Hello FreeIPA-users. The Subject line is the core of my question here; I'll provide a bit more detail below.
I work for what is (effectively) a startup, non-profit internet provider. I have an extensive Windows background, and "know enough to be dangerous" with Linux & BSD (have been tinkering with GNU/Linux on and off since Slackware 3.0 or 3.1). I'm very familiar with Windows Active Directory, but the org does not have any AD infrastructure right now (and being nonprofit, are trying to avoid spending money for MS, especially when all of the other VMs will be Linux or BSD anyway).
Given the nonprofit nature, I discovered FreeIPA when looking for a free centralized directory system. The goal is to consolidate all credentials for *other* Linux VMs (customer-facing DNS, CRM web server, SNMP/network graphing servers, etc) as well as provide a back-end for RADIUS for management of network equipment (switches, routers, P2P wireless, etc). Simplifying DNS management and replication is also appealing, I'd rather administrate one system than two or three.
In case it changes your opinion of the plan at all - all of the network equipment and VMs will be on *private* (10.x) IPv4 space and behind one or more firewalls, at least initially. We do want to add public IPv6, but do not have that yet. We only have a small allocation (/26) of public v4 from our upstream that will be NATed through a firewall and not directly on any devices. The traffic to FreeIPA is going to be internal-only, I do not plan on exposing FreeIPA's DNS "to the world" at all. Even customer-facing internal DNS will likely be through separate caching forwarders pointing back to FreeIPA.
I have a completely unused, publicly registered domain (let's just call it "example.net" for this thread) available to dedicate to this system. We also own "example.org" and are using that for our public web presence, and I intend to keep that entirely standalone.
Given that I have no current "interoperability" concerns, is there anything "wrong" with putting FreeIPA directly at the root of example.net? Or would it be more wise, from an interop, security, or manageability standpoint (i.e. a "best practice"), to root FreeIPA at something like auth.example.net or ipa.example.net and then have a separate set of nameservers handling the base domain? If I put FreeIPA's root (and Kerberos realm) in a subdomain, is it possible to *also* have it manage the parent domain's DNS entries?
I've read through the Quick Start Guide and Deployment Recommendations (https://www.freeipa.org/page/Deployment_Recommendations), which is part of how I've come to the decisions I've made thus far. I couldn't really find guidance one way or the other on whether FreeIPA "should" be in a subdomain or not, hence this posting. I would appreciate any insight the community can provide!
On Mon, 11 Jan 2021, Braden McGrath via FreeIPA-users wrote:
It really depends on you. ;)
I run my home's FreeIPA deployment at 'example.net' and rely on firewalls and an external DNS server to provide a safer outer view to it. There is nothing wrong with this approach -- nor with the 'ipa.example.net' approach.
Alexander, I appreciate your reply :)
> I run my home's FreeIPA deployment at 'example.net' and rely on firewalls and an external DNS server to provide a safer outer view to it. There is nothing wrong with this approach -- nor with the 'ipa.example.net' approach.
Let us assume I have no other DNS servers at all for 'example.net'. If I put the FreeIPA root at 'ipa.example.net', is it possible to add the "parent" 'example.net' as an authoritative domain in FreeIPA's DNS server? Or can it only manage and serve DNS for its own subdomain and others below it? I'm sorry if this is a basic / stupid question, I haven't had to deal with BIND in over a decade, and I don't know how much the FreeIPA integration changes what can be done (I'm 99% sure that BIND on its own can do this).
Thank you, Braden M.
On Tue, 12 Jan 2021, Braden McGrath via FreeIPA-users wrote:
Any DNS zone for which the IPA DNS server could be authoritative can be handled. It cannot be a slave DNS server and cannot handle DNS views, but other than that there are no limitations on what the zone name could be.
For example,
[root@m1 ~]# ipa dnszone-add my-top-level.
  Zone name: my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480726
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@m1 ~]# ipa dnszone-add test.my-top-level.
  Zone name: test.my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480741
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@m1 ~]# ipa dnszone-find
  Zone name: my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480727
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

  Zone name: test.my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480743
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

  Zone name: ipa1.test.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster.ipa1.test.
  SOA serial: 1610393570
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP; grant "rndc-key" zonesub ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------

[root@m1 ~]# dig -t any +nostats +nocomments my-top-level. test.my-top-level.

; <<>> DiG 9.11.25-RedHat-9.11.25-2.fc34 <<>> -t any +nostats +nocomments my-top-level. test.my-top-level.
;; global options: +cmd
;my-top-level.                  IN      ANY
my-top-level.           86400   IN      NS      m1.ipa1.test.
my-top-level.           86400   IN      SOA     m1.ipa1.test. hostmaster.my-top-level. 1610480727 3600 900 1209600 3600
;test.my-top-level.             IN      ANY
test.my-top-level.      86400   IN      NS      m1.ipa1.test.
test.my-top-level.      86400   IN      SOA     m1.ipa1.test. hostmaster.test.my-top-level. 1610480743 3600 900 1209600 3600
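As an added example (not code from the thread or from FreeIPA itself), a small Python audit that reads an `ipa dnszone-find` listing in the layout shown above, confirms that a parent zone and a zone below it are both hosted on the same IPA server, and flags transfer ACLs and update-policy grants broader than krb5-self. The sample listing is constructed from the zones in the thread, with one transfer ACL deliberately changed so the audit has something to report.

```python
# Constructed sample of `ipa dnszone-find` output, modelled on the listing in the
# thread; the ipa1.test. transfer ACL is altered here so the audit flags something.
SAMPLE = """\
  Zone name: my-top-level.
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA;
  Dynamic update: FALSE
  Allow transfer: none;

  Zone name: test.my-top-level.
  Dynamic update: FALSE
  Allow transfer: none;

  Zone name: ipa1.test.
  BIND update policy: grant IPA1.TEST krb5-self * A; grant "rndc-key" zonesub ANY;
  Dynamic update: TRUE
  Allow transfer: 10.0.0.5;
----------------------------
Number of entries returned 3
----------------------------
"""

def parse_zones(text):
    """One dict per zone; a blank line or the trailing summary ends a zone."""
    zones, cur = [], {}
    for s in (ln.strip() for ln in text.splitlines()):
        if s and not s.startswith(("---", "Number of entries")):
            key, _, val = s.partition(": ")
            cur[key] = val.strip()
        elif cur:                      # separator reached: close the zone
            zones.append(cur)
            cur = {}
    return zones + ([cur] if cur else [])

def child_zones(zones, parent):
    """Zones hosted below `parent` on the same server (parent and child coexist)."""
    return sorted(z["Zone name"] for z in zones if z["Zone name"].endswith("." + parent))

def audit(zones):
    """Findings to review before going live: transfer ACLs and broad update grants."""
    out = []
    for z in zones:
        name = z["Zone name"]
        if z.get("Allow transfer", "none;").rstrip(";") != "none":
            out.append(f"{name}: zone transfer allowed to {z['Allow transfer']}")
        if z.get("Dynamic update") == "TRUE":
            for rule in z.get("BIND update policy", "").split(";"):
                toks = rule.split()  # grant <identity> <nametype> [name] [types]
                if len(toks) >= 3 and toks[0] == "grant" and toks[2] != "krb5-self":
                    out.append(f"{name}: update grant broader than krb5-self: {rule.strip()}")
    return out
```

Pipe the real listing in with `ipa dnszone-find --all` on the IPA server and run the same functions over it to review your own zones.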
Older thread, curious which direction you went with.
I am kind of deciding the same as you. Build it with root domain and then have resource domains or do a subdomain to start. Have not really found a best practice guide.
Wonder how Red Hat does their domain setup.
freeipa-users@lists.fedorahosted.org