DNS Management
Manage DNS zones and resource records with integrated DNSSEC support. Features include master and forward zones, comprehensive record type support (A, AAAA, MX, SRV, PTR, TXT, etc.), dynamic updates with Kerberos authentication, zone transfers with TSIG, per-zone permissions for delegation, and interactive record management. Supports both IPv4 and IPv6, reverse zones, and DNS-based service discovery for IPA infrastructure.
Overview
FreeIPA includes an integrated DNS server providing authoritative DNS services for the IPA domain and optionally for other managed zones. This integration enables automatic DNS record management for IPA infrastructure, service discovery through SRV records, dynamic host record updates with Kerberos authentication, and centralized DNS administration through IPA’s command-line and web interfaces.
The IPA DNS implementation is built on BIND (Berkeley Internet Name Domain), storing zone data in the IPA LDAP directory rather than traditional zone files. This LDAP-based storage enables multi-master replication of DNS data across IPA servers, provides consistent DNS views across the domain, and allows fine-grained access control through IPA’s permission system. DNS zones replicate automatically alongside other IPA data, maintaining consistency without separate zone transfer configurations between IPA servers.
DNS is optional in FreeIPA deployments. Organizations can choose to use IPA’s integrated DNS for full-service management or delegate DNS to existing infrastructure while using IPA solely for identity and access management. When DNS is enabled, IPA can automatically maintain DNS records for hosts, services, and infrastructure components, reducing administrative overhead and preventing DNS-related authentication failures.
Zone Types
Master Zones
Master zones (managed through dnszone-* commands) contain authoritative DNS data for a domain. IPA DNS servers respond authoritatively to queries for these zones, providing definitive answers for resource records within the zone. Master zones support all standard DNS record types and can be configured for dynamic updates, zone transfers, and DNSSEC signing.
When a master zone is created in IPA, it is automatically replicated to all IPA servers with DNS enabled. This multi-master model ensures high availability and load distribution without manual zone transfer configuration. DNS updates made on any IPA server propagate to all other servers through standard LDAP replication.
Master zones serve as the foundation for IPA’s automatic DNS integration. When hosts are enrolled with --ip-address or --updatedns flags, IPA automatically creates and maintains A/AAAA records in the appropriate master zone. Service discovery records (SRV, TXT) for IPA infrastructure are also stored in master zones, enabling clients to locate LDAP servers, Kerberos KDCs, and certificate authorities.
Forward Zones
Forward zones (managed through dnsforwardzone-* commands) do not contain authoritative data. Instead, they forward DNS queries to specified upstream DNS servers. Forward zones enable IPA to delegate authority for specific domains while maintaining centralized DNS query routing.
Forward zones are particularly useful for split-horizon DNS scenarios, integration with external DNS systems, and conditional forwarding based on domain name. For example, a forward zone for cloud.example.com could forward queries to cloud provider DNS servers while maintaining authoritative data for the main example.com zone.
Forward zones respect the configured forward policy (first, only, none), determining fallback behavior when forwarders are unreachable. The “first” policy attempts forwarders before falling back to recursive resolution, while “only” policy returns failure if forwarders don’t respond. Forward zones do not support DNSSEC validation of forwarded responses in standard configurations.
Supported Record Types
IPA DNS supports comprehensive DNS record types for both IPv4 and IPv6 environments:
Address Records: A (IPv4), AAAA (IPv6), PTR (reverse lookup) Service Records: SRV (service location), MX (mail exchange), NS (nameserver) Security Records: SSHFP (SSH fingerprint), TLSA (DANE certificate association), DS (DNSSEC delegation signer) Text Records: TXT (text data), SPF (sender policy framework - deprecated, use TXT) Infrastructure Records: SOA (start of authority), CNAME (canonical name), DNAME (delegation name) Advanced Records: LOC (location), NAPTR (naming authority pointer), CAA (certificate authority authorization), URI, KX, CERT
Each record type is supported through both structured options (e.g., --mx-preference, --mx-exchanger) and raw format options (e.g., --mx-rec="10 mail.example.com"). Structured options provide validation and ease of use, while raw format supports advanced configurations and record types without specific structured support.
Structured Per-Type Options
Many DNS record types contain structured data with multiple components. For example, an MX record includes both a preference value (priority) and an exchanger (mail server hostname). A LOC record contains latitude degrees/minutes/seconds, longitude degrees/minutes/seconds, altitude, and size/precision values.
IPA provides structured options for these complex record types to simplify management and prevent syntax errors. Each supported record type offers both a raw format option (--<type>-rec) for direct value specification and structured component options (--<type>-<component>) for editing individual fields.
When creating records, administrators can use either approach but should not mix them in a single operation. When modifying existing records, structured options enable changing specific components without reconstructing the entire record. This is particularly valuable for records like SRV with multiple components where editing a single field (such as priority) should preserve other values (weight, port, target).
The interactive mode for dnsrecord-add, dnsrecord-mod, and dnsrecord-del provides guided workflows for complex record types, prompting for each component individually and offering intelligent defaults. This mode is especially helpful for occasional DNS administrators or when managing unfamiliar record types.
Dynamic DNS Updates
IPA DNS supports dynamic updates authenticated via Kerberos, enabling hosts to automatically maintain their own DNS records without granting broad DNS modification privileges. When a zone is configured for dynamic updates (--dynamic-update=TRUE), IPA automatically creates an update policy granting hosts permission to modify their own A, AAAA, and SSHFP records.
The default update policy uses the krb5-self keyword, restricting updates so each host can only modify records matching its own hostname. This prevents hosts from manipulating other hosts’ records while allowing legitimate self-updates. Administrators can customize update policies for advanced scenarios requiring different update permissions.
Dynamic updates are commonly used when hosts obtain IP addresses via DHCP and need to register those addresses in DNS automatically. SSSD on IPA clients can be configured to perform dynamic DNS updates when network configuration changes, ensuring DNS reflects current network state without manual intervention.
BIND’s update policy syntax in IPA supports Kerberos principal matching, allowing policies based on realm, hostname patterns, or specific principals. This flexibility enables scenarios like allowing a DHCP server principal to update records for any host, or restricting updates to specific network segments based on hostname conventions.
Zone Transfers and Replication
DNS zone transfers between IPA DNS servers occur automatically through LDAP replication rather than traditional DNS AXFR/IXFR mechanisms. This LDAP-based replication provides several advantages: changes propagate immediately as part of normal IPA replication, access control is managed through IPA’s LDAP ACL system, and zone consistency is guaranteed by the underlying directory replication.
For integration with external DNS servers (non-IPA secondaries), IPA supports traditional BIND zone transfers secured with TSIG keys. Zone transfer access is controlled through --allow-transfer settings specifying IP addresses, networks, or TSIG key names authorized to receive zone data. This enables IPA to serve as the master for non-IPA secondary servers in split management scenarios.
Zone transfer throttling and rate limiting follow standard BIND configuration, helping protect against resource exhaustion attacks or misconfigured secondary servers performing excessive transfers. Transfer logs are available through BIND’s query logging, providing audit trails for zone transfer activity.
Forwarders and Forwarding Policies
Global forwarders provide a default upstream DNS resolver for queries not answered authoritatively by IPA. These forwarders are typically an organization’s existing recursive resolvers or internet-facing DNS servers. Global forwarder configuration is stored in LDAP and applies to all IPA DNS servers unless overridden per-zone.
Forwarding policies determine behavior when forwarders are unavailable:
First: Query forwarders first; if they fail, perform standard recursive resolution using root hints. This policy provides resilience at the cost of potentially slower resolution when forwarders are down.
Only: Query only forwarders; if they fail, return SERVFAIL. This policy enforces strict forwarding but can cause resolution failures if forwarders are unreachable. Useful when direct internet DNS access is prohibited by policy.
