Product SiteDocumentation Site

9.4. Managing DNS Zone Entries

9.4.1. Adding DNS Zones

9.4.1.1. Adding DNS Zones from the Web UI

  1. Open the Identity tab, and select the DNS subtab.
  2. Click the Add link at the top of the list of DNS zones.
  3. Fill in the information about the new DNS zone. The Zone Name is required; this is the actual domain name. The other information about the administrator email and the authoritative name server are optional.
  4. Click the Add and Add Another button to go directly to the DNS zone page. In the Settings tab, it is possible to reset the default zone configuration to enable dynamic binds (Section 9.8.1, “Enabling Dynamic DNS Updates in the Web UI”) or change other default records information (Section 9.4.2.1, “Editing the Zone Configuration in the Web UI”). It is also possible to begin adding new DNS resource records (Section 9.5.1.1, “Adding DNS Resource Records from the Web UI”) in the DNS Resource Records tab.

9.4.1.2. Adding DNS Zones from the Command Line

The ipa dnszone-add command adds a new zone to the DNS domain. At a minimum, this requires the name of the new subdomain:
$ ipa dnszone-add domainName
If the name is not given, the script prompts for it. Other command-line options can also be passed with the ipa dnszone-add command.
To add a zone entry:
  1. Add the new zone. For example:
    $ ipa dnszone-add newserver.example.com --admin-email=admin@example.com --minimum=3000 --dynamic-update=TRUE
  2. Reload the name service.
    # rndc reload

    TIP

    To make new resource records immediately resolvable without restarting the name service, enable persistent searches with the named service or configure the BIND service to poll the Directory Server automatically for zone changes. See Section 9.6.2, “Enabling Zone Refreshes and Persistent Searches”.

9.4.2. Modifying DNS Zones

A zone is created with a certain amount of configuration, set to default values.
Example 9.1. Default DNS Zone Entry Settings
  dn: idnsname=example.com,cn=dns,dc=example,dc=com
  idnsname: example.com
  idnssoamname: server.example.com.
  idnssoarname: root.server.example.com.
  idnssoaserial: 2011130701
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  idnsupdatepolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  idnszoneactive: TRUE
  idnsallowdynupdate: TRUE
  nsrecord: server.example.com.
  objectclass: top
  objectclass: idnsrecord
  objectclass: idnszone

All of the possible zone settings are listed in Table 9.1, “Zone Attributes”. Along with setting the actual information for the zone, the settings define how the DNS server handles the start of authority (SOA) record entries and how it updates its records from the DNS name server.
Table 9.1. Zone Attributes
Attribute Command-Line Option Description
Zone name --name Sets the name of the zone.
Authoritative nameserver --name-server Sets the fully-qualified domain name of the DNS name server.
Administrator e-mail address --admin-email Sets the email address to use for the zone administrator. This defaults to the root account on the host.
SOA serial --serial Sets a version number for the SOA record file.
SOA refresh --refresh Sets the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server.
SOA retry --retry Sets the time, in seconds, to wait before retrying a failed refresh operation.
SOA expire --expire Sets the time, in seconds, that a secondary DNS server will try to perform a refresh update before ending the operation attempt.
SOA minimum --minimum Sets the minimum amount of time, in seconds, that data are kept in cache.
SOA time to live --ttl Sets the maximum time, in seconds, that information is kept in the data cache.
SOA class --class Sets the type of record. This is almost always IN, which stands for Internet.
BIND update policy --update-policy Sets the permissions allowed to clients in the DNS zone.

IMPORTANT

If this is set to false, FreeIPA client machines will not be able to add or update their IP address. See Section 9.8, “Enabling Dynamic DNS Updates” for more information.
Dynamic update --dynamic-update=TRUE|FALSE Enables dynamic updates to DNS records for clients.
Name server --ip-address Adds the DNS name server by its IP address.
Allow transfer --allow-transfer=string Gives a semi-colon-separated listed of IP addresses or network names which are allowed to transfer the given zone.
Allow query --allow-query Gives a semi-colon-separated listed of IP addresses or network names which are allowed to issue DNS queries.
Allow PTR sync --allow-sync-ptr=TRUE|FALSE Sets whether A or AAAA records (forward records) for the zone will be automatically synchronized with the PTR (reverse) records.
Zone forwarders --forwarder=string Specifies a forwarder specifically configured for the DNS zone. This is separate from any global forwarders used in the FreeIPA domain.
To specificy multiple forwarders, use the option multiple times.
Forward policy --forward-policy=only|first Sets whether the zone will only forward requests to configured the DNS name servers (a forward-only zone) or whether it will check the forwarders first for DNS records and then check its own local records.

9.4.2.1. Editing the Zone Configuration in the Web UI

  1. Open the Identity tab, and select the DNS subtab.
  2. Click the name of the DNS zone to edit.
  3. Open the Settings tab.
  4. Change any of the DNS zone settings. The full list of attributes is described in Table 9.1, “Zone Attributes”. There are some common attributes to change:
    • Authoritative name server, the fully-qualified domain name of the DNS name server.
    • Dynamic update, to enable dynamic updates to DNS records for clients.
    • SOA refresh, the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server.
  5. Click the Update link at the top of the settings page.

9.4.2.2. Editing the Zone Configuration in the Command Line

The zone can be created with additional attributes and values different from the default by passing additional options with the dnszone-add command. Likewise, attributes can be added or modified in the zone entry by passing the same attribute options with the dnszone-mod command. These are listed in Table 9.1, “Zone Attributes”.
If an attribute does not exist in the DNS zone entry, than the dnszone-mod command adds the attribute. If the attribute exists, then it overwrites the current value with the specified value.
For example, to set a time to live for SOA records:
$ ipa dnszone-mod server.example.com --ttl=1800
This adds a new attribute to the DNS zone entry:
  dn: idnsname=example.com,cn=dns,dc=example,dc=com
  idnsname: example.com
  idnssoamname: server.example.com.
  idnssoarname: root.server.example.com.
  idnssoaserial: 2011130701
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  dnsttl: 1800
  idnsupdatepolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  idnszoneactive: TRUE
  idnsallowdynupdate: TRUE
  nsrecord: server.example.com.
  objectclass: top
  objectclass: idnsrecord
  objectclass: idnszone

9.4.3. Enabling and Disabling Zones

Active zones can have clients added to them, are available for lookups, and are used by FreeIPA services like Kerberos. Deleting a DNS zone removes the zone entry and all the associated configuration.
There can be situations when it is necessary to remove a zone from activity without permanently removing the zone. This is done by disabling the zone.

9.4.3.1. Disabling Zones in the Web UI

  1. Open the Identity tab, and select the DNS subtab.
  2. Click the name of the DNS zone to edit.
  3. Open the Settings tab.
  4. Scroll down to the Active zone field. To disable the zone, set the value to Disabled.
  5. Click the Update link at the top of the settings page.

9.4.3.2. Disabling Zones in the Command Line

Disabling a zone is done by using the dnszone-disable command.
For example:
$ ipa dnszone-disable server.example.com
When the zone needs to be brought back online, it can be re-enabled using the dnszone-enable command.