You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology, which uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC 2845.
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- You must obtain root user access on the IdM server.
- You must confirm whether {ProjectServer} or {SmartProxyServer} is configured to provide DNS service for your deployment.
- You must configure DNS, DHCP, and TFTP services on the base operating system of either the {Project} or {SmartProxy} that is managing the DNS service for your deployment.
- You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see {InstallingServerDocURL}configuring-server_{project-context}[Configuring {ProjectServer}].
To configure dynamic DNS update with TSIG authentication, complete the following steps:
- On the IdM Server, add the following to the top of the /etc/named.conf file:

  ########################################################################
  include "/etc/rndc.key";
  controls {
    inet _IdM_Server_IP_Address_ port 953 allow { _{Project}_IP_Address_; } keys { "rndc-key"; };
  };
  ########################################################################

- Reload the named service to make the changes take effect:

  # systemctl reload named
- In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
  - Add the following in the BIND update policy box:

    grant "rndc-key" zonesub ANY;

  - Set Dynamic update to True.
  - Click Update to save the changes.
- Copy the /etc/rndc.key file from the IdM server to the base operating system of your {ProjectServer}. Enter the following command:

  # scp /etc/rndc.key root@{foreman-example-com}:/etc/rndc.key

- To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following commands:

  # restorecon -v /etc/rndc.key
  # chown -v root:named /etc/rndc.key
  # chmod -v 640 /etc/rndc.key
- Assign the foreman-proxy user to the named group manually. Normally, {foreman-installer} ensures that the foreman-proxy user belongs to the named UNIX group; however, in this scenario {Project} does not manage users and groups, so you need to assign the foreman-proxy user to the named group manually:

  # usermod -a -G named foreman-proxy
- On {ProjectServer}, enter the following {foreman-installer} command to configure {Project} to use the external DNS server:

  # {installer-scenario} \
  --foreman-proxy-dns=true \
  --foreman-proxy-dns-managed=false \
  --foreman-proxy-dns-provider=nsupdate \
  --foreman-proxy-dns-server="IdM_Server_IP_Address" \
  --foreman-proxy-keyfile=/etc/rndc.key \
  --foreman-proxy-dns-ttl=86400

- Ensure that the key in the /etc/rndc.key file on {ProjectServer} is the same key file that is used on the IdM server:

  key "rndc-key" {
      algorithm hmac-md5;
      secret "secret-key==";
  };
- On {ProjectServer}, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1:

  # echo -e "server 192.168.25.1\n \
  update add test.example.com 3600 IN A 192.168.25.20\n \
  send\n" | nsupdate -k /etc/rndc.key

- On {ProjectServer}, test the DNS entry:

  # nslookup test.example.com 192.168.25.1
  Server:   192.168.25.1
  Address:  192.168.25.1#53

  Name:     test.example.com
  Address:  192.168.25.20

- To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

- If resolved successfully, remove the test DNS entry:

  # echo -e "server 192.168.25.1\n \
  update delete test.example.com 3600 IN A 192.168.25.20\n \
  send\n" | nsupdate -k /etc/rndc.key

- Confirm that the DNS entry was removed:

  # nslookup test.example.com 192.168.25.1

  The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.
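The procedure above relies on the copied rndc.key being byte-identical on both hosts, named "rndc-key" (the name referenced in named.conf and in the BIND update policy), and readable only by root and the named group. The following Python checker is an added example, not part of this documentation or the Foreman project; the key file content is a constructed sample and the mode/owner/group values are passed in rather than read from disk, so it runs anywhere.

```python
import base64
import re
import stat

# Constructed sample with the same layout as the /etc/rndc.key shown above
# (the secret is just base64 of "secret-key"; it is not a real key).
SAMPLE_KEYFILE = '''key "rndc-key" {
\talgorithm hmac-md5;
\tsecret "c2VjcmV0LWtleQ==";
};
'''

# TSIG algorithms BIND accepts in a key statement. RFC 8945 only requires
# implementations to support hmac-sha256; hmac-md5 and hmac-sha1 are legacy.
KNOWN_ALGOS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256",
               "hmac-sha384", "hmac-sha512"}
LEGACY_ALGOS = {"hmac-md5", "hmac-sha1"}

KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*'
    r'secret\s+"([^"]+)"\s*;\s*\}\s*;')


def parse_keyfile(text):
    """Return (name, algorithm, secret bytes) from a BIND key statement."""
    m = KEY_RE.search(text)
    if m is None:
        raise ValueError("no key statement found")
    name, algo, secret_b64 = m.groups()
    return name, algo.lower(), base64.b64decode(secret_b64, validate=True)


def keys_match(keyfile_a, keyfile_b):
    """True when both hosts hold the same key name, algorithm and secret."""
    return parse_keyfile(keyfile_a) == parse_keyfile(keyfile_b)


def audit_keyfile(text, mode, owner, group, expected_name="rndc-key"):
    """Check a key file against the requirements of the procedure above.
    mode/owner/group are what os.stat() plus pwd/grp would report.
    Returns a list of findings; an empty list means everything is in order."""
    findings = []
    name, algo, secret = parse_keyfile(text)
    if name != expected_name:
        findings.append(f"key name {name!r} must match {expected_name!r} in "
                        "named.conf and the BIND update policy")
    if algo not in KNOWN_ALGOS:
        findings.append(f"unsupported TSIG algorithm {algo!r}")
    elif algo in LEGACY_ALGOS:
        findings.append(f"{algo} is a legacy TSIG algorithm; prefer hmac-sha256")
    if not secret:
        findings.append("secret is empty")
    if stat.S_IMODE(mode) != 0o640:
        findings.append(f"mode is {stat.S_IMODE(mode):o}, expected 640")
    if (owner, group) != ("root", "named"):
        findings.append(f"owner is {owner}:{group}, expected root:named")
    return findings
```

On a real host, pass `os.stat("/etc/rndc.key").st_mode` together with the owner and group names resolved from `st_uid`/`st_gid`, and compare the file from the IdM server and {ProjectServer} with `keys_match`.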