If I set up FreeIPA on a 10.x.x.x internal IP, and have it manage company.net, it seems to want to set the NS record to its FQDN that only will be reachable internally. The internal IP is SNAT mapped to an external IP (vs using DMZ), so DNS requests can reach the server via the external IP.

Other than assigning a public IP to the FreeIPA server instead (and placing that IP in DMZ vs how our firewall/router is currently set up with SNAT), is there a way to serve public zones managed by FreeIPA functionally?

Is it safe to just edit the NS/A records such that they're using externally resolvable addresses? Or will that break something?