It can be done, but there are some caveats you should be aware of:

- You'll need to disable the fake_mname that bind gets configured with for your SOA to show up correctly
- Any time you add/change a replica, you'll need to check your NS/SOA records and probably correct them again, as they get reset.
- TSIG updates for dynamic DNS don't work, as the nameserver in the SOA record doesn't match the required service principal.  You can kind of work around this by creating a new service for DNS/yournameserver.here.com to match your SOA record, delegating that to the appropriate hosts, and adding the Kerberos key for that service to the bind keytab.  Even after doing this though, I've found it to be unreliable, and somewhat difficult to debug.

I filed an issue or two about related problems some years ago, but they weren't given much in the way of attention, because public DNS is deemed an unsupported configuration, so you probably shouldn't expect much in the way of help if things go poorly.

On 9/11/18 1:37 pm, Jonathan Vaughn via FreeIPA-users wrote:
If I set up FreeIPA on 10.x.x.x internal IP, and have it manage company.net, it seems to want to set the NS record to its FQDN that will only be reachable internally. The internal IP is SNAT mapped to an external IP (vs using DMZ), so DNS requests can reach the server via the external IP.

Other than assigning a public IP to FreeIPA server instead (and placing that IP in DMZ vs how our firewall/router is currently set up with SNAT), is there a way to serve public zones managed by FreeIPA functionally?

Is it safe to just edit the NS/A records such that they're using externally resolvable addresses? Or will that break something?
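As an added example (not code from this thread or from FreeIPA itself), a stdlib-only Python check for the first two caveats above: it reads a flat zone listing and reports an SOA MNAME that is not one of the NS records, an NS target with no address in the zone, and any NS target that only has an RFC1918 address. The zone text, hostnames (ns1/ipa1/ipa2 under company.net) and addresses are constructed for the example; this is the check you would rerun after adding or changing a replica, since the records get reset.

```python
import ipaddress
import re

# Constructed sample of what a FreeIPA-managed public zone can look like after
# a replica is added: the SOA MNAME still names the internal IPA host and one
# NS target only has an RFC1918 address. Names and addresses are made up.
SAMPLE_ZONE = """\
company.net.      IN SOA   ipa1.company.net. hostmaster.company.net. 2018091101 3600 900 1209600 3600
company.net.      IN NS    ns1.company.net.
company.net.      IN NS    ipa2.company.net.
ns1.company.net.  IN A     198.51.100.10
ipa1.company.net. IN A     10.0.0.5
ipa2.company.net. IN A     10.0.0.6
"""

# Address ranges that are not reachable from the Internet (RFC1918 + IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# owner [ttl] IN type rdata  (TTL is optional; class is assumed to be IN)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(SOA|NS|AAAA|A)\s+(.+)$")

def parse_zone(text):
    """Return (soa_mname, apex_ns_targets, {owner: [addresses]})."""
    mname, ns, addrs = None, [], {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1), m.group(2), m.group(3).split()
        if rtype == "SOA":
            mname = rdata[0]          # MNAME is the first SOA field
        elif rtype == "NS":
            ns.append(rdata[0])
        else:
            addrs.setdefault(owner, []).append(rdata[0])
    return mname, ns, addrs

def check_public_zone(text):
    """List findings that would make the zone unusable from the Internet."""
    mname, ns, addrs = parse_zone(text)
    findings = []
    if mname not in ns:
        findings.append(f"SOA MNAME {mname} is not one of the NS records")
    for name in ns:
        if name not in addrs:
            findings.append(f"NS {name} has no A/AAAA record in the zone")
            continue
        for ip in addrs[name]:
            if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                findings.append(f"NS {name} only has internal address {ip}")
    return findings

if __name__ == "__main__":
    for finding in check_public_zone(SAMPLE_ZONE):
        print("WARN:", finding)
```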

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org