Your specific issue might not be because of the .local TLD, but .local is a special
‘reserved’ name for multicast DNS. You can use any other (including fake) TLD that is not
registered.
There are some other TLDs that are ‘special’, like the one used for reverse-IP records in
APIPA. Best to avoid such things, as not all network software takes care of those special
names the way they should.
Some hosts might treat .local special and ignore DNS servers or DNS query responses that
are not from mDNS. Some hosts might first query DNS and then mDNS, some might do it the
other way around. Some systems disable mDNS or .local mDNS if a static .local zone is
detected, which breaks Bonjour and ZeroConf in most configurations.
In my experience, mixing mDNS and DNS by introducing a .local is just going to create more
problems.
I would suggest registering a DNS name but not using it externally, just internally. For
example, you could take something like
my-internal-domain.net
but simply not host anything externally and remove
all records, maybe even disable name servers. There probably are better conventions for
this, but using a ‘real’ (but dead to the outside) domain has served me well.
Multiple subdomains shouldn’t be a problem, but there probably are limits to the depth of
subzones. For my setups, I usually don’t go deeper than 2 levels, i.e.
sub1.sub0.ipa.net
I do tend to make dedicated subzones with NS delegations when I go deeper than 1 level,
but in theory, if you only have 1 sublevel, you can leave it as-is and IPA will register
your hosts with a dot in the name in the record, effectively creating a virtual subzone.
There is nothing bad about that, but depending on the management functionality you are
trying to create, your needs may call for a different setup.
One of the important parts of domain naming isn’t so much about IPA’s idea of domains, but
very much depends on how Kerberos likes names.
So if you can’t find a strong enough guideline in the IPA community or documentation,
try the ones for Kerberos (which IPA uses):
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html
The same can be
(partially) said about Microsoft’s AD naming suggestions, as their system also depends on
correct naming, uses Kerberos and uses SRV records to find the correct servers for
services:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-...
One of the quotes from the above sources:
In the past, lots of people chose to use a dummy, unofficial TLD
(top-level-domain) for their internal network, like domain.lan, domain.local or
domain.internal (and also domain.internalhost)
But this can get you in serious trouble. Because these names are not supported by
internet standards, the most important RFC on this is: RFC 2606
http://tools.ietf.org/html/rfc2606
This RFC standard is very explicit on
choosing domain names for private testing and documentation
Other sources condense the suggestions into:
Option 1: Use a valid TLD (Top Level Domain, also known as routable
domain) registered to your company. Some examples of this are company.ca or
company.com;
Option 2: Use a subdomain of a valid TLD that is registered to your company
Option 3: Use a non-TLD name (or non-routable domain). (But not an RFC reserved name!)
John
On 3 Mar 2019, at 19:08, Vivek Aggarwal via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Thanks John,
It would be nice if you could elaborate a bit more and share your advice on:
i) What is wrong in the current hostname convention? I still don’t have a clear
understanding of what it is that is causing a problem in the current setup. Any
links/thoughts which can explain this will be of great help.
ii) Is ".local" a problem, or can I use any other TLD like ".int"?
iii) Thirdly, what is the recommendation for naming the hostname FQDN? Should it not have
multiple subdomains?
Please bear with my questions in case these look a bit naive. Thanks a lot for sparing the time
to answer my concerns.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
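The naming rules John's reply points at (RFC 2606/6761 reserved names, .local belonging to mDNS per RFC 6762, the .arpa infrastructure zones, RFC 1123 label syntax, his own limit of two sub-zone levels, and the nsswitch.conf ordering that decides whether .local ever reaches unicast DNS) can be checked before running ipa-server-install. The following is an added example written for this page; it is not code from the thread or from the FreeIPA project. The helper names (check_domain, kerberos_realm, mdns_shadows_dns), the depth limit and the sample nsswitch.conf line are assumptions made for the example.

```python
"""Sanity-check a candidate internal DNS domain for a FreeIPA / Kerberos deployment.

Added example (not from the mailing-list post or FreeIPA). Helper names, the
MAX_SUBZONE_DEPTH convention and the sample nsswitch.conf line are assumptions.
"""
import re

# Special-use / reserved top-level names that must not be used as an internal zone.
RESERVED_TLDS = {
    "local",      # multicast DNS, RFC 6762
    "localhost",  # RFC 6761
    "invalid",    # RFC 2606 / RFC 6761
    "example",    # RFC 2606 / RFC 6761
    "test",       # RFC 2606 / RFC 6761
    "onion",      # RFC 7686
    "arpa",       # infrastructure zones: in-addr.arpa, ip6.arpa, home.arpa
}
# Second-level names reserved for documentation by RFC 2606.
RESERVED_NAMES = {"example.com", "example.net", "example.org"}

# RFC 1123 host label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
MAX_SUBZONE_DEPTH = 2  # assumed convention: sub1.sub0.ipa.net is fine, deeper gets a warning


def check_domain(domain):
    """Return a list of problems with the candidate domain; an empty list means OK."""
    problems = []
    name = domain.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("single-label domain; the IPA domain needs at least two components")
    if len(name) > 253:
        problems.append("FQDN longer than 253 octets")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append("label %r violates RFC 1123 hostname syntax" % label)
    tld = labels[-1]
    if tld == "local":
        problems.append(".local is claimed by mDNS (RFC 6762); resolvers may never ask unicast DNS")
    elif tld in RESERVED_TLDS:
        problems.append(".%s is a special-use/reserved TLD (RFC 2606/6761)" % tld)
    if ".".join(labels[-2:]) in RESERVED_NAMES:
        problems.append("%s is reserved for documentation (RFC 2606)" % ".".join(labels[-2:]))
    depth = len(labels) - 2  # sub-zone levels below the registrable name
    if depth > MAX_SUBZONE_DEPTH:
        problems.append("%d sub-zone levels; consider NS delegation or a flatter tree" % depth)
    return problems


def kerberos_realm(domain):
    """Kerberos convention (followed by FreeIPA): the realm is the domain in upper case."""
    return domain.strip().rstrip(".").upper()


def mdns_shadows_dns(hosts_line):
    """True if this nsswitch.conf 'hosts:' line lets mDNS answer (or swallow) .local
    names before unicast DNS is consulted, i.e. a static .local zone would be ignored."""
    fields = hosts_line.split(":", 1)[1].split()
    for i, field in enumerate(fields):
        if field == "dns":
            return False  # unicast DNS is consulted before any mDNS source
        if field.startswith("mdns"):
            nxt = fields[i + 1] if i + 1 < len(fields) else ""
            if nxt.startswith("[") and "notfound=return" in nxt.lower():
                return True  # an mDNS miss ends the lookup; DNS never sees .local
            return "dns" not in fields[i + 1:]
    return False


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for candidate in ("ipa.local", "my-internal-domain.net", "sub1.sub0.ipa.net", "a.b.c.ipa.net"):
        print(candidate, "->", kerberos_realm(candidate), check_domain(candidate) or "OK")
    sample_nsswitch = "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname"
    print("mDNS shadows DNS for .local:", mdns_shadows_dns(sample_nsswitch))
```

Run it with a candidate name before committing to a realm; a clean result from check_domain says nothing about .int or other real TLDs you do not own, only that the name is not in one of the reserved sets discussed above.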