None: Disable forwarding entirely for the zone. Queries perform recursive resolution from root servers or use zone delegation as appropriate. This policy is used to override global forwarding for specific zones.
Per-zone forwarding configurations override global settings, enabling different forwarding behavior for different domains. For example, internal zones might use local resolvers while external zones forward to internet-facing servers, or sensitive zones might use “only” policy while general zones use “first” for resilience.
Reverse Zones
Reverse DNS zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) provide IP address to hostname resolution. IPA can automatically create reverse zones using --name-from-ip with CIDR notation, generating the appropriate zone name for the specified network.
IPA supports automatic reverse record creation when forward records are added with --a-create-reverse or --aaaa-create-reverse flags. This automation ensures forward and reverse DNS consistency, important for many protocols and security mechanisms that validate reverse DNS.
Reverse zone delegation follows DNS standards, with classful boundaries (Class A, B, C for IPv4) or on nibble boundaries for IPv6. For networks not aligned with natural boundaries, classless reverse delegation (RFC 2317) can be configured manually using CNAME records.
Synchronization between forward and reverse records can be enabled globally (dnsconfig-mod --allow-sync-ptr=TRUE), automatically creating or removing PTR records when A/AAAA records change. This setting simplifies administration but requires careful planning to avoid unintended PTR record modifications.
EXAMPLES
Add new zone:
ipa dnszone-add example.com --admin-email=admin@example.comAdd system permission that can be used for per-zone privilege delegation:
ipa dnszone-add-permission example.comModify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
ipa dnszone-mod example.com --dynamic-update=TRUE This is the equivalent of: ipa dnszone-mod example.com --dynamic-update=TRUE $ --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"Modify the zone to allow zone transfers for local network only:
ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24Add new reverse zone specified by network IP address:
ipa dnszone-add --name-from-ip=192.0.2.0/24Add second nameserver for example.com:
ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.comAdd a mail server for example.com:
ipa dnsrecord-add example.com @ --mx-rec="10 mail1"Add another record using MX record specific options:
ipa
dnsrecord-addexample.com @ —mx-preference=20 —mx-exchanger=mail2Add another record using interactive mode (started when
dnsrecord-add,dnsrecord-mod,or
dnsrecord-delare executed with no options):ipa
dnsrecord-addexample.com @Please choose a type of DNS resource record to be added
The most common types for this type of zone are: NS, MX, LOC
DNS resource record type: MX
MX Preference: 30
MX Exchanger: mail3
Record name: example.com MX record: 10 mail1, 20 mail2, 30 mail3 NS record: nameserver.example.com., nameserver2.example.com.Delete previously added nameserver from example.com:
ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.Add LOC record for example.com:
ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"Add new A record for www.example.com. Create a reverse record in appropriate
reverse zone as well. In this case a PTR record “2” pointing to www.example.com
will be created in zone 2.0.192.in-addr.arpa.
ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverseAdd new PTR record for www.example.com
ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.Add new SRV records for LDAP servers. Three quarters of the requests
should go to fast.example.com, one quarter to slow.example.com. If neither
is available, switch to backup.example.com.
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"The interactive mode can be used for easy modification:
ipa
dnsrecord-modexample.com [ldap]{#ldap}._tcpNo option to modify specific record provided.
Current DNS record contents:
SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
Modify SRV record ‘0 3 389 fast.example.com’? Yes/No (default No):
Modify SRV record ‘0 1 389 slow.example.com’? Yes/No (default No): y
SRV Priority [0]: (keep the default value)
SRV Weight [1]: 2 (modified value)
SRV Port [389]: (keep the default value)
SRV Target [slow.example.com]: (keep the default value)
1 SRV record skipped. Only one value per DNS record type can be modified at one time.
Record name: _ldap._tcp SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.comAfter this modification, three fifths of the requests should go to
fast.example.com and two fifths to slow.example.com.
An example of the interactive mode for
dnsrecord-delcommand:ipa dnsrecord-del example.com www No option to delete specific record provided. Delete all? Yes/No (default No): (do not delete all records) Current DNS record contents: A record: 192.0.2.2, 192.0.2.3 Delete A record '192.0.2.2'? Yes/No (default No): Delete A record '192.0.2.3'? Yes/No (default No): y Record name: www A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)Show zone example.com:
ipa dnszone-show example.comFind zone with “example” in its domain name:
ipa dnszone-find exampleFind records for resources with “www” in their name in zone example.com:
ipa dnsrecord-find example.com wwwFind A records with value 192.0.2.2 in zone example.com
ipa dnsrecord-find example.com --a-rec=192.0.2.2Show records for resource www in zone example.com
ipa dnsrecord-show example.com wwwDelegate zone sub.example to another nameserver:
ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1 ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.Delete zone example.com with all resource records:
ipa dnszone-del example.comIf a global forwarder is configured, all queries for which this server is not
authoritative (e.g. sub.example.com) will be routed to the global forwarder.
Global forwarding configuration can be overridden per-zone.
Semantics of forwarding in IPA matches BIND semantics and depends on the type
of zone:
- Master zone: local BIND replies authoritatively to queries for data in
the given zone (including authoritative NXDOMAIN answers) and forwarding affects only queries for names below zone cuts (NS records) of locally served zones. * Forward zone: forward zone contains no authoritative data. BIND forwards queries, which cannot be answered from its local cache, to configured forwarders.Semantics of the —forward-policy option:
: - none - disable forwarding for the given zone. - first - forward all queries to configured forwarders. If they fail,
do resolution using DNS root servers. * only - forward all queries to configured forwarders and if they fail, return failure.Disable global forwarding for given sub-tree:
ipa dnszone-mod example.com --forward-policy=noneThis configuration forwards all queries for names outside the example.com sub-tree to global forwarders. Normal recursive resolution process is used for names inside the example.com sub-tree (i.e. NS records are followed etc.).
Forward all requests for the zone external.example.com to another forwarder
using a “first” policy (it will send the queries to the selected forwarder
and if not answered it will use global root servers):
ipa dnsforwardzone-add external.example.com --forward-policy=first $ --forwarder=203.0.113.1Change forward-policy for external.example.com:
ipa dnsforwardzone-mod external.example.com --forward-policy=onlyShow forward zone external.example.com:
ipa dnsforwardzone-show external.example.comList all forward zones:
ipa dnsforwardzone-findDelete forward zone external.example.com:
ipa dnsforwardzone-del external.example.comResolve a host name to see if it exists (will add default IPA domain
if one is not included):
ipa dns-resolve www.example.com ipa dns-resolve www
Per-Zone Permissions and Delegation
IPA supports fine-grained DNS administration through per-zone permissions. The dnszone-add-permission command creates a system permission allowing delegated administrators to manage a specific zone without granting access to other zones or broader IPA privileges.
Per-zone permissions enable organizational delegation scenarios: the web team manages web.example.com zone, the email team manages mail.example.com zone, and the network team manages reverse zones. Each team can add, modify, and delete records within their assigned zones without interfering with other zones.
Permission-based delegation integrates with IPA’s role-based access control system. Administrators create roles that include zone-specific permissions, then assign those roles to users or groups. This creates auditable delegation hierarchies where permission changes are tracked through role membership.
DNSSEC Support
IPA DNS integrates with BIND’s DNSSEC implementation, supporting signed zones with automated key management. DNSSEC provides cryptographic authentication of DNS responses, protecting against cache poisoning and man-in-the-middle attacks on DNS queries.
When DNSSEC is enabled for a zone, IPA automatically manages key generation, key rotation, and signature maintenance. Zone signing keys (ZSK) and key signing keys (KSK) are generated and rotated according to configured policies. Parent zone DS records must be manually configured to complete the DNSSEC chain of trust.
