
C.3. ipa DNS Commands

A collection of commands is used to add and manage DNS zones and DNS records.

C.3.1. ipa dnszone-add

Creates a new DNS zone in the FreeIPA server.

C.3.1.1. Syntax

ipa dnszone-add zoneName [ --name-server=name ] [ --ip-address=IPaddress ] [ --name-from-ip=IPaddress ] [ --admin-email=email ] [ --serial=# ] [ --refresh=# ] [ --retry=# ] [ --expire=# ] [ --minimum=# ] [ --ttl=# ] [ --class=name ] [ --update-policy=string ] [ --dynamic-update=TRUE|FALSE ] [ --allow-query=string ] [ --allow-transfer=string ] [ --allow-sync-ptr=TRUE|FALSE ] [ --forwarder=string ] [ --forward-policy=only|first ] [ --force ]

C.3.1.2. Options

Parameter Description
zoneName Sets the name of the new zone. This is required.
--name-server=name Gives the name of the authoritative DNS server to use, based on the hostname.
--ip-address=IPaddress Sets a DNS name server to use with the FreeIPA domain, based on the IP address.
--name-from-ip=IPaddress Gives an IP address for the DNS zone to use to create a reverse zone name.
--admin-email=email Gives the email address of the DNS domain administrator.
--serial=# Sets the serial number to use for the DNS start of authority (SOA) record.
--refresh=# Sets the time interval to use to check for updated SOA records.
--retry=# Sets the time to wait before retrying a failed name resolution attempt.
--expire=# Sets the time to hold successful resolution attempts in the cache before they expire.
--minimum=# Sets the time to hold negative or failed resolution attempts in the cache.
--ttl=# Sets how long to hold SOA records in the cache.
--class=name Sets a SOA record class for zone entries.
--update-policy=string Sets a BIND service policy.
--dynamic-update=TRUE|FALSE Enables domain clients to update their own DNS entries dynamically.
--allow-query=string Gives a semi-colon-separated list of IP addresses or network names which are allowed to issue DNS queries.
--allow-transfer=string Gives a semi-colon-separated list of IP addresses or network names which are allowed to transfer the given zone.
--allow-sync-ptr=TRUE|FALSE Sets whether A or AAAA records (forward records) for the zone will be automatically synchronized with the PTR (reverse) records.
--forwarder=string Specifies a forwarder specifically configured for the DNS zone. This is separate from any global forwarders used in the FreeIPA domain. To specify multiple forwarders, use the option multiple times.
--forward-policy=only|first Sets whether the zone will only forward requests to the configured DNS name servers (a forward-only zone) or whether it will check the forwarders first for DNS records and then check its own local records.
--force Forces a zone to be created in the FreeIPA configuration even if the name server is not recognized by the DNS.

C.3.2. ipa dnsrecord-add

Adds a new resource record.
Each resource record type has its own set of options, based on the required information to configure the record.

C.3.2.1. Syntax

ipa dnsrecord-add zoneName recordName [ --recordType_options=value ]

C.3.2.2. Options

General Record Options
Option Description
--ttl=number Sets the time to live for the record.
--class=IN | CS | CH | HS Sets the class of the record. This is usually IN, for Internet protocol.
--structured Parses the raw DNS records and returns them in a structured format.
"A" Record Options
Option Description
--a-rec=ARECORD Passes a comma-separated list of A records.
--a-ip-address=string Gives the IP address for the record.
"A6" Record Options
Option Description
--a6-rec=A6RECORD Passes a comma-separated list of A6 records.
--a6-data=string Gives the data for the record.
"AAAA" Record Options
Option Description
--aaaa-rec=AAAARECORD Passes a comma-separated list of AAAA (IPv6) records.
--aaaa-ip-address=string Gives the IPv6 address for the record.
"AFSDB" Record Options
Option Description
--afsdb-rec=AFSDBRECORD Passes a comma-separated list of AFSDB records.
--afsdb-subtype=1 | 2 Gives the subtype of the AFS database.
--afsdb-hostname=string Gives the hostname of the AFS database.
"CERT" Record Options
Option Description
--cert-rec=CERTRECORD Passes a comma-separated list of CERT records.
--cert-type=number Gives the type of certificate. Common values include 1 (X.509 certificate), 3 (PGP packet), 4 (URL of an X.509 certificate), and 254 (private OID).
--cert-key-tag=number Contains a 16-bit computed value that represents the certificate key. This is generated based on the given key algorithm in the certificate.
--cert-algorithm=number Contains the algorithm used to create the public key.
--cert-certificate-or-crl=number Contains the base 64-encoded blob of the X.509 object (certificate or CRL).
"CNAME" Record Options
Option Description
--cname-rec=CNAMERECORD Passes a comma-separated list of CNAME records.
--cname-hostname=string Gives the real hostname that the CNAME alias hostname points to.
"DNAME" Record Options
Option Description
--dname-rec=DNAMERECORD Passes a comma-separated list of DNAME records.
--dname-target=string Gives the domain name of the target DNS domain.
"DS" Record Options
Option Description
--ds-rec=DSRECORD Passes a comma-separated list of DNSSEC key records.
--ds-key-tag=number Contains a 16-bit computed value that represents the certificate key. This is generated based on the given key algorithm.
--ds-algorithm=number Contains the algorithm used to create the public key.
--ds-digest-type=number Contains the algorithm used to create the digest. This is 1, for SHA-1.
--ds-digest=string Contains the digest for the DNSKEY. This is calculated by combining the fully qualified owner name of the DNSKEY resource record, the DNSKEY data, and the digest algorithm.
"KEY" Record Options
Option Description
--key-rec=KEYRECORD Passes a comma-separated list of KEY records.
--key-flags=number Gives a series of bits that indicate aspects of the key. Bits 0-1 show key usage, bits 6-7 show the key entity type (such as a user or account), and bits 12-15 show the key signature settings. For more information, see http://tools.ietf.org/html/rfc2535#section-3.
--key-protocol=number Shows what Internet protocols the key can be used with. This value can be 1 (TLS), 2 (email), 3 (DNSSEC), 4 (IPSEC), or 255 (all).
--key-algorithm=number Contains the algorithm used to create the key.
--key-public-key=number Contains the public key.
"KX" Record Options
Option Description
--kx-rec=KXRECORD Passes a comma-separated list of KX records.
--kx-preference=number Sets the priority of the specified key exchanger. The lower the number, the higher priority.
--kx-exchanger=string Gives the hostname of a server which can act as a key exchanger.
"LOC" Record Options
Option Description
--loc-rec=LOCRECORD Passes a comma-separated list of location information records.
--loc-lat-deg=number Gives the degrees element of the latitude of the physical location of a network object.
--loc-lat-min=number Gives the minutes element of the latitude of the physical location of a network object.
--loc-lat-sec=decimal Gives the seconds element of the latitude of the physical location of a network object.
--loc-lat-dir=N | S Gives the hemisphere (north or south) of the latitude.
--loc-lon-deg=number Gives the degrees element of the longitude of the physical location of a network object.
--loc-lon-min=number Gives the minutes element of the longitude of the physical location of a network object.
--loc-lon-sec=decimal Gives the seconds element of the longitude of the physical location of a network object.
--loc-lon-dir=E | W Gives the orientation or direction (east or west) of the longitude.
--loc-altitude=decimal Gives the altitude of the physical location of a network object.
--loc-size=decimal Gives the diameter of a circle encompassing the object, to give an idea of its physical size.
--loc-h-precision=decimal Gives the diameter of a circle which constitutes the margin of error for estimating the physical size of the object.
--loc-v-precision=decimal Gives the diameter of a circle which constitutes the margin of error for estimating the altitude of the object.
"MX" Record Options
Option Description
--mx-rec=MXRECORD Passes a comma-separated list of MX records.
--mx-preference=number Sets the priority of the specified mail server. The lower the number, the higher priority.
--mx-exchanger=string Gives the hostname of a mail server.
"NAPTR" Record Options
Option Description
--naptr-rec=NAPTRRECORD Passes a comma-separated list of pointer records.
--naptr-order=number Contains a 16-bit unsigned number which sets the order to use to process naming authority pointer records.
--naptr-preference=number Contains a 16-bit unsigned number which is the secondary method used to determine the weight or priority of naming authority pointer records with the same order value.
--naptr-flags=string Contains an application-specific series of characters which sets how to manage field values.
--naptr-service=string Contains application-specific values which are used to configure the NAPTR service.
--naptr-regexp=string Contains a substitution expression which is used to help look up the next domain name in the queue.
--naptr-replacement=string Contains a fully-qualified domain name to use with --naptr-regexp if the expression is a simple replacement.
"NS" Record Options
Option Description
--ns-rec=NSRECORD Passes a comma-separated list of NS records.
--ns-hostname=string Gives the hostname of the authoritative name server.
"NSEC" Record Options
Option Description
--nsec-rec=NSECRECORD Passes a comma-separated list of NSEC key records.
--nsec-next=string Gives the next domain name in the canonical order of the DNS zone.
--nsec-types=types Contains a list of record types supported in the domain. The types can be SOA, A, AAAA, A6, AFSDB, APL, CERT, CNAME, DHCID, DLV, DNAME, DNSKEY, DS, HIP, IPSECKEY, KEY, KX, LOC, MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA, TKEY, TSIG, TXT.
"PTR" Record Options
Option Description
--ptr-rec=PTRRECORD Passes a comma-separated list of PTR records.
--ptr-hostname=string Gives the hostname for the record.
"RRSIG" Record Options
Option Description
--rrsig-rec=RRSIGRECORD Passes a comma-separated list of RRSIG key records.
--rrsig-algorithm=number Contains the algorithm used to sign the resource record set.
--rrsig-key-tag=number Contains a 16-bit computed value that represents the key used to sign the resource record set.
--rrsig-labels=number Gives the number of labels in the owner name; this is used to validate the signature.
--rrsig-type-covered=types Identifies which resource record type is covered in the specific RRSIG set. The types can be SOA, A, AAAA, A6, AFSDB, APL, CERT, CNAME, DHCID, DLV, DNAME, DNSKEY, DS, HIP, IPSECKEY, KEY, KX, LOC, MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA, TKEY, TSIG, TXT.
--rrsig-original-ttl=number Gives the time-to-live of the records set in the authoritative zone.
--rrsig-signature-inception=string Gives the beginning date of the record set's validity period.
--rrsig-signature-expiration=string Gives the end date of the record set's validity period.
--rrsig-signers-name=string Gives the name of the signer of the DNSKEY for the record set. This must include the name of the zone.
--rrsig-signature=string Contains the digital signature for the record set.
"SIG" Record Options
Option Description
--sig-rec=SIGRECORD Passes a comma-separated list of SIG key records.
--sig-algorithm=number Contains the algorithm used to sign the resource record set.
--sig-key-tag=number Contains a 16-bit computed value that represents the key used to sign the resource record set.
--sig-labels=number Gives the number of labels in the owner name; this is used to validate the signature.
--sig-type-covered=types Identifies which resource record type is covered in the specific RRSIG set. The types can be SOA, A, AAAA, A6, AFSDB, APL, CERT, CNAME, DHCID, DLV, DNAME, DNSKEY, DS, HIP, IPSECKEY, KEY, KX, LOC, MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA, TKEY, TSIG, TXT.
--sig-original-ttl=number Gives the time-to-live of the records set in the authoritative zone.
--sig-signature-inception=string Gives the beginning date of the record set's validity period.
--sig-signature-expiration=string Gives the end date of the record set's validity period.
--sig-signers-name=string Gives the name of the signer of the DNSKEY for the record set. This must include the name of the zone.
--sig-signature=string Contains the digital signature for the record set.
"SRV" Record Options
Option Description
--srv-rec=SRVRECORD Passes a comma-separated list of SRV records.
--srv-priority=number Sets the priority of the record. There can be multiple SRV records for a service type. The priority (0 - 65535) sets the rank of the record; the lower the number, the higher the priority. A service has to use the record with the highest priority first.
--srv-weight=number Sets the weight of the record. This helps determine the order of SRV records with the same priority.
--srv-port=number Gives the port for the service on the target host.
--srv-target=string Gives the domain name of the target host. This can be a single period (.) if the service is not available in the domain.
"SSHFP" Record Options
Option Description
--sshfp-rec=SSHFPRECORD Passes a comma-separated list of SSH fingerprint records.
--sshfp-algorithm=number Contains the algorithm used for the SSH fingerprint.
--sshfp-fp-type=1 Identifies the type of fingerprint. This value is always 1, for SHA-1.
--sshfp-fingerprint=string Contains the fingerprint, as calculated from the public key.
"TXT" Record Options
Option Description
--txt-rec=TXTRECORD Passes a comma-separated list of TXT records.
--txt-data=string Gives text data for the record.
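Worked example for the SSHFP options above (added here; it is not part of the FreeIPA documentation or the ipa code base): it derives the --sshfp-algorithm, --sshfp-fp-type and --sshfp-fingerprint values from an OpenSSH public-key line and checks a published SSHFP record against the key a host actually presents. The algorithm numbers come from RFC 4255, RFC 6594 and RFC 7479; the zone example.test, the host name and the Ed25519 key bytes are constructed placeholders, and the ipa command is only assembled as a string, never executed.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255 (RSA, DSA), RFC 6594 (ECDSA) and
# RFC 7479 (Ed25519), keyed by the OpenSSH key-type string.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_TYPE_SHA1 = 1  # the fingerprint type the option table lists (SHA-1)

def sshfp_from_pubkey(line):
    """Return (algorithm, fp_type, fingerprint) for one OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHM:
        raise ValueError("unsupported or malformed OpenSSH public key line")
    key_type, key_b64 = fields[0], fields[1]
    blob = base64.b64decode(key_b64, validate=True)
    # The blob begins with its own length-prefixed type string; it must agree
    # with the text field, otherwise the line is damaged or has been altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match text field")
    # RFC 4255: the fingerprint is the hash of the raw public-key blob.
    return SSHFP_ALGORITHM[key_type], FP_TYPE_SHA1, hashlib.sha1(blob).hexdigest()

def ipa_sshfp_command(zone, host, line):
    """Assemble the ipa dnsrecord-add invocation for the key (string only, not run)."""
    alg, fp_type, fp = sshfp_from_pubkey(line)
    return ("ipa dnsrecord-add %s %s --sshfp-algorithm=%d --sshfp-fp-type=%d "
            "--sshfp-fingerprint=%s" % (zone, host, alg, fp_type, fp))

def sshfp_matches(line, alg, fp_type, fingerprint):
    """Check a published SSHFP record against the key a host presents at connect time."""
    return sshfp_from_pubkey(line) == (alg, fp_type, fingerprint.lower())

# Constructed sample: an Ed25519 key with a fixed 32-byte value, NOT a real host key.
_raw = bytes(range(32))
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + _raw
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example.test"

if __name__ == "__main__":
    print(ipa_sshfp_command("example.test", "host", SAMPLE_KEY_LINE))
```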