[Freeipa-users] DNS: sub-domain or new domain

Petr Spacek pspacek at redhat.com
Thu Dec 13 08:21:50 UTC 2012


On 12/12/2012 07:59 PM, Simo Sorce wrote:
> On Wed, 2012-12-12 at 10:45 -0800, Patrick Bakker wrote:
>> I just joined this list because I was curious about the recent
>> discussion that Rashard Kelly had started about whether to
>> use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering
>> about a very similar thing. I have a bunch of Linux servers that I'd
>> like to start managing more centrally but we have Active Directory
>> running the network right now.
>>
>>
>> I looked at the bug attachment Petr Spacek recommended
>> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but
>> one thing I didn't see there is a discussion of whether to use an
>> entirely different domain. As this is the direction I'm inclined to,
>> I'm curious if there is some good reason not to do it.
IMHO there is no real difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
vs
b) "comp1.tld" + "comp2.tld"

In both cases they are just different domains. It doesn't make any difference 
as long as all machines are able to resolve all names (from both domains).

>> Suppose I have a company ACME Widgets which is running
>> acmewidgets.local under Active Directory. Does it simplify anything if
>> I were to run all my Linux boxes under FreeIPA under an entirely
>> different domain such as acme.local?
>
> It will avoid the need to do delegation but you will need to set up
> conditional forwarders if you want to resolve both domains from all
> machines.
If it is inevitable, I would recommend establishing a top-level domain "local" 
or "lan" and filling it with the usual delegation records for "acmewidgets" and 
"acme". Please avoid the use of forwarders as much as possible. Please see my 
next comment and try to avoid private TLDs.

> Also do not use .local that domain name is used by zeroconf style stuff
> and can cause issues (in a windows domain too), use something like .lan
You can save some pain by using a real domain "acme.com" instead of "acme.lan". 
Just configure your DNS servers on the enterprise boundary to return different 
results to clients inside and outside the boundary.

Background story:
DNS is a tree with its root in the domain "". By using a non-existent top-level 
domain "lan" you cut off the root. A client asking the root servers for "lan" 
will get NXDOMAIN for every query.

You can see the problem very nicely with the command:
dig +trace "some.name.under.lan"

(I don't have much experience with DNSSEC, please correct me if I'm wrong.)
I would expect problems with DNSSEC deployment ... At least you will have to 
handle the domain signature for "lan" in a special way and configure another 
root of trust in each DNSSEC-validating resolver, etc.


>> Since I have completely separate DNS records I shouldn't need to worry
>> about any DNS integration. Will this complicate a future trust between
>> the AD domain acmewidgets.local and the FreeIPA domain acme.local if I
>> want to do that at some point?
Again, I don't see any difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
vs
b) "comp1.tld" + "comp2.tld"

Both domains have to be resolvable. The difference is in the place where NS 
records or forwarders are set. That should be all.

> No trusts are better with completely separate root domains, they
> certainly can't work if you use the same domain.
Simo, can you elaborate on this? I'm not experienced with trusts, but IMHO there 
should not be any difference between scenarios a) and b).

> However there is at least 1 minor 'integration' step, you need
> conditional forwarders in both systems so one can forward queries to the
> other for its clients.

-- 
Petr^2 Spacek
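As an added illustration (not part of the original thread), here is a BIND 9 named.conf skeleton for the split-horizon approach suggested above: the same zone "acme.com" is served with different content to clients inside and outside the enterprise boundary. The ACL ranges and zone file names are assumptions.

```conf
// Added example (not from the thread): a BIND 9 named.conf sketch of a
// split-horizon setup, where the zone "acme.com" is served with different
// content to internal and external clients.
// The address ranges and zone file names are placeholders.

acl "inside" {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
};

options {
    directory "/var/named";
    // Recursion is decided per view below.
    allow-query { any; };
};

// View 1: clients inside the boundary. Views are matched in order, so this
// one is checked first. Its zone file may carry private addresses and
// internal-only hosts (for example the IPA servers).
view "internal" {
    match-clients { "inside"; };
    recursion yes;
    allow-recursion { "inside"; };

    // Root hints so the internal view can resolve the public tree as well.
    zone "." {
        type hint;
        file "named.ca";
    };

    zone "acme.com" {
        type master;
        file "acme.com.internal.zone";
    };
};

// View 2: everyone else. Authoritative only, no recursion, and a zone file
// that exposes nothing but the public-facing records.
view "external" {
    match-clients { any; };
    recursion no;

    zone "acme.com" {
        type master;
        file "acme.com.external.zone";
    };
};
```

Run named-checkconf on the file before reloading; with views in use, every zone (including the root hints) must live inside a view.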