DNSSEC validation for forwarded zones requires careful configuration. IPA’s BIND configuration must trust the forwarder’s DNSSEC responses or validation must be disabled for specific forwarded zones to prevent validation failures.
Integration with IPA Infrastructure
IPA automatically maintains DNS records critical for infrastructure operation. When IPA servers are installed with DNS enabled, SRV records for Kerberos (_kerberos), LDAP (_ldap), and other services are created automatically. These records enable clients to discover IPA services without explicit configuration.
Location-based service records support geographically distributed IPA deployments. When IPA locations are configured and hosts are assigned to locations, IPA creates location-specific SRV records enabling clients to preferentially connect to nearby servers. The dns-update-system-records command regenerates these infrastructure records after topology changes.
When hosts are enrolled with DNS integration (ipa host-add --ip-address or client-side dynamic updates), A and AAAA records are automatically created and maintained. SSHFP records can be automatically published when hosts have SSH public keys in their LDAP entries, enabling DNS-based SSH host key verification.
Global DNS Configuration
DNS configuration consists of server-local settings (configured during installation, stored in /etc/named.conf) and global settings (stored in LDAP, accessible via dnsconfig-* commands). Global settings override local configuration and apply uniformly across all IPA DNS servers.
Common global configurations include:
- Global forwarders: Upstream DNS servers for recursive queries
- Forward policy: Default forwarding behavior (first, only, none)
- PTR synchronization: Automatic reverse record management for forward records
Show global DNS configuration:
ipa dnsconfig-show
Modify global DNS configuration to set forwarders:
ipa dnsconfig-mod --forwarder=203.0.113.113
Set multiple global forwarders with custom ports:
ipa dnsconfig-mod --forwarder=203.0.113.113 --forwarder="203.0.113.114 port 5353"
Configure global forward policy:
ipa dnsconfig-mod --forward-policy=first
Enable automatic PTR record synchronization:
ipa dnsconfig-mod --allow-sync-ptr=TRUE
Use Cases
Service Discovery with SRV Records
Scenario: Applications need to automatically discover LDAP servers across multiple datacenters.
Solution:
# Create SRV records for LDAP service discovery
ipa dnsrecord-add example.com _ldap._tcp \
--srv-priority=10 --srv-weight=60 --srv-port=389 \
--srv-target=ldap1.example.com
ipa dnsrecord-add example.com _ldap._tcp \
--srv-priority=10 --srv-weight=40 --srv-port=389 \
--srv-target=ldap2.example.com
# Clients use DNS SRV lookups to find LDAP servers
# dig SRV _ldap._tcp.example.com
# Returns both servers with priority/weight for load balancing
Split-Horizon DNS with Forward Zones
Scenario: Internal resources use private DNS, external resources forward to internet DNS.
Solution:
# Create master zone for internal domain
ipa dnszone-add internal.example.com
# Create forward zone for external cloud resources
ipa dnsforwardzone-add cloud.example.com \
--forwarder=8.8.8.8 --forwarder=8.8.4.4 \
--forward-policy=only
# Internal resources resolved authoritatively
# Cloud resources forwarded to Google DNS
Dynamic DNS for DHCP Environment
Scenario: Workstations receive DHCP addresses and need automatic DNS registration.
Solution:
# Enable dynamic updates on zone
ipa dnszone-mod workstations.example.com --dynamic-update=TRUE
# Configure SSSD on clients for dynamic DNS (automatic)
# Or configure DHCP server for DNS updates
# On DHCP server, configure Kerberos and update DNS:
# ddns-updates on;
# ddns-update-style interim;
# update-static-leases on;
Delegated Zone Management for Departments
Scenario: IT delegates DNS management for engineering subdomain to engineering team.
Solution:
# Create subdomain zone
ipa dnszone-add eng.example.com
# Create per-zone permission
ipa dnszone-add-permission eng.example.com
# Create role for engineering DNS admins
ipa role-add eng-dns-admin --desc="Engineering DNS administrators"
ipa role-add-privilege eng-dns-admin \
--privileges="DNS Administrators"
# Alternatively, grant zone-specific permission
ipa permission-mod "Manage DNS zone eng.example.com" \
--bindtype=permission
ipa role-add eng-zone-admin
ipa role-add-privilege eng-zone-admin \
--privileges="Manage DNS zone eng.example.com"
# Add engineering team members
ipa role-add-member eng-zone-admin --groups=engineering
Multi-Region DNS with Geolocation
Scenario: Global infrastructure with region-specific endpoints.
Solution:
# Create region-specific A records
ipa dnsrecord-add example.com www-us --a-rec=192.0.2.10
ipa dnsrecord-add example.com www-eu --a-rec=198.51.100.20
ipa dnsrecord-add example.com www-ap --a-rec=203.0.113.30
# Create geographic CNAMEs (client-side logic needed for selection)
# Or use global load balancer with geographic awareness
# Alternatively, use TXT records for location hints
ipa dnsrecord-add example.com www --txt-rec="geo=us-east"
Reverse DNS for Email Server Reputation
Scenario: Mail servers require proper reverse DNS for anti-spam compliance.
Solution:
# Create reverse zone for mail server subnet
ipa dnszone-add --name-from-ip=192.0.2.0/24
# Add forward record for mail server
ipa dnsrecord-add example.com mail --a-rec=192.0.2.50
# Add reverse record (PTR)
ipa dnsrecord-add 2.0.192.in-addr.arpa 50 --ptr-rec=mail.example.com.
# Verify forward and reverse match
dig mail.example.com
dig -x 192.0.2.50
# Add MX record
ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com"
DNSSEC-Secured Zone
Scenario: Enable DNSSEC for zone integrity and authentication.
Solution:
# Enable DNSSEC on zone
ipa dnszone-mod example.com --dnssec=TRUE
# IPA automatically:
# - Generates ZSK and KSK
# - Signs zone
# - Publishes DNSKEY records
# Retrieve DS records for parent zone delegation
ipa dnszone-show example.com --all | grep "DS record"
# Provide DS records to parent zone (.com registry)
# Parent publishes DS records completing chain of trust
DNS-Based Service High Availability
Scenario: Critical services need DNS-based failover.
Solution:
# Create multiple A records for same hostname (round-robin)
ipa dnsrecord-add example.com api --a-rec=192.0.2.10
ipa dnsrecord-add example.com api --a-rec=192.0.2.11
ipa dnsrecord-add example.com api --a-rec=192.0.2.12
# DNS round-robin distributes load across servers
# Failed servers require external health monitoring to remove
# For more sophisticated failover, use SRV records
ipa dnsrecord-add example.com _http._tcp.api \
--srv-priority=10 --srv-weight=50 --srv-port=443 \
--srv-target=api1.example.com
ipa dnsrecord-add example.com _http._tcp.api \
--srv-priority=20 --srv-weight=50 --srv-port=443 \
--srv-target=api2.example.com
# Priority 20 = backup server
CAA Records for Certificate Authority Authorization
Scenario: Restrict which CAs can issue certificates for domain.
Solution:
# Allow only specific CA to issue certificates
ipa dnsrecord-add example.com @ \
--caa-rec='0 issue "letsencrypt.org"'
# Disallow certificate issuance (CAA block)
ipa dnsrecord-add restricted.example.com @ \
--caa-rec='0 issue ";"'
# Send violation reports
ipa dnsrecord-add example.com @ \
--caa-rec='0 iodef "mailto:security@example.com"'
# CAs check CAA records before issuing certificates
# Prevents unauthorized certificate issuance
Security Considerations
Dynamic update policies grant modification rights: Zones with --dynamic-update=TRUE allow hosts to modify their own records. Compromised hosts could register arbitrary DNS entries. Use dynamic updates only when necessary and audit update activity.
