DNS Management
Manage DNS zones and resource records with integrated DNSSEC support. Features include master and forward zones, comprehensive record type support (A, AAAA, MX, SRV, PTR, TXT, etc.), dynamic updates with Kerberos authentication, zone transfers with TSIG, per-zone permissions for delegation, and interactive record management. Supports both IPv4 and IPv6, reverse zones, and DNS-based service discovery for IPA infrastructure.
Overview
FreeIPA includes an integrated DNS server providing authoritative DNS services for the IPA domain and optionally for other managed zones. This integration enables automatic DNS record management for IPA infrastructure, service discovery through SRV records, dynamic host record updates with Kerberos authentication, and centralized DNS administration through IPA’s command-line and web interfaces.
The IPA DNS implementation is built on BIND (Berkeley Internet Name Domain), storing zone data in the IPA LDAP directory rather than traditional zone files. This LDAP-based storage enables multi-master replication of DNS data across IPA servers, provides consistent DNS views across the domain, and allows fine-grained access control through IPA’s permission system. DNS zones replicate automatically alongside other IPA data, maintaining consistency without separate zone transfer configurations between IPA servers.
DNS is optional in FreeIPA deployments. Organizations can choose to use IPA’s integrated DNS for full-service management or delegate DNS to existing infrastructure while using IPA solely for identity and access management. When DNS is enabled, IPA can automatically maintain DNS records for hosts, services, and infrastructure components, reducing administrative overhead and preventing DNS-related authentication failures.
Zone Types
Master Zones
Master zones (managed through dnszone-* commands) contain authoritative DNS data for a domain. IPA DNS servers respond authoritatively to queries for these zones, providing definitive answers for resource records within the zone. Master zones support all standard DNS record types and can be configured for dynamic updates, zone transfers, and DNSSEC signing.
When a master zone is created in IPA, it is automatically replicated to all IPA servers with DNS enabled. This multi-master model ensures high availability and load distribution without manual zone transfer configuration. DNS updates made on any IPA server propagate to all other servers through standard LDAP replication.
Master zones serve as the foundation for IPA’s automatic DNS integration. When hosts are enrolled with --ip-address or --updatedns flags, IPA automatically creates and maintains A/AAAA records in the appropriate master zone. Service discovery records (SRV, TXT) for IPA infrastructure are also stored in master zones, enabling clients to locate LDAP servers, Kerberos KDCs, and certificate authorities.
Forward Zones
Forward zones (managed through dnsforwardzone-* commands) do not contain authoritative data. Instead, they forward DNS queries to specified upstream DNS servers. Forward zones enable IPA to delegate authority for specific domains while maintaining centralized DNS query routing.
Forward zones are particularly useful for split-horizon DNS scenarios, integration with external DNS systems, and conditional forwarding based on domain name. For example, a forward zone for cloud.example.com could forward queries to cloud provider DNS servers while maintaining authoritative data for the main example.com zone.
Forward zones respect the configured forward policy (first, only, none), which determines the fallback behavior when forwarders are unreachable. The “first” policy tries the forwarders before falling back to recursive resolution, while the “only” policy returns a failure if the forwarders do not respond. Forward zones do not support DNSSEC validation of forwarded responses in standard configurations.
Supported Record Types
IPA DNS supports comprehensive DNS record types for both IPv4 and IPv6 environments:
- Address Records: A (IPv4), AAAA (IPv6), PTR (reverse lookup)
- Service Records: SRV (service location), MX (mail exchange), NS (nameserver)
- Security Records: SSHFP (SSH fingerprint), TLSA (DANE certificate association), DS (DNSSEC delegation signer)
- Text Records: TXT (text data), SPF (sender policy framework - deprecated, use TXT)
- Infrastructure Records: SOA (start of authority), CNAME (canonical name), DNAME (delegation name)
- Advanced Records: LOC (location), NAPTR (naming authority pointer), CAA (certificate authority authorization), URI, KX, CERT
Each record type is supported through both structured options (e.g., --mx-preference, --mx-exchanger) and raw format options (e.g., --mx-rec="10 mail.example.com"). Structured options provide validation and ease of use, while raw format supports advanced configurations and record types without specific structured support.
Structured Per-Type Options
Many DNS record types contain structured data with multiple components. For example, an MX record includes both a preference value (priority) and an exchanger (mail server hostname). A LOC record contains latitude degrees/minutes/seconds, longitude degrees/minutes/seconds, altitude, and size/precision values.
IPA provides structured options for these complex record types to simplify management and prevent syntax errors. Each supported record type offers both a raw format option (--<type>-rec) for direct value specification and structured component options (--<type>-<component>) for editing individual fields.
When creating records, administrators can use either approach but should not mix them in a single operation. When modifying existing records, structured options enable changing specific components without reconstructing the entire record. This is particularly valuable for records like SRV with multiple components where editing a single field (such as priority) should preserve other values (weight, port, target).
The interactive mode for dnsrecord-add, dnsrecord-mod, and dnsrecord-del provides guided workflows for complex record types, prompting for each component individually and offering intelligent defaults. This mode is especially helpful for occasional DNS administrators or when managing unfamiliar record types.
Dynamic DNS Updates
IPA DNS supports dynamic updates authenticated via Kerberos, enabling hosts to automatically maintain their own DNS records without granting broad DNS modification privileges. When a zone is configured for dynamic updates (--dynamic-update=TRUE), IPA automatically creates an update policy granting hosts permission to modify their own A, AAAA, and SSHFP records.
The default update policy uses the krb5-self keyword, restricting updates so each host can only modify records matching its own hostname. This prevents hosts from manipulating other hosts’ records while allowing legitimate self-updates. Administrators can customize update policies for advanced scenarios requiring different update permissions.
Dynamic updates are commonly used when hosts obtain IP addresses via DHCP and need to register those addresses in DNS automatically. SSSD on IPA clients can be configured to perform dynamic DNS updates when network configuration changes, ensuring DNS reflects current network state without manual intervention.
BIND’s update policy syntax in IPA supports Kerberos principal matching, allowing policies based on realm, hostname patterns, or specific principals. This flexibility enables scenarios like allowing a DHCP server principal to update records for any host, or restricting updates to specific network segments based on hostname conventions.
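Added example (not FreeIPA code): the Python below builds the krb5-self policy string that --dynamic-update=TRUE installs for a realm (the same grants shown in the EXAMPLES section) and audits a policy read back from a zone for anything wider than that default. The Grant class and the parsed grammar subset ("grant REALM MATCHTYPE NAME [RRTYPES];") are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not FreeIPA code): generate the krb5-self update policy that
# "ipa dnszone-mod ZONE --dynamic-update=TRUE" installs for a realm, and audit a
# policy string read back from a zone for anything wider than that default.
# Assumption: only the "grant REALM MATCHTYPE NAME [RRTYPES...];" form shown on
# this page is parsed; any other statement is reported rather than ignored.

SELF_TYPES = ("A", "AAAA", "SSHFP")
GRANT_RE = re.compile(r"grant\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)")


@dataclass(frozen=True)
class Grant:
    realm: str
    matchtype: str            # krb5-self, krb5-subdomain, ...
    name: str                 # "*" in the default policy
    rrtypes: Tuple[str, ...]  # empty tuple: BIND's default type set


def default_update_policy(realm: str) -> str:
    """Policy equivalent to --dynamic-update=TRUE, as shown in the EXAMPLES."""
    return " ".join(f"grant {realm} krb5-self * {t};" for t in SELF_TYPES)


def parse_update_policy(policy: str) -> Tuple[List[Grant], List[str]]:
    """Split a policy string into Grant objects plus any statements not understood."""
    grants, unparsed = [], []
    for stmt in policy.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = GRANT_RE.fullmatch(stmt)
        if not m:
            unparsed.append(stmt)
            continue
        realm, matchtype, name, types = m.groups()
        grants.append(Grant(realm, matchtype, name, tuple(types.upper().split())))
    return grants, unparsed


def audit_update_policy(policy: str, realm: str) -> List[str]:
    """Findings for grants wider than the default; an empty list means nothing to report."""
    grants, unparsed = parse_update_policy(policy)
    findings = [f"unrecognised rule: {s!r}" for s in unparsed]
    for g in grants:
        where = f"{g.matchtype} {g.name}"
        if g.realm != realm:
            findings.append(f"{where}: grant for foreign realm {g.realm}")
        if g.matchtype != "krb5-self":
            findings.append(f"{where}: principals may update names other than their own")
        if not g.rrtypes or "ANY" in g.rrtypes:
            findings.append(f"{where}: not limited to {'/'.join(SELF_TYPES)}")
        else:
            extra = sorted(set(g.rrtypes) - set(SELF_TYPES))
            if extra:
                findings.append(f"{where}: extra record types {extra}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the default policy plus two grants an auditor should question.
    policy = (default_update_policy("EXAMPLE.COM")
              + " grant EXAMPLE.COM krb5-subdomain * ANY;"
              + " grant OTHER.REALM krb5-self * TXT;")
    for line in audit_update_policy(policy, "EXAMPLE.COM"):
        print(line)
```

The policy string to audit can be read from `ipa dnszone-show ZONE --all --raw` (the idnsupdatepolicy attribute) and passed to audit_update_policy as-is.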
Zone Transfers and Replication
DNS zone transfers between IPA DNS servers occur automatically through LDAP replication rather than traditional DNS AXFR/IXFR mechanisms. This LDAP-based replication provides several advantages: changes propagate immediately as part of normal IPA replication, access control is managed through IPA’s LDAP ACL system, and zone consistency is guaranteed by the underlying directory replication.
For integration with external DNS servers (non-IPA secondaries), IPA supports traditional BIND zone transfers secured with TSIG keys. Zone transfer access is controlled through --allow-transfer settings specifying IP addresses, networks, or TSIG key names authorized to receive zone data. This enables IPA to serve as the master for non-IPA secondary servers in split management scenarios.
Zone transfer throttling and rate limiting follow standard BIND configuration, helping protect against resource exhaustion attacks or misconfigured secondary servers performing excessive transfers. Transfer logs are available through BIND’s query logging, providing audit trails for zone transfer activity.
Forwarders and Forwarding Policies
Global forwarders provide a default upstream DNS resolver for queries not answered authoritatively by IPA. These forwarders are typically an organization’s existing recursive resolvers or internet-facing DNS servers. Global forwarder configuration is stored in LDAP and applies to all IPA DNS servers unless overridden per-zone.
Forwarding policies determine behavior when forwarders are unavailable:
First: Query forwarders first; if they fail, perform standard recursive resolution using root hints. This policy provides resilience at the cost of potentially slower resolution when forwarders are down.
Only: Query only forwarders; if they fail, return SERVFAIL. This policy enforces strict forwarding but can cause resolution failures if forwarders are unreachable. Useful when direct internet DNS access is prohibited by policy.
None: Disable forwarding entirely for the zone. Queries perform recursive resolution from root servers or use zone delegation as appropriate. This policy is used to override global forwarding for specific zones.
Per-zone forwarding configurations override global settings, enabling different forwarding behavior for different domains. For example, internal zones might use local resolvers while external zones forward to internet-facing servers, or sensitive zones might use “only” policy while general zones use “first” for resilience.
Reverse Zones
Reverse DNS zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) provide IP address to hostname resolution. IPA can automatically create reverse zones using --name-from-ip with CIDR notation, generating the appropriate zone name for the specified network.
IPA supports automatic reverse record creation when forward records are added with --a-create-reverse or --aaaa-create-reverse flags. This automation ensures forward and reverse DNS consistency, important for many protocols and security mechanisms that validate reverse DNS.
Reverse zone delegation follows DNS standards: on octet (classful, i.e. Class A, B, C) boundaries for IPv4 and on nibble boundaries for IPv6. For networks not aligned with these natural boundaries, classless reverse delegation (RFC 2317) can be configured manually using CNAME records.
Synchronization between forward and reverse records can be enabled globally (dnsconfig-mod --allow-sync-ptr=TRUE), automatically creating or removing PTR records when A/AAAA records change. This setting simplifies administration but requires careful planning to avoid unintended PTR record modifications.
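As an added illustration (not FreeIPA code), the following Python derives the reverse zone name that --name-from-ip produces for an IPv4 or IPv6 network and the relative PTR name that --a-create-reverse or --aaaa-create-reverse would register inside it. Rejecting prefixes that are not on octet or nibble boundaries, rather than rounding them, is this example's own choice and not a documented IPA behavior.

```python
import ipaddress

# Added example (not FreeIPA code): derive the reverse zone that
# "ipa dnszone-add --name-from-ip=NETWORK" creates and the relative PTR owner
# name that --a-create-reverse / --aaaa-create-reverse registers inside it.
# Assumption (this example's choice): IPv4 prefixes must fall on octet
# boundaries and IPv6 prefixes on nibble boundaries; anything else is rejected
# and left to the manual RFC 2317 CNAME delegation the text describes.


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa or ip6.arpa zone name (with trailing dot) for a network."""
    net = ipaddress.ip_network(network, strict=True)
    bits_per_label = 8 if net.version == 4 else 4   # octet vs. nibble labels
    if net.prefixlen % bits_per_label:
        raise ValueError(
            f"{network}: prefix not on a {bits_per_label}-bit boundary; "
            "use classless (RFC 2317) delegation with CNAME records instead")
    # reverse_pointer of the network address is the full host-style name,
    # e.g. 0.2.0.192.in-addr.arpa; keep only the labels inside the prefix.
    labels = net.network_address.reverse_pointer.split(".")
    address_labels = len(labels) - 2                 # minus "in-addr"/"ip6" and "arpa"
    keep = net.prefixlen // bits_per_label
    return ".".join(labels[address_labels - keep:]) + "."


def ptr_owner_name(address: str, zone: str) -> str:
    """Relative PTR record name for ADDRESS inside ZONE (a name with trailing dot)."""
    fqdn = ipaddress.ip_address(address).reverse_pointer + "."
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{address} is not inside reverse zone {zone}")
    # Drop the zone suffix and the dot joining it to get the relative owner name.
    return fqdn[:-(len(zone) + 1)]


if __name__ == "__main__":
    # The case from this page: 192.0.2.0/24 -> 2.0.192.in-addr.arpa. and
    # 192.0.2.2 -> PTR record "2" in that zone; then the IPv6 equivalent.
    zone = reverse_zone_name("192.0.2.0/24")
    print(zone, ptr_owner_name("192.0.2.2", zone))
    zone6 = reverse_zone_name("2001:db8::/32")
    print(zone6, ptr_owner_name("2001:db8::1", zone6))
```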
EXAMPLES
Add new zone:
ipa dnszone-add example.com --admin-email=admin@example.com
Add system permission that can be used for per-zone privilege delegation:
ipa dnszone-add-permission example.com
Modify the zone to allow dynamic updates for hosts' own records in realm EXAMPLE.COM:
ipa dnszone-mod example.com --dynamic-update=TRUE
This is the equivalent of:
ipa dnszone-mod example.com --dynamic-update=TRUE \
--update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
Modify the zone to allow zone transfers for local network only:
ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
Add new reverse zone specified by network IP address:
ipa dnszone-add --name-from-ip=192.0.2.0/24
Add second nameserver for example.com:
ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
Add a mail server for example.com:
ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
Add another record using MX record specific options:
ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, or dnsrecord-del are executed with no options):
ipa dnsrecord-add example.com @
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: NS, MX, LOC
DNS resource record type: MX
MX Preference: 30
MX Exchanger: mail3
Record name: example.com
MX record: 10 mail1, 20 mail2, 30 mail3
NS record: nameserver.example.com., nameserver2.example.com.
Delete previously added nameserver from example.com:
ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
Add LOC record for example.com:
ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
Add new A record for www.example.com. Create a reverse record in the appropriate reverse zone as well. In this case a PTR record "2" pointing to www.example.com will be created in zone 2.0.192.in-addr.arpa.
ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
Add new PTR record for www.example.com:
ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
Add new SRV records for LDAP servers. Three quarters of the requests should go to fast.example.com, one quarter to slow.example.com. If neither is available, switch to backup.example.com.
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
The interactive mode can be used for easy modification:
ipa dnsrecord-mod example.com _ldap._tcp
No option to modify specific record provided.
Current DNS record contents:
SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
SRV Priority [0]: (keep the default value)
SRV Weight [1]: 2 (modified value)
SRV Port [389]: (keep the default value)
SRV Target [slow.example.com]: (keep the default value)
1 SRV record skipped. Only one value per DNS record type can be modified at one time.
Record name: _ldap._tcp
SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
After this modification, three fifths of the requests should go to fast.example.com and two fifths to slow.example.com.
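Added example (not FreeIPA code) of the RFC 2782 client-side selection that produces the fractions quoted above: priority chooses the tier, weight splits traffic within it, and backup.example.com (priority 1) is tried only when every priority-0 target is unavailable. The record sets are the ones from the dnsrecord-add and dnsrecord-mod examples; the SRV class, the "unavailable" set and the simulation helper are this example's assumptions.

```python
import random
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, List, Optional

# Added example (not FreeIPA code): RFC 2782 client-side selection over the
# _ldap._tcp SRV set from this page. It shows why weights 3:1 give the
# "three quarters / one quarter" split, why the modified 3:2 set gives
# "three fifths / two fifths", and why backup.example.com (priority 1) is
# tried only when every priority-0 target is unavailable.


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(value: str) -> SRV:
    """Parse the 'priority weight port target' form used by --srv-rec."""
    prio, weight, port, target = value.split()
    return SRV(int(prio), int(weight), int(port), target)


def _lowest_live_tier(records: List[SRV], unavailable: set) -> List[SRV]:
    """Records of the lowest priority that still has a reachable target."""
    live = [r for r in records if r.target not in unavailable]
    if not live:
        return []
    best = min(r.priority for r in live)
    return [r for r in live if r.priority == best]


def expected_share(records: Iterable[SRV],
                   unavailable: Iterable[str] = ()) -> Dict[str, Fraction]:
    """Exact fraction of first attempts each target in the active tier receives."""
    tier = _lowest_live_tier(list(records), set(unavailable))
    if not tier:
        return {}
    total = sum(r.weight for r in tier)
    if total == 0:                      # all weights 0: RFC 2782 says pick uniformly
        return {r.target: Fraction(1, len(tier)) for r in tier}
    return {r.target: Fraction(r.weight, total) for r in tier}


def pick_target(records: Iterable[SRV],
                unavailable: Iterable[str] = (),
                rng=random) -> Optional[str]:
    """One selection: lowest reachable priority, weighted random inside it."""
    tier = _lowest_live_tier(list(records), set(unavailable))
    if not tier:
        return None
    tier.sort(key=lambda r: r.weight != 0)    # weight-0 entries first, per RFC
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier).target
    # The RFC draws an integer in [0, total]; a continuous draw in [0, total)
    # is used here so small weights such as 3:1 split exactly as documented
    # (weight-0 entries are then never chosen while a weighted one exists).
    draw = rng.random() * total
    running = 0
    for r in tier:
        running += r.weight
        if running > draw:
            return r.target
    return tier[-1].target


def observed_share(records: Iterable[SRV], trials: int = 20000, seed: int = 1,
                   unavailable: Iterable[str] = ()) -> Dict[str, float]:
    """Simulate many clients and report the observed target distribution."""
    rng = random.Random(seed)
    recs = list(records)
    hits = Counter(pick_target(recs, unavailable, rng) for _ in range(trials))
    return {target: n / trials for target, n in hits.items()}


if __name__ == "__main__":
    # The two record sets shown in the interactive dnsrecord-mod example above.
    before = [parse_srv(v) for v in ("0 3 389 fast.example.com",
                                     "0 1 389 slow.example.com",
                                     "1 1 389 backup.example.com")]
    after = [parse_srv(v) for v in ("0 3 389 fast.example.com",
                                    "1 1 389 backup.example.com",
                                    "0 2 389 slow.example.com")]
    print("before:", expected_share(before), observed_share(before))
    print("after: ", expected_share(after), observed_share(after))
    print("fast and slow down:",
          expected_share(before, {"fast.example.com", "slow.example.com"}))
```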
An example of the interactive mode for the dnsrecord-del command:
ipa dnsrecord-del example.com www
No option to delete specific record provided.
Delete all? Yes/No (default No): (do not delete all records)
Current DNS record contents:
A record: 192.0.2.2, 192.0.2.3
Delete A record '192.0.2.2'? Yes/No (default No):
Delete A record '192.0.2.3'? Yes/No (default No): y
Record name: www
A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)
Show zone example.com:
ipa dnszone-show example.com
Find zone with "example" in its domain name:
ipa dnszone-find example
Find records for resources with "www" in their name in zone example.com:
ipa dnsrecord-find example.com www
Find A records with value 192.0.2.2 in zone example.com:
ipa dnsrecord-find example.com --a-rec=192.0.2.2
Show records for resource www in zone example.com:
ipa dnsrecord-show example.com www
Delegate zone sub.example to another nameserver:
ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
Delete zone example.com with all resource records:
ipa dnszone-del example.com
If a global forwarder is configured, all queries for which this server is not authoritative (e.g. sub.example.com) will be routed to the global forwarder. Global forwarding configuration can be overridden per-zone.
Semantics of forwarding in IPA matches BIND semantics and depends on the type of zone:
- Master zone: local BIND replies authoritatively to queries for data in the given zone (including authoritative NXDOMAIN answers) and forwarding affects only queries for names below zone cuts (NS records) of locally served zones.
- Forward zone: forward zone contains no authoritative data. BIND forwards queries, which cannot be answered from its local cache, to configured forwarders.
Semantics of the --forward-policy option:
- none - disable forwarding for the given zone.
- first - forward all queries to configured forwarders. If they fail, do resolution using DNS root servers.
- only - forward all queries to configured forwarders and if they fail, return failure.
Disable global forwarding for given sub-tree:
ipa dnszone-mod example.com --forward-policy=none
This configuration forwards all queries for names outside the example.com sub-tree to global forwarders. Normal recursive resolution process is used for names inside the example.com sub-tree (i.e. NS records are followed etc.).
Forward all requests for the zone external.example.com to another forwarder using a "first" policy (it will send the queries to the selected forwarder and if not answered it will use global root servers):
ipa dnsforwardzone-add external.example.com --forward-policy=first \
--forwarder=203.0.113.1
Change forward-policy for external.example.com:
ipa dnsforwardzone-mod external.example.com --forward-policy=only
Show forward zone external.example.com:
ipa dnsforwardzone-show external.example.com
List all forward zones:
ipa dnsforwardzone-find
Delete forward zone external.example.com:
ipa dnsforwardzone-del external.example.com
Resolve a host name to see if it exists (will add default IPA domain if one is not included):
ipa dns-resolve www.example.com
ipa dns-resolve www
Per-Zone Permissions and Delegation
IPA supports fine-grained DNS administration through per-zone permissions. The dnszone-add-permission command creates a system permission allowing delegated administrators to manage a specific zone without granting access to other zones or broader IPA privileges.
Per-zone permissions enable organizational delegation scenarios: the web team manages web.example.com zone, the email team manages mail.example.com zone, and the network team manages reverse zones. Each team can add, modify, and delete records within their assigned zones without interfering with other zones.
Permission-based delegation integrates with IPA’s role-based access control system. Administrators create roles that include zone-specific permissions, then assign those roles to users or groups. This creates auditable delegation hierarchies where permission changes are tracked through role membership.
DNSSEC Support
IPA DNS integrates with BIND’s DNSSEC implementation, supporting signed zones with automated key management. DNSSEC provides cryptographic authentication of DNS responses, protecting against cache poisoning and man-in-the-middle attacks on DNS queries.
When DNSSEC is enabled for a zone, IPA automatically manages key generation, key rotation, and signature maintenance. Zone signing keys (ZSK) and key signing keys (KSK) are generated and rotated according to configured policies. Parent zone DS records must be manually configured to complete the DNSSEC chain of trust.
DNSSEC validation for forwarded zones requires careful configuration. IPA’s BIND configuration must trust the forwarder’s DNSSEC responses or validation must be disabled for specific forwarded zones to prevent validation failures.
Integration with IPA Infrastructure
IPA automatically maintains DNS records critical for infrastructure operation. When IPA servers are installed with DNS enabled, SRV records for Kerberos (_kerberos), LDAP (_ldap), and other services are created automatically. These records enable clients to discover IPA services without explicit configuration.
Location-based service records support geographically distributed IPA deployments. When IPA locations are configured and hosts are assigned to locations, IPA creates location-specific SRV records enabling clients to preferentially connect to nearby servers. The dns-update-system-records command regenerates these infrastructure records after topology changes.
When hosts are enrolled with DNS integration (ipa host-add --ip-address or client-side dynamic updates), A and AAAA records are automatically created and maintained. SSHFP records can be automatically published when hosts have SSH public keys in their LDAP entries, enabling DNS-based SSH host key verification.
Global DNS Configuration
DNS configuration consists of server-local settings (configured during installation, stored in /etc/named.conf) and global settings (stored in LDAP, accessible via dnsconfig-* commands). Global settings override local configuration and apply uniformly across all IPA DNS servers.
Common global configurations include:
- Global forwarders: Upstream DNS servers for recursive queries
- Forward policy: Default forwarding behavior (first, only, none)
- PTR synchronization: Automatic reverse record management for forward records
Show global DNS configuration:
ipa dnsconfig-show
Modify global DNS configuration to set forwarders:
ipa dnsconfig-mod --forwarder=203.0.113.113
Set multiple global forwarders with custom ports:
ipa dnsconfig-mod --forwarder=203.0.113.113 --forwarder="203.0.113.114 port 5353"
Configure global forward policy:
ipa dnsconfig-mod --forward-policy=first
Enable automatic PTR record synchronization:
ipa dnsconfig-mod --allow-sync-ptr=TRUE
Best Practices
Zone Design and Organization
Align zones with organizational structure: Create separate zones for different departments, applications, or environments (production, staging, development). This enables delegation to appropriate teams and isolates changes to specific organizational units.
Use subdomains for scalability: Rather than placing all records in a single large zone, create subdomains (web.example.com, api.example.com) for major functional areas. Smaller zones are easier to manage, delegate, and troubleshoot.
Plan reverse zones carefully: Create reverse zones for all allocated IP space. Consistent reverse DNS is required by many protocols (SMTP, SSH, Kerberos) and missing reverse records can cause authentication failures or service degradation.
Document zone delegation: Maintain clear records of which teams or individuals are responsible for each zone. This documentation aids incident response and prevents conflicting changes.
Record Management
Use structured options for complex records: Prefer --mx-preference --mx-exchanger over --mx-rec raw format. Structured options provide validation and prevent syntax errors that can break DNS resolution.
Leverage automatic reverse record creation: Use --a-create-reverse when adding A records to automatically maintain forward and reverse consistency. This prevents reverse DNS mismatches.
Test changes before committing: Use dnsrecord-show to verify records after adding or modifying them. DNS errors can be difficult to diagnose after the fact.
Minimize TTL for records undergoing changes: Lower TTL values (300-900 seconds) during planned changes reduce cache-related delays. Restore higher TTLs (3600+ seconds) after changes stabilize to reduce query load.
Dynamic Updates and Security
Restrict dynamic update permissions: Only enable dynamic updates (--dynamic-update=TRUE) for zones where hosts legitimately need to self-register. Unrestricted dynamic updates can enable DNS poisoning attacks.
Review update policies regularly: Default update policies use krb5-self to restrict updates to the owning host. Custom policies should be regularly audited to ensure they haven’t become overly permissive.
Monitor dynamic update activity: Review BIND logs for unexpected update patterns. Unusual update volumes or updates from unexpected principals may indicate misconfiguration or attacks.
Use TSIG for external zone transfers: When allowing zone transfers to non-IPA servers, use TSIG keys rather than IP-based restrictions alone. TSIG provides cryptographic authentication preventing unauthorized zone transfers.
Forwarder Configuration
Use reliable forwarders: Global forwarders should be highly available and geographically close to IPA servers. Forwarder failures impact all non-authoritative queries.
Set appropriate forward policies: Use “first” policy for general resilience, allowing fallback to recursive resolution. Reserve “only” policy for scenarios where policy requires queries to stay within specific infrastructure.
Monitor forwarder performance: Track query resolution times and failure rates for forwarders. Degraded forwarder performance impacts all DNS-dependent services.
Override global forwarding selectively: Use per-zone forwarding to route sensitive domains through specific forwarders or to disable forwarding for zones requiring direct recursive resolution.
DNSSEC Deployment
Enable DNSSEC incrementally: Start with non-critical zones to gain operational experience before enabling DNSSEC on critical infrastructure zones.
Automate DS record updates: Coordinate with parent zone administrators to establish automated DS record updates. Manual DS updates delay key rollovers and risk DNSSEC validation failures.
Monitor DNSSEC validation failures: Deploy monitoring for DNSSEC validation failures. Invalid signatures or missing trust chain elements cause resolution failures that may not be immediately obvious.
Plan for key rollover: Establish procedures for both routine automated key rollovers and emergency rollovers in case of key compromise. Test rollover procedures in non-production environments.
Operational Practices
Maintain DNS documentation: Document zone purposes, record type usage, delegation boundaries, and special configurations. DNS is often modified by multiple administrators; clear documentation prevents conflicts.
Use version control for zone planning: Track intended zone changes in version control before applying them. This provides audit history and rollback capability for configuration errors.
Implement change management for DNS: Require review and approval for changes to critical zones (IPA infrastructure zones, mail zones). DNS errors can cause widespread service disruption.
Regularly validate infrastructure records: Use dns-update-system-records to verify and regenerate IPA infrastructure SRV records after server additions, removals, or topology changes.
Audit zone permissions periodically: Review per-zone permissions and role assignments regularly. Remove permissions for staff who change roles or leave the organization.
Plan for DNS server outages: Ensure sufficient IPA DNS servers are deployed for redundancy. Clients should have multiple nameservers configured in resolv.conf.
Test DNS resolution from client perspective: Regularly query DNS from client systems to verify proper resolution, forwarder behavior, and infrastructure record functionality.
Integration and Automation
Integrate DNS with provisioning workflows: Configuration management tools (Ansible, Puppet) should create DNS records as part of host provisioning. This ensures DNS consistency with deployed infrastructure.
Use dns-resolve for validation: After creating or modifying records, use ipa dns-resolve to verify resolution from the IPA server perspective before declaring changes complete.
Coordinate with DHCP: If using dynamic DNS updates triggered by DHCP, ensure DHCP and DNS configurations are synchronized. Mismatched configurations cause failed updates.
Automate reverse zone creation: Script reverse zone creation for new network allocations to ensure reverse zones exist before hosts are added to those networks.
Integration with Other IPA Components
Host Enrollment
Hosts enrolled with ipa host-add --ip-address or ipa-client-install --ip-address automatically receive DNS A/AAAA records. Hosts using dynamic DNS updates via SSSD automatically update their records when IP addresses change.
Service Discovery
SRV records enable IPA clients to discover LDAP servers, Kerberos KDCs, certificate authorities, and NTP servers without explicit configuration. IPA automatically maintains these SRV records as topology changes.
SSH Integration
SSHFP records published to DNS enable SSH clients to verify host keys using DNS rather than known_hosts files. When combined with DNSSEC, this provides strong verification of SSH host identity.
Certificate Management
CAA records restrict which certificate authorities can issue certificates for domains under IPA management. TLSA records (DANE) publish certificate fingerprints in DNS for additional certificate validation.
Trust Relationships
When trusts with Active Directory are established, DNS forwarders or conditional forwarding ensure IPA servers can resolve AD domain names. Proper DNS configuration is critical for trust functionality.
Commands
Command Description
dns-update-system-records Update location and IPA server DNS records
dnsconfig-mod Modify global DNS configuration.
dnsconfig-show Show the current global DNS configuration.
dnsforwardzone-add Create new DNS forward zone.
dnsforwardzone-add-permission Add a permission for per-forward zone access delegation.
dnsforwardzone-del Delete DNS forward zone.
dnsforwardzone-disable Disable DNS Forward Zone.
dnsforwardzone-enable Enable DNS Forward Zone.
dnsforwardzone-find Search for DNS forward zones.
dnsforwardzone-mod Modify DNS forward zone.
dnsforwardzone-remove-permission Remove a permission for per-forward zone access delegation.
dnsforwardzone-show Display information about a DNS forward zone.
dnsrecord-add Add new DNS resource record.
dnsrecord-del Delete DNS resource record.
dnsrecord-find Search for DNS resources.
dnsrecord-mod Modify a DNS resource record.
dnsrecord-show Display DNS resource.
dnsserver-add Add a new DNS server.
dnsserver-del Delete a DNS server
dnsserver-find Search for DNS servers.
dnsserver-mod Modify DNS server configuration
dnsserver-show Display configuration of a DNS server.
dnszone-add Create new DNS zone (SOA record).
dnszone-add-permission Add a permission for per-zone access delegation.
dnszone-del Delete DNS zone (SOA record).
dnszone-disable Disable DNS Zone.
dnszone-enable Enable DNS Zone.
dnszone-find Search for DNS zones (SOA records).
dnszone-mod Modify DNS zone (SOA record).
dnszone-remove-permission Remove a permission for per-zone access delegation.
dnszone-show Display information about a DNS zone (SOA record).
dns-update-system-records
Usage: ipa [global-options] dns-update-system-records [options]
Update location and IPA server DNS records
Options
Option Description
--dry-run Do not update records only return expected records
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
dnsconfig-mod
Usage: ipa [global-options] dnsconfig-mod [options]
Modify global DNS configuration.
Options
Option Description
--forwarder FORWARDER Global forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Global forwarding policy. Set to “none” to disable any configured global forwarders.
--allow-sync-ptr ALLOW-SYNC-PTR Allow synchronization of forward (A, AAAA) and reverse (PTR) records
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
dnsconfig-show
Usage: ipa [global-options] dnsconfig-show [options]
Show the current global DNS configuration.
Options
Option Description
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsforwardzone-add
Usage: ipa [global-options] dnsforwardzone-add NAME [options]
Create new DNS forward zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--skip-overlap-check Force DNS zone creation even if it will overlap
with an existing zone.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
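The global forwarder options of dnsconfig-mod and the per-zone options of dnsforwardzone-add share one forwarder format ("IP_ADDRESS port PORT") and one set of policy values. As an added example, not code from the FreeIPA project or from this reference, the script below validates each forwarder against that format, accepts only the policy values the CLI takes (only, first, none), and emits the matching ipa command. The policy is the security-relevant choice: with "first", BIND falls back to iterative resolution from the root when the forwarders do not answer, which silently bypasses a filtering or logging resolver, whereas "only" fails closed. The addresses and the zone name in the demo are constructed; DRY_RUN=1 (the default) prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): build validated forwarder
# configuration commands. DRY_RUN=1 prints the command, DRY_RUN=0 runs it.
DRY_RUN="${DRY_RUN:-1}"

run_ipa() {
  [ "$DRY_RUN" = 1 ] || { ipa "$@"; return; }
  cmd="ipa $1"; shift
  for a in "$@"; do cmd="$cmd '$a'"; done
  printf '%s\n' "$cmd"
}

# Accept "IP" or "IP port PORT", the format documented for --forwarder.
# The address test is a shape check only: dotted digits for IPv4, hex
# digits and colons for IPv6. Hostnames are rejected: forwarders are IPs.
valid_forwarder() {
  case "$1" in
    *" port "*) ip="${1%%" port "*}"; port="${1##*" port "}" ;;
    *)          ip="$1"; port="" ;;
  esac
  case "$ip" in
    '')      return 1 ;;
    *:*)     case "$ip" in *[!0-9A-Fa-f:]*) return 1 ;; esac ;;
    *.*.*.*) case "$ip" in *[!0-9.]*) return 1 ;; esac ;;
    *)       return 1 ;;
  esac
  [ -z "$port" ] && return 0
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
}

# "only" fails closed when the forwarders are unreachable; "first" lets BIND
# fall back to iterative resolution and so bypasses a filtering resolver.
valid_policy() {
  case "$1" in only|first|none) return 0 ;; *) echo "bad forward policy: $1" >&2; return 1 ;; esac
}

# usage: forwarding_cmd SUBCOMMAND TARGET POLICY FORWARDER...
# TARGET is the zone name for dnsforwardzone-add, empty for dnsconfig-mod.
forwarding_cmd() {
  sub="$1"; target="$2"; policy="$3"; shift 3
  valid_policy "$policy" || return 1
  n=$#
  while [ "$n" -gt 0 ]; do          # rewrite each forwarder as --forwarder=...
    valid_forwarder "$1" || { echo "rejected forwarder: $1" >&2; return 1; }
    set -- "$@" "--forwarder=$1"; shift; n=$((n - 1))
  done
  if [ -n "$target" ]; then run_ipa "$sub" "$target" "--forward-policy=$policy" "$@"
  else run_ipa "$sub" "--forward-policy=$policy" "$@"; fi
}

set_global_forwarders() { forwarding_cmd dnsconfig-mod '' "$@"; }   # POLICY FWD...
add_forward_zone()      { forwarding_cmd dnsforwardzone-add "$@"; } # ZONE POLICY FWD...

# Demo with constructed addresses; prints the commands under DRY_RUN=1.
set_global_forwarders only '10.0.0.53' '10.0.0.54 port 5353'
add_forward_zone corp.example.net. only '192.0.2.10'
```

Run with DRY_RUN=0 on an IPA server with a valid Kerberos ticket to apply the commands; the --forward-policy=none case is the documented way to stop a zone from using the global forwarders at all.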
dnsforwardzone-add-permission
Usage:
ipa [global-options] dnsforwardzone-add-permission NAME [options]
Add a permission for per-forward zone access delegation.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnsforwardzone-del
Usage: ipa [global-options] dnsforwardzone-del NAME [options]
Delete DNS forward zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
dnsforwardzone-disable
Usage: ipa [global-options] dnsforwardzone-disable NAME [options]
Disable DNS Forward Zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnsforwardzone-enable
Usage: ipa [global-options] dnsforwardzone-enable NAME [options]
Enable DNS Forward Zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnsforwardzone-find
Usage:
ipa [global-options] dnsforwardzone-find [CRITERIA] [options]
Search for DNS forward zones.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--name NAME Zone name (FQDN)
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--zone-active ZONE-ACTIVE Is zone active?
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“name”)
dnsforwardzone-mod
Usage: ipa [global-options] dnsforwardzone-mod NAME [options]
Modify DNS forward zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated last, after all sets and adds.
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsforwardzone-remove-permission
Usage:
ipa [global-options] dnsforwardzone-remove-permission NAME [options]
Remove a permission for per-forward zone access delegation.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnsforwardzone-show
Usage: ipa [global-options] dnsforwardzone-show NAME [options]
Display information about a DNS forward zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsrecord-add
Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]
Add new DNS resource record.
Arguments
Argument Required Description
DNSZONE yes Zone name (FQDN)
NAME yes Record name
Options
Option Description
--ttl TTL Time to live
--a-rec A-REC Raw A records
--a-ip-address A-IP-ADDRESS A IP Address
--a-create-reverse Create reverse record for this IP Address
--aaaa-rec AAAA-REC Raw AAAA records
--aaaa-ip-address AAAA-IP-ADDRESS AAAA IP Address
--aaaa-create-reverse Create reverse record for this IP Address
--a6-rec A6-REC Raw A6 records
--a6-data A6-DATA A6 Record data
--afsdb-rec AFSDB-REC Raw AFSDB records
--afsdb-subtype AFSDB-SUBTYPE AFSDB Subtype
--afsdb-hostname AFSDB-HOSTNAME AFSDB Hostname
--cert-rec CERT-REC Raw CERT records
--cert-type CERT-TYPE CERT Certificate Type
--cert-key-tag CERT-KEY-TAG CERT Key Tag
--cert-algorithm CERT-ALGORITHM CERT Algorithm
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRL CERT Certificate/CRL
--cname-rec CNAME-REC Raw CNAME records
--cname-hostname CNAME-HOSTNAME A hostname which this alias hostname points to
--dlv-rec DLV-REC Raw DLV records
--dlv-key-tag DLV-KEY-TAG DLV Key Tag
--dlv-algorithm DLV-ALGORITHM DLV Algorithm
--dlv-digest-type DLV-DIGEST-TYPE DLV Digest Type
--dlv-digest DLV-DIGEST DLV Digest
--dname-rec DNAME-REC Raw DNAME records
--dname-target DNAME-TARGET DNAME Target
--ds-rec DS-REC Raw DS records
--ds-key-tag DS-KEY-TAG DS Key Tag
--ds-algorithm DS-ALGORITHM DS Algorithm
--ds-digest-type DS-DIGEST-TYPE DS Digest Type
--ds-digest DS-DIGEST DS Digest
--kx-rec KX-REC Raw KX records
--kx-preference KX-PREFERENCE Preference given to this exchanger. Lower values
are more preferred
--kx-exchanger KX-EXCHANGER A host willing to act as a key exchanger
--loc-rec LOC-REC Raw LOC records
--loc-lat-deg LOC-LAT-DEG LOC Degrees Latitude
--loc-lat-min LOC-LAT-MIN LOC Minutes Latitude
--loc-lat-sec LOC-LAT-SEC LOC Seconds Latitude
--loc-lat-dir LOC-LAT-DIR LOC Direction Latitude
--loc-lon-deg LOC-LON-DEG LOC Degrees Longitude
--loc-lon-min LOC-LON-MIN LOC Minutes Longitude
--loc-lon-sec LOC-LON-SEC LOC Seconds Longitude
--loc-lon-dir LOC-LON-DIR LOC Direction Longitude
--loc-altitude LOC-ALTITUDE LOC Altitude
--loc-size LOC-SIZE LOC Size
--loc-h-precision LOC-H-PRECISION LOC Horizontal Precision
--loc-v-precision LOC-V-PRECISION LOC Vertical Precision
--mx-rec MX-REC Raw MX records
--mx-preference MX-PREFERENCE Preference given to this exchanger. Lower values
are more preferred
--mx-exchanger MX-EXCHANGER A host willing to act as a mail exchanger
--naptr-rec NAPTR-REC Raw NAPTR records
--naptr-order NAPTR-ORDER NAPTR Order
--naptr-preference NAPTR-PREFERENCE NAPTR Preference
--naptr-flags NAPTR-FLAGS NAPTR Flags
--naptr-service NAPTR-SERVICE NAPTR Service
--naptr-regexp NAPTR-REGEXP NAPTR Regular Expression
--naptr-replacement NAPTR-REPLACEMENT NAPTR Replacement
--ns-rec NS-REC Raw NS records
--ns-hostname NS-HOSTNAME NS Hostname
--ptr-rec PTR-REC Raw PTR records
--ptr-hostname PTR-HOSTNAME The hostname this reverse record points to
--srv-rec SRV-REC Raw SRV records
--srv-priority SRV-PRIORITY Lower number means higher priority. Clients will
attempt to contact the server with the
lowest-numbered priority they can reach.
--srv-weight SRV-WEIGHT Relative weight for entries with the same
priority.
--srv-port SRV-PORT SRV Port
--srv-target SRV-TARGET The domain name of the target host or '.' if
the service is decidedly not available at this
domain
--sshfp-rec SSHFP-REC Raw SSHFP records
--sshfp-algorithm SSHFP-ALGORITHM SSHFP Algorithm
--sshfp-fp-type SSHFP-FP-TYPE SSHFP Fingerprint Type
--sshfp-fingerprint SSHFP-FINGERPRINT SSHFP Fingerprint
--tlsa-rec TLSA-REC Raw TLSA records
--tlsa-cert-usage TLSA-CERT-USAGE TLSA Certificate Usage
--tlsa-selector TLSA-SELECTOR TLSA Selector
--tlsa-matching-type TLSA-MATCHING-TYPE TLSA Matching Type
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATA TLSA Certificate Association Data
--txt-rec TXT-REC Raw TXT records
--txt-data TXT-DATA TXT Text Data
--uri-rec URI-REC Raw URI records
--uri-priority URI-PRIORITY Lower number means higher priority. Clients will
attempt to contact the URI with the
lowest-numbered priority they can reach.
--uri-weight URI-WEIGHT Relative weight for entries with the same
priority.
--uri-target URI-TARGET Target Uniform Resource Identifier according to
RFC 3986
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--force force NS record creation even if its hostname is
not in DNS
--structured Parse all raw DNS records and return them in a
structured way
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
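SSHFP records let OpenSSH clients with VerifyHostKeyDNS enabled check a host key against DNS, which is only trustworthy when the zone is DNSSEC-signed and the client's resolver validates the answer. The script below is an added example, not part of FreeIPA or of this reference: it reads the lines printed by ssh-keygen -r (format OWNER IN SSHFP ALG FPTYPE HEX), publishes only SHA-256 fingerprints for RSA, ECDSA and Ed25519 keys, and calls dnsrecord-add with the --sshfp-* options listed above. The sample ssh-keygen output is constructed, not real key data; DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): publish SSHFP records for a host
# from `ssh-keygen -r HOST -f KEYFILE.pub` output. DRY_RUN=1 prints commands.
DRY_RUN="${DRY_RUN:-1}"

run_ipa() {
  [ "$DRY_RUN" = 1 ] || { ipa "$@"; return; }
  cmd="ipa $1"; shift
  for a in "$@"; do cmd="$cmd '$a'"; done
  printf '%s\n' "$cmd"
}

# Read "OWNER IN SSHFP ALG FPTYPE HEX" lines on stdin and add one record per
# line. Only SHA-256 fingerprints (type 2) are published; SHA-1 lines (type 1)
# and DSA keys (algorithm 2) are skipped. Returns 1 on malformed input or if
# nothing was published.
sshfp_add_from_keygen() {
  zone="$1"; name="$2"; added=0
  while read -r owner class rtype alg fptype fp; do
    [ "$class" = IN ] && [ "$rtype" = SSHFP ] || continue
    case "$alg" in
      1|3|4) ;;                       # RSA, ECDSA, Ed25519
      2) continue ;;                  # DSA: do not advertise
      *) echo "unknown SSHFP algorithm: $alg" >&2; return 1 ;;
    esac
    case "$fptype" in
      1) continue ;;                  # SHA-1 fingerprint: skip
      2) ;;
      *) echo "unknown fingerprint type: $fptype" >&2; return 1 ;;
    esac
    case "$fp" in
      ''|*[!0-9A-Fa-f]*) echo "fingerprint is not hex: $fp" >&2; return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || { echo "SHA-256 fingerprint must be 64 hex digits" >&2; return 1; }
    run_ipa dnsrecord-add "$zone" "$name" "--sshfp-algorithm=$alg" \
      "--sshfp-fp-type=$fptype" "--sshfp-fingerprint=$fp" || return 1
    added=$((added + 1))
  done
  [ "$added" -gt 0 ]
}

# Constructed sample in the format ssh-keygen -r prints (not real key data).
SAMPLE_KEYGEN_OUTPUT='host1.example.com IN SSHFP 4 1 0123456789abcdef0123456789abcdef01234567
host1.example.com IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Demo. In production feed the real output instead, e.g.
#   ssh-keygen -r host1.example.com -f /etc/ssh/ssh_host_ed25519_key.pub
printf '%s\n' "$SAMPLE_KEYGEN_OUTPUT" | sshfp_add_from_keygen example.com. host1
```

The record name passed to dnsrecord-add is the label relative to the zone (host1 in example.com.), not the FQDN that ssh-keygen prints in the owner column. After a key rotation, remove the stale fingerprint with dnsrecord-del --sshfp-rec before adding the new one so clients never see two Ed25519 fingerprints for the same host.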
dnsrecord-del
Usage: ipa [global-options] dnsrecord-del DNSZONE NAME [options]
Delete DNS resource record.
Arguments
Argument Required Description
DNSZONE yes Zone name (FQDN)
NAME yes Record name
Options
Option Description
--ttl TTL Time to live
--a-rec A-REC Raw A records
--aaaa-rec AAAA-REC Raw AAAA records
--a6-rec A6-REC Raw A6 records
--afsdb-rec AFSDB-REC Raw AFSDB records
--cert-rec CERT-REC Raw CERT records
--cname-rec CNAME-REC Raw CNAME records
--dlv-rec DLV-REC Raw DLV records
--dname-rec DNAME-REC Raw DNAME records
--ds-rec DS-REC Raw DS records
--kx-rec KX-REC Raw KX records
--loc-rec LOC-REC Raw LOC records
--mx-rec MX-REC Raw MX records
--naptr-rec NAPTR-REC Raw NAPTR records
--ns-rec NS-REC Raw NS records
--ptr-rec PTR-REC Raw PTR records
--srv-rec SRV-REC Raw SRV records
--sshfp-rec SSHFP-REC Raw SSHFP records
--tlsa-rec TLSA-REC Raw TLSA records
--txt-rec TXT-REC Raw TXT records
--uri-rec URI-REC Raw URI records
--del-all Delete all associated records
--structured Parse all raw DNS records and return them in a
structured way
--raw Print entries as stored on the server. Only
affects output format.
dnsrecord-find
Usage:
ipa [global-options] dnsrecord-find DNSZONE [CRITERIA] [options]
Search for DNS resources.
Arguments
Argument Required Description
DNSZONE yes Zone name (FQDN)
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--name NAME Record name
--ttl TTL Time to live
--a-rec A-REC Raw A records
--aaaa-rec AAAA-REC Raw AAAA records
--a6-rec A6-REC Raw A6 records
--afsdb-rec AFSDB-REC Raw AFSDB records
--cert-rec CERT-REC Raw CERT records
--cname-rec CNAME-REC Raw CNAME records
--dlv-rec DLV-REC Raw DLV records
--dname-rec DNAME-REC Raw DNAME records
--ds-rec DS-REC Raw DS records
--kx-rec KX-REC Raw KX records
--loc-rec LOC-REC Raw LOC records
--mx-rec MX-REC Raw MX records
--naptr-rec NAPTR-REC Raw NAPTR records
--ns-rec NS-REC Raw NS records
--ptr-rec PTR-REC Raw PTR records
--srv-rec SRV-REC Raw SRV records
--sshfp-rec SSHFP-REC Raw SSHFP records
--tlsa-rec TLSA-REC Raw TLSA records
--txt-rec TXT-REC Raw TXT records
--uri-rec URI-REC Raw URI records
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--structured Parse all raw DNS records and return them in a
structured way
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“name”)
dnsrecord-mod
Usage: ipa [global-options] dnsrecord-mod DNSZONE NAME [options]
Modify a DNS resource record.
Arguments
Argument Required Description
DNSZONE yes Zone name (FQDN)
NAME yes Record name
Options
Option Description
--ttl TTL Time to live
--a-rec A-REC Raw A records
--a-ip-address A-IP-ADDRESS A IP Address
--aaaa-rec AAAA-REC Raw AAAA records
--aaaa-ip-address AAAA-IP-ADDRESS AAAA IP Address
--a6-rec A6-REC Raw A6 records
--a6-data A6-DATA A6 Record data
--afsdb-rec AFSDB-REC Raw AFSDB records
--afsdb-subtype AFSDB-SUBTYPE AFSDB Subtype
--afsdb-hostname AFSDB-HOSTNAME AFSDB Hostname
--cert-rec CERT-REC Raw CERT records
--cert-type CERT-TYPE CERT Certificate Type
--cert-key-tag CERT-KEY-TAG CERT Key Tag
--cert-algorithm CERT-ALGORITHM CERT Algorithm
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRL CERT Certificate/CRL
--cname-rec CNAME-REC Raw CNAME records
--cname-hostname CNAME-HOSTNAME A hostname which this alias hostname points to
--dlv-rec DLV-REC Raw DLV records
--dlv-key-tag DLV-KEY-TAG DLV Key Tag
--dlv-algorithm DLV-ALGORITHM DLV Algorithm
--dlv-digest-type DLV-DIGEST-TYPE DLV Digest Type
--dlv-digest DLV-DIGEST DLV Digest
--dname-rec DNAME-REC Raw DNAME records
--dname-target DNAME-TARGET DNAME Target
--ds-rec DS-REC Raw DS records
--ds-key-tag DS-KEY-TAG DS Key Tag
--ds-algorithm DS-ALGORITHM DS Algorithm
--ds-digest-type DS-DIGEST-TYPE DS Digest Type
--ds-digest DS-DIGEST DS Digest
--kx-rec KX-REC Raw KX records
--kx-preference KX-PREFERENCE Preference given to this exchanger. Lower values
are more preferred
--kx-exchanger KX-EXCHANGER A host willing to act as a key exchanger
--loc-rec LOC-REC Raw LOC records
--loc-lat-deg LOC-LAT-DEG LOC Degrees Latitude
--loc-lat-min LOC-LAT-MIN LOC Minutes Latitude
--loc-lat-sec LOC-LAT-SEC LOC Seconds Latitude
--loc-lat-dir LOC-LAT-DIR LOC Direction Latitude
--loc-lon-deg LOC-LON-DEG LOC Degrees Longitude
--loc-lon-min LOC-LON-MIN LOC Minutes Longitude
--loc-lon-sec LOC-LON-SEC LOC Seconds Longitude
--loc-lon-dir LOC-LON-DIR LOC Direction Longitude
--loc-altitude LOC-ALTITUDE LOC Altitude
--loc-size LOC-SIZE LOC Size
--loc-h-precision LOC-H-PRECISION LOC Horizontal Precision
--loc-v-precision LOC-V-PRECISION LOC Vertical Precision
--mx-rec MX-REC Raw MX records
--mx-preference MX-PREFERENCE Preference given to this exchanger. Lower values
are more preferred
--mx-exchanger MX-EXCHANGER A host willing to act as a mail exchanger
--naptr-rec NAPTR-REC Raw NAPTR records
--naptr-order NAPTR-ORDER NAPTR Order
--naptr-preference NAPTR-PREFERENCE NAPTR Preference
--naptr-flags NAPTR-FLAGS NAPTR Flags
--naptr-service NAPTR-SERVICE NAPTR Service
--naptr-regexp NAPTR-REGEXP NAPTR Regular Expression
--naptr-replacement NAPTR-REPLACEMENT NAPTR Replacement
--ns-rec NS-REC Raw NS records
--ns-hostname NS-HOSTNAME NS Hostname
--ptr-rec PTR-REC Raw PTR records
--ptr-hostname PTR-HOSTNAME The hostname this reverse record points to
--srv-rec SRV-REC Raw SRV records
--srv-priority SRV-PRIORITY Lower number means higher priority. Clients will
attempt to contact the server with the
lowest-numbered priority they can reach.
--srv-weight SRV-WEIGHT Relative weight for entries with the same
priority.
--srv-port SRV-PORT SRV Port
--srv-target SRV-TARGET The domain name of the target host or '.' if
the service is decidedly not available at this
domain
--sshfp-rec SSHFP-REC Raw SSHFP records
--sshfp-algorithm SSHFP-ALGORITHM SSHFP Algorithm
--sshfp-fp-type SSHFP-FP-TYPE SSHFP Fingerprint Type
--sshfp-fingerprint SSHFP-FINGERPRINT SSHFP Fingerprint
--tlsa-rec TLSA-REC Raw TLSA records
--tlsa-cert-usage TLSA-CERT-USAGE TLSA Certificate Usage
--tlsa-selector TLSA-SELECTOR TLSA Selector
--tlsa-matching-type TLSA-MATCHING-TYPE TLSA Matching Type
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATA TLSA Certificate Association Data
--txt-rec TXT-REC Raw TXT records
--txt-data TXT-DATA TXT Text Data
--uri-rec URI-REC Raw URI records
--uri-priority URI-PRIORITY Lower number means higher priority. Clients will
attempt to contact the URI with the
lowest-numbered priority they can reach.
--uri-weight URI-WEIGHT Relative weight for entries with the same
priority.
--uri-target URI-TARGET Target Uniform Resource Identifier according to
RFC 3986
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires
—all). See ipa man page for details.
--structured Parse all raw DNS records and return them in a
structured way
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--rename RENAME Rename the DNS resource record object
dnsrecord-show
Usage: ipa [global-options] dnsrecord-show DNSZONE NAME [options]
Display DNS resource.
Arguments
Argument Required Description
DNSZONE yes Zone name (FQDN)
NAME yes Record name
Options
Option Description
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--structured Parse all raw DNS records and return them in a
structured way
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsserver-add
Usage: ipa [global-options] dnsserver-add HOSTNAME [options]
Add a new DNS server.
Arguments
Argument Required Description
HOSTNAME yes DNS Server name
Options
Option Description
--soa-mname-override SOA-MNAME-OVERRIDE SOA mname (authoritative server) override
--forwarder FORWARDER Per-server forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-server conditional forwarding policy. Set to
“none” to disable forwarding to the global
forwarders on this server. In that case,
conditional zone forwarders are disregarded.
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsserver-del
Usage: ipa [global-options] dnsserver-del HOSTNAME [options]
Delete a DNS server
Arguments
Argument Required Description
HOSTNAME yes DNS Server name
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
dnsserver-find
Usage: ipa [global-options] dnsserver-find [CRITERIA] [options]
Search for DNS servers.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--hostname HOSTNAME DNS Server name
--soa-mname-override SOA-MNAME-OVERRIDE SOA mname (authoritative server) override
--forwarder FORWARDER Per-server forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-server conditional forwarding policy. Set to
“none” to disable forwarding to the global
forwarders on this server. In that case,
conditional zone forwarders are disregarded.
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“hostname”)
dnsserver-mod
Usage: ipa [global-options] dnsserver-mod HOSTNAME [options]
Modify DNS server configuration
Arguments
Argument Required Description
HOSTNAME yes DNS Server name
Options
Option Description
--soa-mname-override SOA-MNAME-OVERRIDE SOA mname (authoritative server) override
--forwarder FORWARDER Per-server forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-server conditional forwarding policy. Set to
“none” to disable forwarding to the global
forwarders on this server. In that case,
conditional zone forwarders are disregarded.
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated last, after all sets and adds.
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnsserver-show
Usage: ipa [global-options] dnsserver-show HOSTNAME [options]
Display configuration of a DNS server.
Arguments
Argument Required Description
HOSTNAME yes DNS Server name
Options
Option Description
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnszone-add
Usage: ipa [global-options] dnszone-add NAME [options]
Create new DNS zone (SOA record).
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--name-server NAME-SERVER Authoritative nameserver domain name
--admin-email ADMIN-EMAIL Administrator e-mail address
--refresh REFRESH SOA record refresh time
--retry RETRY SOA record retry time
--expire EXPIRE SOA record expire time
--minimum MINIMUM How long should negative responses be cached
--ttl TTL Time to live for records at zone apex
--default-ttl DEFAULT-TTL Time to live for records without explicit TTL
definition
--update-policy UPDATE-POLICY BIND update policy
--dynamic-update DYNAMIC-UPDATE Allow dynamic updates.
--allow-query ALLOW-QUERY Semicolon separated list of IP addresses or
networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFER Semicolon separated list of IP addresses or
networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTR Allow synchronization of forward (A, AAAA) and
reverse (PTR) records in the zone
--dnssec DNSSEC Allow inline DNSSEC signing of records in the
zone
--nsec3param-rec NSEC3PARAM-REC NSEC3PARAM record for zone in format:
hash_algorithm flags iterations salt
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--skip-overlap-check Force DNS zone creation even if it will overlap
with an existing zone.
--force Force DNS zone creation even if nameserver is not
resolvable. (Deprecated)
--skip-nameserver-check Force DNS zone creation even if nameserver is not
resolvable.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
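dnszone-add takes the zone's query and transfer ACLs, its dynamic-update switch and its BIND update policy in one call, which is where a zone is either locked down or left open. The script below is an added example, not FreeIPA project code: it validates the semicolon-separated ACLs, refuses a transfer ACL of "any" (an open AXFR hands an attacker every host name in the zone), installs a Kerberos-only krb5-self update policy in the form FreeIPA itself uses for its primary zone, and derives the matching reverse zone with a krb5-subdomain PTR policy. The realm, zone and network values are constructed; DRY_RUN=1 prints the commands instead of running them. Turning on inline signing afterwards (dnszone-mod --dnssec=TRUE) additionally requires a DNSSEC key master in the deployment.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): create a master zone and its
# reverse zone with restricted query/transfer ACLs and a Kerberos-only
# dynamic update policy. DRY_RUN=1 prints the commands, DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run_ipa() {
  [ "$DRY_RUN" = 1 ] || { ipa "$@"; return; }
  cmd="ipa $1"; shift
  for a in "$@"; do cmd="$cmd '$a'"; done
  printf '%s\n' "$cmd"
}

valid_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Validate a semicolon-separated ACL as documented for --allow-query and
# --allow-transfer: BIND keywords, IPv4 addresses or CIDR networks, a loose
# shape check for IPv6, each optionally negated with "!". No spaces allowed.
valid_acl() {
  oldifs=$IFS; IFS=';'; set -- $1; IFS=$oldifs
  for e in "$@"; do
    e="${e#!}"
    case "$e" in
      '') continue ;;
      any|none|localhost|localnets) ;;
      *:*) case "$e" in *[!0-9A-Fa-f:/]*) return 1 ;; esac ;;
      */*) valid_ipv4 "${e%%/*}" || return 1
           case "${e##*/}" in ''|*[!0-9]*) return 1 ;; esac
           [ "${e##*/}" -le 32 ] || return 1 ;;
      *)   valid_ipv4 "$e" || return 1 ;;
    esac
  done
  return 0
}

# Reverse zone name for a /8, /16 or /24 IPv4 network (what --name-from-ip
# would derive server-side for those prefix lengths).
reverse_zone_name() {
  net="${1%%/*}"; prefix="${1##*/}"
  valid_ipv4 "$net" || return 1
  oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
  case "$prefix" in
    8)  printf '%s.in-addr.arpa.\n' "$1" ;;
    16) printf '%s.%s.in-addr.arpa.\n' "$2" "$1" ;;
    24) printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1" ;;
    *)  echo "only /8, /16 and /24 networks are handled here" >&2; return 1 ;;
  esac
}

# usage: add_hardened_zone ZONE REALM ALLOW_QUERY ALLOW_TRANSFER
# Dynamic updates are limited to hosts changing their own A/AAAA/SSHFP records
# with Kerberos credentials (krb5-self). "any" is refused for zone transfers.
add_hardened_zone() {
  zone="$1"; realm="$2"; allow_query="$3"; allow_transfer="$4"
  valid_acl "$allow_query" || { echo "bad allow-query ACL" >&2; return 1; }
  valid_acl "$allow_transfer" || { echo "bad allow-transfer ACL" >&2; return 1; }
  case ";$allow_transfer;" in *";any;"*) echo "refusing allow-transfer of 'any'" >&2; return 1 ;; esac
  policy="grant $realm krb5-self * A; grant $realm krb5-self * AAAA; grant $realm krb5-self * SSHFP;"
  run_ipa dnszone-add "$zone" "--allow-query=$allow_query" "--allow-transfer=$allow_transfer" \
    --dynamic-update=TRUE "--update-policy=$policy" --allow-sync-ptr=TRUE
}

# usage: add_reverse_zone NETWORK/PREFIX REALM ALLOW_QUERY ALLOW_TRANSFER
# Hosts may only touch PTR records inside this zone, again via Kerberos.
add_reverse_zone() {
  name=$(reverse_zone_name "$1") || return 1
  valid_acl "$3" && valid_acl "$4" || return 1
  case ";$4;" in *";any;"*) echo "refusing allow-transfer of 'any'" >&2; return 1 ;; esac
  run_ipa dnszone-add "$name" "--allow-query=$3" "--allow-transfer=$4" \
    --dynamic-update=TRUE "--update-policy=grant $2 krb5-subdomain $name PTR;"
}

# Demo with constructed values: a private zone queryable only from RFC 1918
# space and transferable only to two secondary servers.
add_hardened_zone lab.example.com. EXAMPLE.COM '10.0.0.0/8;192.168.0.0/16;' '192.168.1.2;192.168.1.3;'
add_reverse_zone 10.20.30.0/24 EXAMPLE.COM '10.0.0.0/8;192.168.0.0/16;' '192.168.1.2;192.168.1.3;'
```

The forward zone carries --allow-sync-ptr=TRUE so that PTR records follow A/AAAA changes; that only works if the reverse zone also accepts dynamic updates, which is why both zones get a Kerberos update policy. --allow-transfer restricts AXFR by source address only; for transfers to non-IPA secondaries, a TSIG key on the BIND side is the stronger control.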
dnszone-add-permission
Usage: ipa [global-options] dnszone-add-permission NAME [options]
Add a permission for per-zone access delegation.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnszone-del
Usage: ipa [global-options] dnszone-del NAME [options]
Delete DNS zone (SOA record).
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
dnszone-disable
Usage: ipa [global-options] dnszone-disable NAME [options]
Disable DNS Zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnszone-enable
Usage: ipa [global-options] dnszone-enable NAME [options]
Enable DNS Zone.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnszone-find
Usage: ipa [global-options] dnszone-find [CRITERIA] [options]
Search for DNS zones (SOA records).
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--name NAME Zone name (FQDN)
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--zone-active ZONE-ACTIVE Is zone active?
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--name-server NAME-SERVER Authoritative nameserver domain name
--admin-email ADMIN-EMAIL Administrator e-mail address
--refresh REFRESH SOA record refresh time
--retry RETRY SOA record retry time
--expire EXPIRE SOA record expire time
--minimum MINIMUM How long should negative responses be cached
--ttl TTL Time to live for records at zone apex
--default-ttl DEFAULT-TTL Time to live for records without explicit TTL
definition
--update-policy UPDATE-POLICY BIND update policy
--dynamic-update DYNAMIC-UPDATE Allow dynamic updates.
--allow-query ALLOW-QUERY Semicolon separated list of IP addresses or
networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFER Semicolon separated list of IP addresses or
networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTR Allow synchronization of forward (A, AAAA) and
reverse (PTR) records in the zone
--dnssec DNSSEC Allow inline DNSSEC signing of records in the
zone
--nsec3param-rec NSEC3PARAM-REC NSEC3PARAM record for zone in format:
hash_algorithm flags iterations salt
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--forward-only Search for forward zones only
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“name”)
dnszone-mod
Usage: ipa [global-options] dnszone-mod NAME [options]
Modify DNS zone (SOA record).
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--name-from-ip NAME-FROM-IP IP network to create reverse zone name from
--forwarder FORWARDER Per-zone forwarders. A custom port can be
specified for each forwarder using a standard
format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICY Per-zone conditional forwarding policy. Set to
“none” to disable forwarding to global
forwarder for this zone. In that case,
conditional zone forwarders are disregarded.
--name-server NAME-SERVER Authoritative nameserver domain name
--admin-email ADMIN-EMAIL Administrator e-mail address
--refresh REFRESH SOA record refresh time
--retry RETRY SOA record retry time
--expire EXPIRE SOA record expire time
--minimum MINIMUM How long should negative responses be cached
--ttl TTL Time to live for records at zone apex
--default-ttl DEFAULT-TTL Time to live for records without explicit TTL
definition
--update-policy UPDATE-POLICY BIND update policy
--dynamic-update DYNAMIC-UPDATE Allow dynamic updates.
--allow-query ALLOW-QUERY Semicolon separated list of IP addresses or
networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFER Semicolon separated list of IP addresses or
networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTR Allow synchronization of forward (A, AAAA) and
reverse (PTR) records in the zone
--dnssec DNSSEC Allow inline DNSSEC signing of records in the
zone
--nsec3param-rec NSEC3PARAM-REC NSEC3PARAM record for zone in format:
hash_algorithm flags iterations salt
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute must be part of the schema.
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated last, after all sets and adds.
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--force Force nameserver change even if nameserver not in
DNS
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
dnszone-remove-permission
Usage:
ipa [global-options] dnszone-remove-permission NAME [options]
Remove a permission for per-zone access delegation.
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
dnszone-show
Usage: ipa [global-options] dnszone-show NAME [options]
Display information about a DNS zone (SOA record).
Arguments
Argument Required Description
NAME yes Zone name (FQDN)
Options
Option Description
--rights Display the access rights of this entry (requires
--all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.