Greetings all,
I'm running the following FreeIPA:
Installed Packages
freeipa-client.x86_64 4.9.10-4.fc36 @updates
freeipa-client-common.noarch 4.9.10-4.fc36 @updates
freeipa-common.noarch 4.9.10-4.fc36 @updates
freeipa-healthcheck.noarch 0.11-2.fc36 @updates
freeipa-healthcheck-core.noarch 0.11-2.fc36 @updates
freeipa-selinux.noarch 4.9.10-4.fc36 @updates
freeipa-server.x86_64 4.9.10-4.fc36 @updates
freeipa-server-common.noarch 4.9.10-4.fc36 @updates
freeipa-server-dns.noarch 4.9.10-4.fc36 @updates
libipa_hbac.x86_64 2.7.4-1.fc36 @updates
python3-ipaclient.noarch 4.9.10-4.fc36 @updates
python3-ipalib.noarch 4.9.10-4.fc36 @updates
python3-ipaserver.noarch 4.9.10-4.fc36 @updates
python3-libipa_hbac.x86_64 2.7.4-1.fc36 @updates
sssd-ipa.x86_64 2.7.4-1.fc36 @updates
On the following Fedora revision:
5.19.12-200.fc36.x86_64
My other internal DNS server is 9.16.33-1.fc36 running on the same OS
revision. Both my FreeIPA subdomain and the subdomain served by the
other Bind 9 instance are serving subdomains of my issued domain name
but are hidden. My public DNS (also Bind9, but on Debian) is in my DMZ
and accessible via local LAN links to all the FreeIPA clients. My
publicly accessible hosts are not FreeIPA clients and don't look up
internal PTR records or need any integration with FreeIPA. If something
really requires the DS records for the subdomains to be available, I
could create a view on the public server that serves that data,
including the subdomain authority delegation. I'd rather not take this
step unless it's really a necessity.
I don't have any FreeIPA secondary servers at present since I can't see
a point in having 2 copies of the same server running as VMs on the same
host machine. As I lack another machine with sufficient power to run
FreeIPA server, I just backup regularly. Therefore, the packages that
manage a fleet of servers are unnecessary overhead, since I have just 1.
ipa dnszone-show returns the following as the first line of output,
followed by the other settings looking as expected:
ipa: WARNING: No DNSSEC key master is installed. DNSSEC zone signing
will not work until the DNSSEC key master is installed.
I have created ZSK and KSK keys for the ipa subdomain. I'm wondering if
there's an easier way to import them than manually creating the DNSKEY
256 and 257 records. I've searched, fruitlessly, for the information in
the doc and can only find passing references to DNSSEC, with no key
import instructions.
I do still need to create and sign the IPv4 class B levels of the
in-addr.arpa addresses to provide the DS records for the PTR validation
on my FreeIPA master. That, however, is secondary to getting my keys
into FreeIPA in the first place. I suppose I could have my other
private server inline sign them and do all lookups there, rather than on
the FreeIPA DNS instance, but I'd rather not alter the default FreeIPA
client setup if I don't have to.
Thanks in advance,
Eric