Zone transfer access controls critical: Allowing unrestricted zone transfers (--allow-transfer) enables attackers to enumerate all DNS entries, revealing infrastructure topology. Restrict zone transfers to known secondary servers only.
DNSSEC key material security: DNSSEC private keys stored in IPA enable attackers with LDAP access to forge DNS responses. Protect DNSSEC keys with appropriate LDAP ACLs and monitor key access.
Wildcard records can be abused: Wildcard DNS records (*.example.com) match any subdomain. Attackers could exploit wildcards to claim arbitrary subdomains for phishing or data exfiltration. Use wildcards judiciously.
TXT records may contain sensitive data: TXT records often store SPF, DKIM, and configuration data. Avoid storing secrets or sensitive information in TXT records as they’re publicly queryable.
Forwarder compromise affects resolution: Malicious forwarders can return incorrect DNS responses, redirecting traffic to attacker-controlled systems. Use trusted forwarders only and consider DNSSEC validation.
PTR record mismatch enables impersonation: Forward and reverse DNS mismatches can confuse security mechanisms relying on reverse DNS validation. Maintain consistent forward/reverse records.
SRV record manipulation affects service discovery: Attackers with DNS modification rights could redirect service discovery to rogue servers via SRV record manipulation. Protect DNS zones with strong access controls.
DNS rebinding attacks via short TTLs: Extremely low TTL values combined with rapid record changes enable DNS rebinding attacks against browsers. Enforce minimum TTL values for public-facing records.
Zone enumeration via DNSSEC: DNSSEC zone walking (NSEC/NSEC3 traversal) can enumerate all records even without zone transfers. Use NSEC3 with opt-out for better privacy, but recognize complete enumeration prevention is impossible with DNSSEC.
Cached poisoning via forged responses: Without DNSSEC validation, cached DNS responses could be poisoned. Enable DNSSEC signing and validation for security-critical zones.
Per-zone delegation grants broad access: Zone-specific permissions grant complete control over the zone. Delegate carefully and review permission assignments regularly.
Global DNS configuration affects all zones: Changes to global forwarders or DNS config apply to all zones. Test global configuration changes thoroughly before deployment.
BIND vulnerabilities affect IPA DNS: IPA DNS runs BIND; BIND vulnerabilities could compromise IPA DNS. Keep IPA updated and monitor BIND security advisories.
Troubleshooting
Zone creation fails with “zone already exists”:
# Check if zone exists in IPA
ipa dnszone-find example.com
# If exists, either delete and recreate or modify existing
ipa dnszone-mod example.com --admin-email=newadmin@example.com
# If exists in BIND but not IPA (orphaned zone):
# Clean BIND configuration manually
DNS queries return SERVFAIL:
# Check zone status
ipa dnszone-show example.com
# Check if DNS servers are running
systemctl status named-pkcs11
# Check BIND logs
journalctl -u named-pkcs11 -n 50
# Verify zone loads correctly
named-checkzone example.com /var/named/dyndb-ldap/ipa/master/example.com
# Check for DNSSEC issues if enabled
ipa dnszone-show example.com | grep -i dnssec
Dynamic updates failing:
# Verify dynamic update enabled
ipa dnszone-show example.com | grep "Dynamic update"
# Check update policy
ipa dnszone-show example.com --all | grep "BIND update policy"
# Test update with nsupdate (Kerberos authenticated)
kinit host/hostname.example.com
nsupdate -g
> server ipa.example.com
> zone example.com
> update add test.example.com 300 A 192.0.2.100
> send
> quit
# Check logs for errors
journalctl -u named-pkcs11 | grep -i update
Reverse DNS not resolving:
# Verify reverse zone exists
ipa dnszone-find --name-from-ip=192.0.2.0/24
# Check PTR record exists
ipa dnsrecord-show 2.0.192.in-addr.arpa 100
# Test reverse lookup
dig -x 192.0.2.100
# If PTR missing, add it
ipa dnsrecord-add 2.0.192.in-addr.arpa 100 \
--ptr-rec=hostname.example.com.
DNSSEC validation failures:
# Check DNSSEC status
ipa dnszone-show example.com | grep DNSSEC
# Verify DNSKEY records published
dig DNSKEY example.com +dnssec
# Check if DS records are in parent zone
dig DS example.com +trace
# If DS records missing/incorrect, retrieve from IPA
ipa dnszone-show example.com --all | grep "DS record"
# Provide to parent zone operator
# Test DNSSEC validation
dig example.com +dnssec +multiline
Forwarders not working:
# Check global forwarders
ipa dnsconfig-show | grep -i forward
# Check per-zone forwarders
ipa dnsforwardzone-show cloud.example.com
# Test forwarder connectivity
dig @8.8.8.8 cloud.example.com
# Check forward policy
ipa dnsforwardzone-show cloud.example.com | grep "Forward policy"
# If policy "only" and forwarders unreachable, queries fail
# Change to "first" for fallback
ipa dnsforwardzone-mod cloud.example.com --forward-policy=first
Record addition fails with “invalid format”:
# Check record format matches type
# Common mistake: Missing trailing dot on FQDN
# Correct:
ipa dnsrecord-add example.com @ --ns-rec=ns1.example.com.
# Incorrect (missing dot):
ipa dnsrecord-add example.com @ --ns-rec=ns1.example.com
# Use structured options for complex records
ipa dnsrecord-add example.com _service._tcp \
--srv-priority=10 --srv-weight=50 --srv-port=443 \
--srv-target=server.example.com.
Zone transfer failing to external secondaries:
# Verify allow-transfer set
ipa dnszone-show example.com | grep "BIND transfer"
# Add external secondary IP
ipa dnszone-mod example.com --allow-transfer=203.0.113.10
# Check BIND query logs for transfer attempts
journalctl -u named-pkcs11 | grep -i transfer
# Verify firewall allows DNS traffic (port 53 TCP/UDP)
firewall-cmd --list-all | grep dns
Cannot delete DNS record - “not found”:
# List all records for name
ipa dnsrecord-show example.com www
# Delete must match exact record value
ipa dnsrecord-del example.com www --a-rec=192.0.2.10
# For records with trailing dots, include them
ipa dnsrecord-del example.com @ --ns-rec=ns1.example.com.
# Use interactive mode if unsure of exact value
ipa dnsrecord-del example.com www
# (prompts for record type and value to delete)
Permissions error adding records to zone:
# Check zone permissions
ipa dnszone-show example.com --all | grep -i permission
# Verify user has DNS privileges
ipa user-show username --all | grep -i role
# Add user to DNS administrators group
ipa group-add-member dnsadmins --users=username
# Or grant zone-specific permission
ipa dnszone-add-permission example.com
ipa permission-mod "Manage DNS zone example.com" \
--bindtype=permission
ipa role-add-member zone-admin --users=username
SRV records not being used by clients:
# Verify SRV record format
ipa dnsrecord-show example.com _ldap._tcp
# Test SRV lookup
dig SRV _ldap._tcp.example.com
# Common issues:
# - Wrong service/protocol names
# - Missing underscore prefixes
# - Incorrect priority/weight/port/target format
# Correct format:
ipa dnsrecord-add example.com _ldap._tcp \
--srv-rec="10 50 389 ldap.example.com."
DNS changes not propagating to all IPA servers:
# DNS uses LDAP replication
# Check replication status
ipa-replica-manage list
ipa-replica-manage list-ruv
# Force replication sync
ipa-replica-manage force-sync --from=ipa1.example.com
# Restart named on affected server
systemctl restart named-pkcs11
# Check if zone data consistent
# On each IPA server:
dig @localhost example.com SOA
# Serial numbers should match
TTL values not being respected:
# Check default TTL
ipa dnszone-show example.com | grep "Default time to live"
# Set zone default TTL
ipa dnszone-mod example.com --default-ttl=3600
# Set record-specific TTL
ipa dnsrecord-add example.com www --a-rec=192.0.2.10 --ttl=300
# Note: Clients may cache based on previous TTL
# Wait for old TTL to expire
BIND fails to start after IPA configuration:
# Check BIND configuration syntax
named-checkconf
# Check zone file syntax
named-checkzone example.com /var/named/dyndb-ldap/ipa/master/example.com
# Check BIND logs
journalctl -u named-pkcs11 -n 100
# Common issues:
# - DNSSEC key permissions
# - LDAP connection failures
# - Invalid zone data
# Verify LDAP connectivity
ldapsearch -Y GSSAPI -b "cn=dns,dc=example,dc=com"
Best Practices
Zone Design and Organization
Align zones with organizational structure: Create separate zones for different departments, applications, or environments (production, staging, development). This enables delegation to appropriate teams and isolates changes to specific organizational units.
Use subdomains for scalability: Rather than placing all records in a single large zone, create subdomains (web.example.com, api.example.com) for major functional areas. Smaller zones are easier to manage, delegate, and troubleshoot.
Plan reverse zones carefully: Create reverse zones for all allocated IP space. Consistent reverse DNS is required by many protocols (SMTP, SSH, Kerberos) and missing reverse records can cause authentication failures or service degradation.
Document zone delegation: Maintain clear records of which teams or individuals are responsible for each zone. This documentation aids incident response and prevents conflicting changes.
Record Management
Use structured options for complex records: Prefer --mx-preference --mx-exchanger over --mx-rec raw format. Structured options provide validation and prevent syntax errors that can break DNS resolution.
Leverage automatic reverse record creation: Use --a-create-reverse when adding A records to automatically maintain forward and reverse consistency. This prevents reverse DNS mismatches.
Test changes before committing: Use dnsrecord-show to verify records after adding or modifying them. DNS errors can be difficult to diagnose after the fact.
Minimize TTL for records undergoing changes: Lower TTL values (300-900 seconds) during planned changes reduce cache-related delays. Restore higher TTLs (3600+ seconds) after changes stabilize to reduce query load.
Dynamic Updates and Security
Restrict dynamic update permissions: Only enable dynamic updates (--dynamic-update=TRUE) for zones where hosts legitimately need to self-register. Unrestricted dynamic updates can enable DNS poisoning attacks.
Review update policies regularly: Default update policies use krb5-self to restrict updates to the owning host. Custom policies should be regularly audited to ensure they haven’t become overly permissive.
Monitor dynamic update activity: Review BIND logs for unexpected update patterns. Unusual update volumes or updates from unexpected principals may indicate misconfiguration or attacks.
Use TSIG for external zone transfers: When allowing zone transfers to non-IPA servers, use TSIG keys rather than IP-based restrictions alone. TSIG provides cryptographic authentication preventing unauthorized zone transfers.
Forwarder Configuration
Use reliable forwarders: Global forwarders should be highly available and geographically close to IPA servers. Forwarder failures impact all non-authoritative queries.
Set appropriate forward policies: Use “first” policy for general resilience, allowing fallback to recursive resolution. Reserve “only” policy for scenarios where policy requires queries to stay within specific infrastructure.
Monitor forwarder performance: Track query resolution times and failure rates for forwarders. Degraded forwarder performance impacts all DNS-dependent services.
Override global forwarding selectively: Use per-zone forwarding to route sensitive domains through specific forwarders or to disable forwarding for zones requiring direct recursive resolution.
DNSSEC Deployment
Enable DNSSEC incrementally: Start with non-critical zones to gain operational experience before enabling DNSSEC on critical infrastructure zones.
Automate DS record updates: Coordinate with parent zone administrators to establish automated DS record updates. Manual DS updates delay key rollovers and risk DNSSEC validation failures.
Monitor DNSSEC validation failures: Deploy monitoring for DNSSEC validation failures. Invalid signatures or missing trust chain elements cause resolution failures that may not be immediately obvious.
Plan for key rollover: Establish procedures for both routine automated key rollovers and emergency rollovers in case of key compromise. Test rollover procedures in non-production environments.
Operational Practices
Maintain DNS documentation: Document zone purposes, record type usage, delegation boundaries, and special configurations. DNS is often modified by multiple administrators; clear documentation prevents conflicts.
Use version control for zone planning: Track intended zone changes in version control before applying them. This provides audit history and rollback capability for configuration errors.
Implement change management for DNS: Require review and approval for changes to critical zones (IPA infrastructure zones, mail zones). DNS errors can cause widespread service disruption.
Regularly validate infrastructure records: Use dns-update-system-records to verify and regenerate IPA infrastructure SRV records after server additions, removals, or topology changes.
Audit zone permissions periodically: Review per-zone permissions and role assignments regularly. Remove permissions for staff who change roles or leave the organization.
Plan for DNS server outages: Ensure sufficient IPA DNS servers are deployed for redundancy. Clients should have multiple nameservers configured in resolv.conf.
Test DNS resolution from client perspective: Regularly query DNS from client systems to verify proper resolution, forwarder behavior, and infrastructure record functionality.
Integration and Automation
Integrate DNS with provisioning workflows: Configuration management tools (Ansible, Puppet) should create DNS records as part of host provisioning. This ensures DNS consistency with deployed infrastructure.
Use dns-resolve for validation: After creating or modifying records, use ipa dns-resolve to verify resolution from the IPA server perspective before declaring changes complete.
Coordinate with DHCP: If using dynamic DNS updates triggered by DHCP, ensure DHCP and DNS configurations are synchronized. Mismatched configurations cause failed updates.
Automate reverse zone creation: Script reverse zone creation for new network allocations to ensure reverse zones exist before hosts are added to those networks.
Integration with Other IPA Components
Host Enrollment
Hosts enrolled with ipa host-add --ip-address or ipa-client-install --ip-address automatically receive DNS A/AAAA records. Hosts using dynamic DNS updates via SSSD automatically update their records when IP addresses change.
Service Discovery
SRV records enable IPA clients to discover LDAP servers, Kerberos KDCs, certificate authorities, and NTP servers without explicit configuration. IPA automatically maintains these SRV records as topology changes.
SSH Integration
SSHFP records published to DNS enable SSH clients to verify host keys using DNS rather than known_hosts files. When combined with DNSSEC, this provides strong verification of SSH host identity.
Certificate Management
CAA records restrict which certificate authorities can issue certificates for domains under IPA management. TLSA records (DANE) publish certificate fingerprints in DNS for additional certificate validation.
Trust Relationships
When trusts with Active Directory are established, DNS forwarders or conditional forwarding ensure IPA servers can resolve AD domain names. Proper DNS configuration is critical for trust functionality.
Commands
dns-update-system-records
Usage: ipa [global-options] dns-update-system-records [options]
Update location and IPA server DNS records
Options
| Option | Description |
|---|---|
--dry-run | Do not update records only return expected records |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsconfig-mod
Usage: ipa [global-options] dnsconfig-mod [options]
Modify global DNS configuration.
Options
| Option | Description |
|---|---|
--forwarder FORWARDER | Global forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Global forwarding policy. Set to “none” to disable any configured global forwarders. |
--allow-sync-ptr ALLOW-SYNC-PTR | Allow synchronization of forward (A, AAAA) and reverse (PTR) records |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsconfig-show
Usage: ipa [global-options] dnsconfig-show [options]
Show the current global DNS configuration.
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsforwardzone-add
Usage: ipa [global-options] dnsforwardzone-add NAME [options]
Create new DNS forward zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--skip-overlap-check | Force DNS zone creation even if it will overlap with an existing zone. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsforwardzone-add-permission
Usage:
ipa [global-options] dnsforwardzone-add-permission NAME [options]
Add a permission for per-forward zone access delegation.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnsforwardzone-del
Usage: ipa [global-options] dnsforwardzone-del NAME [options]
Delete DNS forward zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
dnsforwardzone-disable
Usage: ipa [global-options] dnsforwardzone-disable NAME [options]
Disable DNS Forward Zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnsforwardzone-enable
Usage: ipa [global-options] dnsforwardzone-enable NAME [options]
Enable DNS Forward Zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnsforwardzone-find
Usage:
ipa [global-options] dnsforwardzone-find [CRITERIA] [options]
Search for DNS forward zones.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Zone name (FQDN) |
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--zone-active ZONE-ACTIVE | Is zone active? |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
dnsforwardzone-mod
Usage: ipa [global-options] dnsforwardzone-mod NAME [options]
Modify DNS forward zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsforwardzone-remove-permission
Usage:
ipa [global-options] dnsforwardzone-remove-permission NAME [options]
Remove a permission for per-forward zone access delegation.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnsforwardzone-show
Usage: ipa [global-options] dnsforwardzone-show NAME [options]
Display information about a DNS forward zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsrecord-add
Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]
Add new DNS resource record.
Arguments
| Argument | Required | Description |
|---|---|---|
DNSZONE | yes | Zone name (FQDN) |
NAME yes Record name
Options
| Option | Description |
|---|---|
--ttl TTL | Time to live |
--a-rec A-REC | Raw A records |
--a-ip-address A-IP-ADDRESS | A IP Address |
--a-create-reverse | Create reverse record for this IP Address |
--aaaa-rec AAAA-REC | Raw AAAA records |
--aaaa-ip-address AAAA-IP-ADDRESS | AAAA IP Address |
--aaaa-create-reverse | Create reverse record for this IP Address |
--a6-rec A6-REC | Raw A6 records |
--a6-data A6-DATA | A6 Record data |
--afsdb-rec AFSDB-REC | Raw AFSDB records |
--afsdb-subtype AFSDB-SUBTYPE | AFSDB Subtype |
--afsdb-hostname AFSDB-HOSTNAME | AFSDB Hostname |
--cert-rec CERT-REC | Raw CERT records |
--cert-type CERT-TYPE | CERT Certificate Type |
--cert-key-tag CERT-KEY-TAG | CERT Key Tag |
--cert-algorithm CERT-ALGORITHM | CERT Algorithm |
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRL | CERT Certificate/CRL |
--cname-rec CNAME-REC | Raw CNAME records |
--cname-hostname CNAME-HOSTNAME | A hostname which this alias hostname points to |
--dlv-rec DLV-REC | Raw DLV records |
--dlv-key-tag DLV-KEY-TAG | DLV Key Tag |
--dlv-algorithm DLV-ALGORITHM | DLV Algorithm |
--dlv-digest-type DLV-DIGEST-TYPE | DLV Digest Type |
--dlv-digest DLV-DIGEST | DLV Digest |
--dname-rec DNAME-REC | Raw DNAME records |
--dname-target DNAME-TARGET | DNAME Target |
--ds-rec DS-REC | Raw DS records |
--ds-key-tag DS-KEY-TAG | DS Key Tag |
--ds-algorithm DS-ALGORITHM | DS Algorithm |
--ds-digest-type DS-DIGEST-TYPE | DS Digest Type |
--ds-digest DS-DIGEST | DS Digest |
--kx-rec KX-REC | Raw KX records |
--kx-preference KX-PREFERENCE | Preference given to this exchanger. Lower values are more preferred |
--kx-exchanger KX-EXCHANGER | A host willing to act as a key exchanger |
--loc-rec LOC-REC | Raw LOC records |
--loc-lat-deg LOC-LAT-DEG | LOC Degrees Latitude |
--loc-lat-min LOC-LAT-MIN | LOC Minutes Latitude |
--loc-lat-sec LOC-LAT-SEC | LOC Seconds Latitude |
--loc-lat-dir LOC-LAT-DIR | LOC Direction Latitude |
--loc-lon-deg LOC-LON-DEG | LOC Degrees Longitude |
--loc-lon-min LOC-LON-MIN | LOC Minutes Longitude |
--loc-lon-sec LOC-LON-SEC | LOC Seconds Longitude |
--loc-lon-dir LOC-LON-DIR | LOC Direction Longitude |
--loc-altitude LOC-ALTITUDE | LOC Altitude |
--loc-size LOC-SIZE | LOC Size |
--loc-h-precision LOC-H-PRECISION | LOC Horizontal Precision |
--loc-v-precision LOC-V-PRECISION | LOC Vertical Precision |
--mx-rec MX-REC | Raw MX records |
--mx-preference MX-PREFERENCE | Preference given to this exchanger. Lower values are more preferred |
--mx-exchanger MX-EXCHANGER | A host willing to act as a mail exchanger |
--naptr-rec NAPTR-REC | Raw NAPTR records |
--naptr-order NAPTR-ORDER | NAPTR Order |
--naptr-preference NAPTR-PREFERENCE | NAPTR Preference |
--naptr-flags NAPTR-FLAGS | NAPTR Flags |
--naptr-service NAPTR-SERVICE | NAPTR Service |
--naptr-regexp NAPTR-REGEXP | NAPTR Regular Expression |
--naptr-replacement NAPTR-REPLACEMENT | NAPTR Replacement |
--ns-rec NS-REC | Raw NS records |
--ns-hostname NS-HOSTNAME | NS Hostname |
--ptr-rec PTR-REC | Raw PTR records |
--ptr-hostname PTR-HOSTNAME | The hostname this reverse record points to |
--srv-rec SRV-REC | Raw SRV records |
--srv-priority SRV-PRIORITY | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. |
--srv-weight SRV-WEIGHT | Relative weight for entries with the same priority. |
--srv-port SRV-PORT | SRV Port |
--srv-target SRV-TARGET | The domain name of the target host or ’.’ if the service is decidedly not available at this domain |
--sshfp-rec SSHFP-REC | Raw SSHFP records |
--sshfp-algorithm SSHFP-ALGORITHM | SSHFP Algorithm |
--sshfp-fp-type SSHFP-FP-TYPE | SSHFP Fingerprint Type |
--sshfp-fingerprint SSHFP-FINGERPRINT | SSHFP Fingerprint |
--tlsa-rec TLSA-REC | Raw TLSA records |
--tlsa-cert-usage TLSA-CERT-USAGE | TLSA Certificate Usage |
--tlsa-selector TLSA-SELECTOR | TLSA Selector |
--tlsa-matching-type TLSA-MATCHING-TYPE | TLSA Matching Type |
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATA | TLSA Certificate Association Data |
--txt-rec TXT-REC | Raw TXT records |
--txt-data TXT-DATA | TXT Text Data |
--uri-rec URI-REC | Raw URI records |
--uri-priority URI-PRIORITY | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. |
--uri-weight URI-WEIGHT | Relative weight for entries with the same priority. |
--uri-target URI-TARGET | Target Uniform Resource Identifier according to RFC 3986 |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--force | force NS record creation even if its hostname is not in DNS |
--structured | Parse all raw DNS records and return them in a structured way |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsrecord-del
Usage: ipa [global-options] dnsrecord-del DNSZONE NAME [options]
Delete DNS resource record.
Arguments
| Argument | Required | Description |
|---|---|---|
DNSZONE | yes | Zone name (FQDN) |
NAME yes Record name
Options
| Option | Description |
|---|---|
--ttl TTL | Time to live |
--a-rec A-REC | Raw A records |
--aaaa-rec AAAA-REC | Raw AAAA records |
--a6-rec A6-REC | Raw A6 records |
--afsdb-rec AFSDB-REC | Raw AFSDB records |
--cert-rec CERT-REC | Raw CERT records |
--cname-rec CNAME-REC | Raw CNAME records |
--dlv-rec DLV-REC | Raw DLV records |
--dname-rec DNAME-REC | Raw DNAME records |
--ds-rec DS-REC | Raw DS records |
--kx-rec KX-REC | Raw KX records |
--loc-rec LOC-REC | Raw LOC records |
--mx-rec MX-REC | Raw MX records |
--naptr-rec NAPTR-REC | Raw NAPTR records |
--ns-rec NS-REC | Raw NS records |
--ptr-rec PTR-REC | Raw PTR records |
--srv-rec SRV-REC | Raw SRV records |
--sshfp-rec SSHFP-REC | Raw SSHFP records |
--tlsa-rec TLSA-REC | Raw TLSA records |
--txt-rec TXT-REC | Raw TXT records |
--uri-rec URI-REC | Raw URI records |
--del-all | Delete all associated records |
--structured | Parse all raw DNS records and return them in a structured way |
--raw |
dnsrecord-find
Usage:
ipa [global-options] dnsrecord-find DNSZONE [CRITERIA] [options]
Search for DNS resources.
Arguments
| Argument | Required | Description |
|---|---|---|
DNSZONE | yes | Zone name (FQDN) |
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Record name |
--ttl TTL | Time to live |
--a-rec A-REC | Raw A records |
--aaaa-rec AAAA-REC | Raw AAAA records |
--a6-rec A6-REC | Raw A6 records |
--afsdb-rec AFSDB-REC | Raw AFSDB records |
--cert-rec CERT-REC | Raw CERT records |
--cname-rec CNAME-REC | Raw CNAME records |
--dlv-rec DLV-REC | Raw DLV records |
--dname-rec DNAME-REC | Raw DNAME records |
--ds-rec DS-REC | Raw DS records |
--kx-rec KX-REC | Raw KX records |
--loc-rec LOC-REC | Raw LOC records |
--mx-rec MX-REC | Raw MX records |
--naptr-rec NAPTR-REC | Raw NAPTR records |
--ns-rec NS-REC | Raw NS records |
--ptr-rec PTR-REC | Raw PTR records |
--srv-rec SRV-REC | Raw SRV records |
--sshfp-rec SSHFP-REC | Raw SSHFP records |
--tlsa-rec TLSA-REC | Raw TLSA records |
--txt-rec TXT-REC | Raw TXT records |
--uri-rec URI-REC | Raw URI records |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--structured | Parse all raw DNS records and return them in a structured way |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
dnsrecord-mod
Usage: ipa [global-options] dnsrecord-mod DNSZONE NAME [options]
Modify a DNS resource record.
Arguments
| Argument | Required | Description |
|---|---|---|
DNSZONE | yes | Zone name (FQDN) |
NAME yes Record name
Options
| Option | Description |
|---|---|
--ttl TTL | Time to live |
--a-rec A-REC | Raw A records |
--a-ip-address A-IP-ADDRESS | A IP Address |
--aaaa-rec AAAA-REC | Raw AAAA records |
--aaaa-ip-address AAAA-IP-ADDRESS | AAAA IP Address |
--a6-rec A6-REC | Raw A6 records |
--a6-data A6-DATA | A6 Record data |
--afsdb-rec AFSDB-REC | Raw AFSDB records |
--afsdb-subtype AFSDB-SUBTYPE | AFSDB Subtype |
--afsdb-hostname AFSDB-HOSTNAME | AFSDB Hostname |
--cert-rec CERT-REC | Raw CERT records |
--cert-type CERT-TYPE | CERT Certificate Type |
--cert-key-tag CERT-KEY-TAG | CERT Key Tag |
--cert-algorithm CERT-ALGORITHM | CERT Algorithm |
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRL | CERT Certificate/CRL |
--cname-rec CNAME-REC | Raw CNAME records |
--cname-hostname CNAME-HOSTNAME | A hostname which this alias hostname points to |
--dlv-rec DLV-REC | Raw DLV records |
--dlv-key-tag DLV-KEY-TAG | DLV Key Tag |
--dlv-algorithm DLV-ALGORITHM | DLV Algorithm |
--dlv-digest-type DLV-DIGEST-TYPE | DLV Digest Type |
--dlv-digest DLV-DIGEST | DLV Digest |
--dname-rec DNAME-REC | Raw DNAME records |
--dname-target DNAME-TARGET | DNAME Target |
--ds-rec DS-REC | Raw DS records |
--ds-key-tag DS-KEY-TAG | DS Key Tag |
--ds-algorithm DS-ALGORITHM | DS Algorithm |
--ds-digest-type DS-DIGEST-TYPE | DS Digest Type |
--ds-digest DS-DIGEST | DS Digest |
--kx-rec KX-REC | Raw KX records |
--kx-preference KX-PREFERENCE | Preference given to this exchanger. Lower values are more preferred |
--kx-exchanger KX-EXCHANGER | A host willing to act as a key exchanger |
--loc-rec LOC-REC | Raw LOC records |
--loc-lat-deg LOC-LAT-DEG | LOC Degrees Latitude |
--loc-lat-min LOC-LAT-MIN | LOC Minutes Latitude |
--loc-lat-sec LOC-LAT-SEC | LOC Seconds Latitude |
--loc-lat-dir LOC-LAT-DIR | LOC Direction Latitude |
--loc-lon-deg LOC-LON-DEG | LOC Degrees Longitude |
--loc-lon-min LOC-LON-MIN | LOC Minutes Longitude |
--loc-lon-sec LOC-LON-SEC | LOC Seconds Longitude |
--loc-lon-dir LOC-LON-DIR | LOC Direction Longitude |
--loc-altitude LOC-ALTITUDE | LOC Altitude |
--loc-size LOC-SIZE | LOC Size |
--loc-h-precision LOC-H-PRECISION | LOC Horizontal Precision |
--loc-v-precision LOC-V-PRECISION | LOC Vertical Precision |
--mx-rec MX-REC | Raw MX records |
--mx-preference MX-PREFERENCE | Preference given to this exchanger. Lower values are more preferred |
--mx-exchanger MX-EXCHANGER | A host willing to act as a mail exchanger |
--naptr-rec NAPTR-REC | Raw NAPTR records |
--naptr-order NAPTR-ORDER | NAPTR Order |
--naptr-preference NAPTR-PREFERENCE | NAPTR Preference |
--naptr-flags NAPTR-FLAGS | NAPTR Flags |
--naptr-service NAPTR-SERVICE | NAPTR Service |
--naptr-regexp NAPTR-REGEXP | NAPTR Regular Expression |
--naptr-replacement NAPTR-REPLACEMENT | NAPTR Replacement |
--ns-rec NS-REC | Raw NS records |
--ns-hostname NS-HOSTNAME | NS Hostname |
--ptr-rec PTR-REC | Raw PTR records |
--ptr-hostname PTR-HOSTNAME | The hostname this reverse record points to |
--srv-rec SRV-REC | Raw SRV records |
--srv-priority SRV-PRIORITY | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. |
--srv-weight SRV-WEIGHT | Relative weight for entries with the same priority. |
--srv-port SRV-PORT | SRV Port |
--srv-target SRV-TARGET | The domain name of the target host or ’.’ if the service is decidedly not available at this domain |
--sshfp-rec SSHFP-REC | Raw SSHFP records |
--sshfp-algorithm SSHFP-ALGORITHM | SSHFP Algorithm |
--sshfp-fp-type SSHFP-FP-TYPE | SSHFP Fingerprint Type |
--sshfp-fingerprint SSHFP-FINGERPRINT | SSHFP Fingerprint |
--tlsa-rec TLSA-REC | Raw TLSA records |
--tlsa-cert-usage TLSA-CERT-USAGE | TLSA Certificate Usage |
--tlsa-selector TLSA-SELECTOR | TLSA Selector |
--tlsa-matching-type TLSA-MATCHING-TYPE | TLSA Matching Type |
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATA | TLSA Certificate Association Data |
--txt-rec TXT-REC | Raw TXT records |
--txt-data TXT-DATA | TXT Text Data |
--uri-rec URI-REC | Raw URI records |
--uri-priority URI-PRIORITY | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. |
--uri-weight URI-WEIGHT | Relative weight for entries with the same priority. |
--uri-target URI-TARGET | Target Uniform Resource Identifier according to RFC 3986 |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--structured | Parse all raw DNS records and return them in a structured way |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--rename RENAME | Rename the DNS resource record object |
dnsrecord-show
Usage: ipa [global-options] dnsrecord-show DNSZONE NAME [options]
Display DNS resource.
Arguments
| Argument | Required | Description |
|---|---|---|
DNSZONE | yes | Zone name (FQDN) |
NAME yes Record name
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--structured | Parse all raw DNS records and return them in a structured way |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsserver-add
Usage: ipa [global-options] dnsserver-add HOSTNAME [options]
Add a new DNS server.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | DNS Server name |
Options
| Option | Description |
|---|---|
--soa-mname-override SOA-MNAME-OVERRIDE | SOA mname (authoritative server) override |
--forwarder FORWARDER | Per-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsserver-del
Usage: ipa [global-options] dnsserver-del HOSTNAME [options]
Delete a DNS server
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | DNS Server name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
dnsserver-find
Usage: ipa [global-options] dnsserver-find [CRITERIA] [options]
Search for DNS servers.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--hostname HOSTNAME | DNS Server name |
--soa-mname-override SOA-MNAME-OVERRIDE | SOA mname (authoritative server) override |
--forwarder FORWARDER | Per-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“hostname”) |
dnsserver-mod
Usage: ipa [global-options] dnsserver-mod HOSTNAME [options]
Modify DNS server configuration
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | DNS Server name |
Options
| Option | Description |
|---|---|
--soa-mname-override SOA-MNAME-OVERRIDE | SOA mname (authoritative server) override |
--forwarder FORWARDER | Per-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnsserver-show
Usage: ipa [global-options] dnsserver-show HOSTNAME [options]
Display configuration of a DNS server.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | DNS Server name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnszone-add
Usage: ipa [global-options] dnszone-add NAME [options]
Create new DNS zone (SOA record).
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--name-server NAME-SERVER | Authoritative nameserver domain name |
--admin-email ADMIN-EMAIL | Administrator e-mail address |
--refresh REFRESH | SOA record refresh time |
--retry RETRY | SOA record retry time |
--expire EXPIRE | SOA record expire time |
--minimum MINIMUM | How long should negative responses be cached |
--ttl TTL | Time to live for records at zone apex |
--default-ttl DEFAULT-TTL | Time to live for records without explicit TTL definition |
--update-policy UPDATE-POLICY | BIND update policy |
--dynamic-update DYNAMIC-UPDATE | Allow dynamic updates. |
--allow-query ALLOW-QUERY | Semicolon separated list of IP addresses or networks which are allowed to issue queries |
--allow-transfer ALLOW-TRANSFER | Semicolon separated list of IP addresses or networks which are allowed to transfer the zone |
--allow-sync-ptr ALLOW-SYNC-PTR | Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone |
--dnssec DNSSEC | Allow inline DNSSEC signing of records in the zone |
--nsec3param-rec NSEC3PARAM-REC | NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--skip-overlap-check | Force DNS zone creation even if it will overlap with an existing zone. |
--force | Force DNS zone creation even if nameserver is not resolvable. (Deprecated) |
--skip-nameserver-check | Force DNS zone creation even if nameserver is not resolvable. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnszone-add-permission
Usage: ipa [global-options] dnszone-add-permission NAME [options]
Add a permission for per-zone access delegation.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnszone-del
Usage: ipa [global-options] dnszone-del NAME [options]
Delete DNS zone (SOA record).
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
dnszone-disable
Usage: ipa [global-options] dnszone-disable NAME [options]
Disable DNS Zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnszone-enable
Usage: ipa [global-options] dnszone-enable NAME [options]
Enable DNS Zone.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnszone-find
Usage: ipa [global-options] dnszone-find [CRITERIA] [options]
Search for DNS zones (SOA records).
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Zone name (FQDN) |
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--zone-active ZONE-ACTIVE | Is zone active? |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--name-server NAME-SERVER | Authoritative nameserver domain name |
--admin-email ADMIN-EMAIL | Administrator e-mail address |
--refresh REFRESH | SOA record refresh time |
--retry RETRY | SOA record retry time |
--expire EXPIRE | SOA record expire time |
--minimum MINIMUM | How long should negative responses be cached |
--ttl TTL | Time to live for records at zone apex |
--default-ttl DEFAULT-TTL | Time to live for records without explicit TTL definition |
--update-policy UPDATE-POLICY | BIND update policy |
--dynamic-update DYNAMIC-UPDATE | Allow dynamic updates. |
--allow-query ALLOW-QUERY | Semicolon separated list of IP addresses or networks which are allowed to issue queries |
--allow-transfer ALLOW-TRANSFER | Semicolon separated list of IP addresses or networks which are allowed to transfer the zone |
--allow-sync-ptr ALLOW-SYNC-PTR | Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone |
--dnssec DNSSEC | Allow inline DNSSEC signing of records in the zone |
--nsec3param-rec NSEC3PARAM-REC | NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--forward-only | Search for forward zones only |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
dnszone-mod
Usage: ipa [global-options] dnszone-mod NAME [options]
Modify DNS zone (SOA record).
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--name-from-ip NAME-FROM-IP | IP network to create reverse zone name from |
--forwarder FORWARDER | Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT” |
--forward-policy FORWARD-POLICY | Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. |
--name-server NAME-SERVER | Authoritative nameserver domain name |
--admin-email ADMIN-EMAIL | Administrator e-mail address |
--refresh REFRESH | SOA record refresh time |
--retry RETRY | SOA record retry time |
--expire EXPIRE | SOA record expire time |
--minimum MINIMUM | How long should negative responses be cached |
--ttl TTL | Time to live for records at zone apex |
--default-ttl DEFAULT-TTL | Time to live for records without explicit TTL definition |
--update-policy UPDATE-POLICY | BIND update policy |
--dynamic-update DYNAMIC-UPDATE | Allow dynamic updates. |
--allow-query ALLOW-QUERY | Semicolon separated list of IP addresses or networks which are allowed to issue queries |
--allow-transfer ALLOW-TRANSFER | Semicolon separated list of IP addresses or networks which are allowed to transfer the zone |
--allow-sync-ptr ALLOW-SYNC-PTR | Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone |
--dnssec DNSSEC | Allow inline DNSSEC signing of records in the zone |
--nsec3param-rec NSEC3PARAM-REC | NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--force | Force nameserver change even if nameserver not in DNS |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
dnszone-remove-permission
Usage:
ipa [global-options] dnszone-remove-permission NAME [options]
Remove a permission for per-zone access delegation.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
dnszone-show
Usage: ipa [global-options] dnszone-show NAME [options]
Display information about a DNS zone (SOA record).
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Zone name (FQDN) |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |