dns

DNS Management

Manage DNS zones and resource records with integrated DNSSEC support. Features include master and forward zones, comprehensive record type support (A, AAAA, MX, SRV, PTR, TXT, etc.), dynamic updates with Kerberos authentication, zone transfers with TSIG, per-zone permissions for delegation, and interactive record management. Supports both IPv4 and IPv6, reverse zones, and DNS-based service discovery for IPA infrastructure.

31 commands
dns

Overview

FreeIPA includes an integrated DNS server providing authoritative DNS services for the IPA domain and optionally for other managed zones. This integration enables automatic DNS record management for IPA infrastructure, service discovery through SRV records, dynamic host record updates with Kerberos authentication, and centralized DNS administration through IPA’s command-line and web interfaces.

The IPA DNS implementation is built on BIND (Berkeley Internet Name Domain), storing zone data in the IPA LDAP directory rather than traditional zone files. This LDAP-based storage enables multi-master replication of DNS data across IPA servers, provides consistent DNS views across the domain, and allows fine-grained access control through IPA’s permission system. DNS zones replicate automatically alongside other IPA data, maintaining consistency without separate zone transfer configurations between IPA servers.

DNS is optional in FreeIPA deployments. Organizations can choose to use IPA’s integrated DNS for full-service management or delegate DNS to existing infrastructure while using IPA solely for identity and access management. When DNS is enabled, IPA can automatically maintain DNS records for hosts, services, and infrastructure components, reducing administrative overhead and preventing DNS-related authentication failures.

Zone Types

Master Zones

Master zones (managed through dnszone-* commands) contain authoritative DNS data for a domain. IPA DNS servers respond authoritatively to queries for these zones, providing definitive answers for resource records within the zone. Master zones support all standard DNS record types and can be configured for dynamic updates, zone transfers, and DNSSEC signing.

When a master zone is created in IPA, it is automatically replicated to all IPA servers with DNS enabled. This multi-master model ensures high availability and load distribution without manual zone transfer configuration. DNS updates made on any IPA server propagate to all other servers through standard LDAP replication.

Master zones serve as the foundation for IPA’s automatic DNS integration. When hosts are enrolled with --ip-address or --updatedns flags, IPA automatically creates and maintains A/AAAA records in the appropriate master zone. Service discovery records (SRV, TXT) for IPA infrastructure are also stored in master zones, enabling clients to locate LDAP servers, Kerberos KDCs, and certificate authorities.

Forward Zones

Forward zones (managed through dnsforwardzone-* commands) do not contain authoritative data. Instead, they forward DNS queries to specified upstream DNS servers. Forward zones enable IPA to delegate authority for specific domains while maintaining centralized DNS query routing.

Forward zones are particularly useful for split-horizon DNS scenarios, integration with external DNS systems, and conditional forwarding based on domain name. For example, a forward zone for cloud.example.com could forward queries to cloud provider DNS servers while maintaining authoritative data for the main example.com zone.

Forward zones respect the configured forward policy (first, only, none), determining fallback behavior when forwarders are unreachable. The “first” policy attempts forwarders before falling back to recursive resolution, while “only” policy returns failure if forwarders don’t respond. Forward zones do not support DNSSEC validation of forwarded responses in standard configurations.

Supported Record Types

IPA DNS supports comprehensive DNS record types for both IPv4 and IPv6 environments:

Address Records: A (IPv4), AAAA (IPv6), PTR (reverse lookup) Service Records: SRV (service location), MX (mail exchange), NS (nameserver) Security Records: SSHFP (SSH fingerprint), TLSA (DANE certificate association), DS (DNSSEC delegation signer) Text Records: TXT (text data), SPF (sender policy framework - deprecated, use TXT) Infrastructure Records: SOA (start of authority), CNAME (canonical name), DNAME (delegation name) Advanced Records: LOC (location), NAPTR (naming authority pointer), CAA (certificate authority authorization), URI, KX, CERT

Each record type is supported through both structured options (e.g., --mx-preference, --mx-exchanger) and raw format options (e.g., --mx-rec="10 mail.example.com"). Structured options provide validation and ease of use, while raw format supports advanced configurations and record types without specific structured support.

Structured Per-Type Options

Many DNS record types contain structured data with multiple components. For example, an MX record includes both a preference value (priority) and an exchanger (mail server hostname). A LOC record contains latitude degrees/minutes/seconds, longitude degrees/minutes/seconds, altitude, and size/precision values.

IPA provides structured options for these complex record types to simplify management and prevent syntax errors. Each supported record type offers both a raw format option (--<type>-rec) for direct value specification and structured component options (--<type>-<component>) for editing individual fields.

When creating records, administrators can use either approach but should not mix them in a single operation. When modifying existing records, structured options enable changing specific components without reconstructing the entire record. This is particularly valuable for records like SRV with multiple components where editing a single field (such as priority) should preserve other values (weight, port, target).

The interactive mode for dnsrecord-add, dnsrecord-mod, and dnsrecord-del provides guided workflows for complex record types, prompting for each component individually and offering intelligent defaults. This mode is especially helpful for occasional DNS administrators or when managing unfamiliar record types.

Dynamic DNS Updates

IPA DNS supports dynamic updates authenticated via Kerberos, enabling hosts to automatically maintain their own DNS records without granting broad DNS modification privileges. When a zone is configured for dynamic updates (--dynamic-update=TRUE), IPA automatically creates an update policy granting hosts permission to modify their own A, AAAA, and SSHFP records.

The default update policy uses the krb5-self keyword, restricting updates so each host can only modify records matching its own hostname. This prevents hosts from manipulating other hosts’ records while allowing legitimate self-updates. Administrators can customize update policies for advanced scenarios requiring different update permissions.

Dynamic updates are commonly used when hosts obtain IP addresses via DHCP and need to register those addresses in DNS automatically. SSSD on IPA clients can be configured to perform dynamic DNS updates when network configuration changes, ensuring DNS reflects current network state without manual intervention.

BIND’s update policy syntax in IPA supports Kerberos principal matching, allowing policies based on realm, hostname patterns, or specific principals. This flexibility enables scenarios like allowing a DHCP server principal to update records for any host, or restricting updates to specific network segments based on hostname conventions.

Zone Transfers and Replication

DNS zone transfers between IPA DNS servers occur automatically through LDAP replication rather than traditional DNS AXFR/IXFR mechanisms. This LDAP-based replication provides several advantages: changes propagate immediately as part of normal IPA replication, access control is managed through IPA’s LDAP ACL system, and zone consistency is guaranteed by the underlying directory replication.

For integration with external DNS servers (non-IPA secondaries), IPA supports traditional BIND zone transfers secured with TSIG keys. Zone transfer access is controlled through --allow-transfer settings specifying IP addresses, networks, or TSIG key names authorized to receive zone data. This enables IPA to serve as the master for non-IPA secondary servers in split management scenarios.

Zone transfer throttling and rate limiting follow standard BIND configuration, helping protect against resource exhaustion attacks or misconfigured secondary servers performing excessive transfers. Transfer logs are available through BIND’s query logging, providing audit trails for zone transfer activity.

Forwarders and Forwarding Policies

Global forwarders provide a default upstream DNS resolver for queries not answered authoritatively by IPA. These forwarders are typically an organization’s existing recursive resolvers or internet-facing DNS servers. Global forwarder configuration is stored in LDAP and applies to all IPA DNS servers unless overridden per-zone.

Forwarding policies determine behavior when forwarders are unavailable:

First: Query forwarders first; if they fail, perform standard recursive resolution using root hints. This policy provides resilience at the cost of potentially slower resolution when forwarders are down.

Only: Query only forwarders; if they fail, return SERVFAIL. This policy enforces strict forwarding but can cause resolution failures if forwarders are unreachable. Useful when direct internet DNS access is prohibited by policy.

None: Disable forwarding entirely for the zone. Queries perform recursive resolution from root servers or use zone delegation as appropriate. This policy is used to override global forwarding for specific zones.

Per-zone forwarding configurations override global settings, enabling different forwarding behavior for different domains. For example, internal zones might use local resolvers while external zones forward to internet-facing servers, or sensitive zones might use “only” policy while general zones use “first” for resilience.

Reverse Zones

Reverse DNS zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) provide IP address to hostname resolution. IPA can automatically create reverse zones using --name-from-ip with CIDR notation, generating the appropriate zone name for the specified network.

IPA supports automatic reverse record creation when forward records are added with --a-create-reverse or --aaaa-create-reverse flags. This automation ensures forward and reverse DNS consistency, important for many protocols and security mechanisms that validate reverse DNS.

Reverse zone delegation follows DNS standards, with classful boundaries (Class A, B, C for IPv4) or on nibble boundaries for IPv6. For networks not aligned with natural boundaries, classless reverse delegation (RFC 2317) can be configured manually using CNAME records.

Synchronization between forward and reverse records can be enabled globally (dnsconfig-mod --allow-sync-ptr=TRUE), automatically creating or removing PTR records when A/AAAA records change. This setting simplifies administration but requires careful planning to avoid unintended PTR record modifications.

EXAMPLES

Add new zone:

ipa dnszone-add example.com --admin-email=admin@example.com

Add system permission that can be used for per-zone privilege delegation:

ipa dnszone-add-permission example.com

Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:

ipa dnszone-mod example.com --dynamic-update=TRUE

This is the equivalent of:
  ipa dnszone-mod example.com --dynamic-update=TRUE $
   --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"

Modify the zone to allow zone transfers for local network only:

ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24

Add new reverse zone specified by network IP address:

ipa dnszone-add --name-from-ip=192.0.2.0/24

Add second nameserver for example.com:

ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com

Add a mail server for example.com:

ipa dnsrecord-add example.com @ --mx-rec="10 mail1"

Add another record using MX record specific options:

ipa dnsrecord-add example.com @ —mx-preference=20 —mx-exchanger=mail2

Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,

or dnsrecord-del are executed with no options):

ipa dnsrecord-add example.com @

Please choose a type of DNS resource record to be added

The most common types for this type of zone are: NS, MX, LOC

DNS resource record type: MX

MX Preference: 30

MX Exchanger: mail3

Record name: example.com
MX record: 10 mail1, 20 mail2, 30 mail3
NS record: nameserver.example.com., nameserver2.example.com.

Delete previously added nameserver from example.com:

ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.

Add LOC record for example.com:

ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"

Add new A record for www.example.com. Create a reverse record in appropriate

reverse zone as well. In this case a PTR record “2” pointing to www.example.com

will be created in zone 2.0.192.in-addr.arpa.

ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse

Add new PTR record for www.example.com

ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.

Add new SRV records for LDAP servers. Three quarters of the requests

should go to fast.example.com, one quarter to slow.example.com. If neither

is available, switch to backup.example.com.

ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"

The interactive mode can be used for easy modification:

ipa dnsrecord-mod example.com [ldap]{#ldap}._tcp

No option to modify specific record provided.

Current DNS record contents:

SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com

Modify SRV record ‘0 3 389 fast.example.com’? Yes/No (default No):

Modify SRV record ‘0 1 389 slow.example.com’? Yes/No (default No): y

SRV Priority [0]: (keep the default value)

SRV Weight [1]: 2 (modified value)

SRV Port [389]: (keep the default value)

SRV Target [slow.example.com]: (keep the default value)

1 SRV record skipped. Only one value per DNS record type can be modified at one time.

Record name: _ldap._tcp
SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com

After this modification, three fifths of the requests should go to

fast.example.com and two fifths to slow.example.com.

An example of the interactive mode for dnsrecord-del command:

ipa dnsrecord-del example.com www
No option to delete specific record provided.
Delete all? Yes/No (default No):     (do not delete all records)
Current DNS record contents:

A record: 192.0.2.2, 192.0.2.3

Delete A record '192.0.2.2'? Yes/No (default No):
Delete A record '192.0.2.3'? Yes/No (default No): y
  Record name: www
  A record: 192.0.2.2               (A record 192.0.2.3 has been deleted)

Show zone example.com:

ipa dnszone-show example.com

Find zone with “example” in its domain name:

ipa dnszone-find example

Find records for resources with “www” in their name in zone example.com:

ipa dnsrecord-find example.com www

Find A records with value 192.0.2.2 in zone example.com

ipa dnsrecord-find example.com --a-rec=192.0.2.2

Show records for resource www in zone example.com

ipa dnsrecord-show example.com www

Delegate zone sub.example to another nameserver:

ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.

Delete zone example.com with all resource records:

ipa dnszone-del example.com

If a global forwarder is configured, all queries for which this server is not

authoritative (e.g. sub.example.com) will be routed to the global forwarder.

Global forwarding configuration can be overridden per-zone.

Semantics of forwarding in IPA matches BIND semantics and depends on the type

of zone:

  • Master zone: local BIND replies authoritatively to queries for data in
the given zone (including authoritative NXDOMAIN answers) and forwarding
affects only queries for names below zone cuts (NS records) of locally
served zones.

* Forward zone: forward zone contains no authoritative data. BIND forwards
queries, which cannot be answered from its local cache, to configured
forwarders.

Semantics of the —forward-policy option:

: - none - disable forwarding for the given zone. - first - forward all queries to configured forwarders. If they fail,

do resolution using DNS root servers.
* only - forward all queries to configured forwarders and if they fail,
return failure.

Disable global forwarding for given sub-tree:

ipa dnszone-mod example.com --forward-policy=none

This configuration forwards all queries for names outside the example.com sub-tree to global forwarders. Normal recursive resolution process is used for names inside the example.com sub-tree (i.e. NS records are followed etc.).

Forward all requests for the zone external.example.com to another forwarder

using a “first” policy (it will send the queries to the selected forwarder

and if not answered it will use global root servers):

ipa dnsforwardzone-add external.example.com --forward-policy=first $
                            --forwarder=203.0.113.1

Change forward-policy for external.example.com:

ipa dnsforwardzone-mod external.example.com --forward-policy=only

Show forward zone external.example.com:

ipa dnsforwardzone-show external.example.com

List all forward zones:

ipa dnsforwardzone-find

Delete forward zone external.example.com:

ipa dnsforwardzone-del external.example.com

Resolve a host name to see if it exists (will add default IPA domain

if one is not included):

ipa dns-resolve www.example.com
ipa dns-resolve www

Per-Zone Permissions and Delegation

IPA supports fine-grained DNS administration through per-zone permissions. The dnszone-add-permission command creates a system permission allowing delegated administrators to manage a specific zone without granting access to other zones or broader IPA privileges.

Per-zone permissions enable organizational delegation scenarios: the web team manages web.example.com zone, the email team manages mail.example.com zone, and the network team manages reverse zones. Each team can add, modify, and delete records within their assigned zones without interfering with other zones.

Permission-based delegation integrates with IPA’s role-based access control system. Administrators create roles that include zone-specific permissions, then assign those roles to users or groups. This creates auditable delegation hierarchies where permission changes are tracked through role membership.

DNSSEC Support

IPA DNS integrates with BIND’s DNSSEC implementation, supporting signed zones with automated key management. DNSSEC provides cryptographic authentication of DNS responses, protecting against cache poisoning and man-in-the-middle attacks on DNS queries.

When DNSSEC is enabled for a zone, IPA automatically manages key generation, key rotation, and signature maintenance. Zone signing keys (ZSK) and key signing keys (KSK) are generated and rotated according to configured policies. Parent zone DS records must be manually configured to complete the DNSSEC chain of trust.

DNSSEC validation for forwarded zones requires careful configuration. IPA’s BIND configuration must trust the forwarder’s DNSSEC responses or validation must be disabled for specific forwarded zones to prevent validation failures.

Integration with IPA Infrastructure

IPA automatically maintains DNS records critical for infrastructure operation. When IPA servers are installed with DNS enabled, SRV records for Kerberos (_kerberos), LDAP (_ldap), and other services are created automatically. These records enable clients to discover IPA services without explicit configuration.

Location-based service records support geographically distributed IPA deployments. When IPA locations are configured and hosts are assigned to locations, IPA creates location-specific SRV records enabling clients to preferentially connect to nearby servers. The dns-update-system-records command regenerates these infrastructure records after topology changes.

When hosts are enrolled with DNS integration (ipa host-add --ip-address or client-side dynamic updates), A and AAAA records are automatically created and maintained. SSHFP records can be automatically published when hosts have SSH public keys in their LDAP entries, enabling DNS-based SSH host key verification.

Global DNS Configuration

DNS configuration consists of server-local settings (configured during installation, stored in /etc/named.conf) and global settings (stored in LDAP, accessible via dnsconfig-* commands). Global settings override local configuration and apply uniformly across all IPA DNS servers.

Common global configurations include:

  • Global forwarders: Upstream DNS servers for recursive queries
  • Forward policy: Default forwarding behavior (first, only, none)
  • PTR synchronization: Automatic reverse record management for forward records

Show global DNS configuration:

ipa dnsconfig-show

Modify global DNS configuration to set forwarders:

ipa dnsconfig-mod --forwarder=203.0.113.113

Set multiple global forwarders with custom ports:

ipa dnsconfig-mod --forwarder=203.0.113.113 --forwarder="203.0.113.114 port 5353"

Configure global forward policy:

ipa dnsconfig-mod --forward-policy=first

Enable automatic PTR record synchronization:

ipa dnsconfig-mod --allow-sync-ptr=TRUE

Use Cases

Service Discovery with SRV Records

Scenario: Applications need to automatically discover LDAP servers across multiple datacenters.

Solution:

# Create SRV records for LDAP service discovery
ipa dnsrecord-add example.com _ldap._tcp \
    --srv-priority=10 --srv-weight=60 --srv-port=389 \
    --srv-target=ldap1.example.com

ipa dnsrecord-add example.com _ldap._tcp \
    --srv-priority=10 --srv-weight=40 --srv-port=389 \
    --srv-target=ldap2.example.com

# Clients use DNS SRV lookups to find LDAP servers
# dig SRV _ldap._tcp.example.com
# Returns both servers with priority/weight for load balancing

Split-Horizon DNS with Forward Zones

Scenario: Internal resources use private DNS, external resources forward to internet DNS.

Solution:

# Create master zone for internal domain
ipa dnszone-add internal.example.com

# Create forward zone for external cloud resources
ipa dnsforwardzone-add cloud.example.com \
    --forwarder=8.8.8.8 --forwarder=8.8.4.4 \
    --forward-policy=only

# Internal resources resolved authoritatively
# Cloud resources forwarded to Google DNS

Dynamic DNS for DHCP Environment

Scenario: Workstations receive DHCP addresses and need automatic DNS registration.

Solution:

# Enable dynamic updates on zone
ipa dnszone-mod workstations.example.com --dynamic-update=TRUE

# Configure SSSD on clients for dynamic DNS (automatic)
# Or configure DHCP server for DNS updates

# On DHCP server, configure Kerberos and update DNS:
# ddns-updates on;
# ddns-update-style interim;
# update-static-leases on;

Delegated Zone Management for Departments

Scenario: IT delegates DNS management for engineering subdomain to engineering team.

Solution:

# Create subdomain zone
ipa dnszone-add eng.example.com

# Create per-zone permission
ipa dnszone-add-permission eng.example.com

# Create role for engineering DNS admins
ipa role-add eng-dns-admin --desc="Engineering DNS administrators"
ipa role-add-privilege eng-dns-admin \
    --privileges="DNS Administrators"

# Alternatively, grant zone-specific permission
ipa permission-mod "Manage DNS zone eng.example.com" \
    --bindtype=permission

ipa role-add eng-zone-admin
ipa role-add-privilege eng-zone-admin \
    --privileges="Manage DNS zone eng.example.com"

# Add engineering team members
ipa role-add-member eng-zone-admin --groups=engineering

Multi-Region DNS with Geolocation

Scenario: Global infrastructure with region-specific endpoints.

Solution:

# Create region-specific A records
ipa dnsrecord-add example.com www-us --a-rec=192.0.2.10
ipa dnsrecord-add example.com www-eu --a-rec=198.51.100.20
ipa dnsrecord-add example.com www-ap --a-rec=203.0.113.30

# Create geographic CNAMEs (client-side logic needed for selection)
# Or use global load balancer with geographic awareness

# Alternatively, use TXT records for location hints
ipa dnsrecord-add example.com www --txt-rec="geo=us-east"

Reverse DNS for Email Server Reputation

Scenario: Mail servers require proper reverse DNS for anti-spam compliance.

Solution:

# Create reverse zone for mail server subnet
ipa dnszone-add --name-from-ip=192.0.2.0/24

# Add forward record for mail server
ipa dnsrecord-add example.com mail --a-rec=192.0.2.50

# Add reverse record (PTR)
ipa dnsrecord-add 2.0.192.in-addr.arpa 50 --ptr-rec=mail.example.com.

# Verify forward and reverse match
dig mail.example.com
dig -x 192.0.2.50

# Add MX record
ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com"

DNSSEC-Secured Zone

Scenario: Enable DNSSEC for zone integrity and authentication.

Solution:

# Enable DNSSEC on zone
ipa dnszone-mod example.com --dnssec=TRUE

# IPA automatically:
# - Generates ZSK and KSK
# - Signs zone
# - Publishes DNSKEY records

# Retrieve DS records for parent zone delegation
ipa dnszone-show example.com --all | grep "DS record"

# Provide DS records to parent zone (.com registry)
# Parent publishes DS records completing chain of trust

DNS-Based Service High Availability

Scenario: Critical services need DNS-based failover.

Solution:

# Create multiple A records for same hostname (round-robin)
ipa dnsrecord-add example.com api --a-rec=192.0.2.10
ipa dnsrecord-add example.com api --a-rec=192.0.2.11
ipa dnsrecord-add example.com api --a-rec=192.0.2.12

# DNS round-robin distributes load across servers
# Failed servers require external health monitoring to remove

# For more sophisticated failover, use SRV records
ipa dnsrecord-add example.com _http._tcp.api \
    --srv-priority=10 --srv-weight=50 --srv-port=443 \
    --srv-target=api1.example.com

ipa dnsrecord-add example.com _http._tcp.api \
    --srv-priority=20 --srv-weight=50 --srv-port=443 \
    --srv-target=api2.example.com
# Priority 20 = backup server

CAA Records for Certificate Authority Authorization

Scenario: Restrict which CAs can issue certificates for domain.

Solution:

# Allow only specific CA to issue certificates
ipa dnsrecord-add example.com @ \
    --caa-rec='0 issue "letsencrypt.org"'

# Disallow certificate issuance (CAA block)
ipa dnsrecord-add restricted.example.com @ \
    --caa-rec='0 issue ";"'

# Send violation reports
ipa dnsrecord-add example.com @ \
    --caa-rec='0 iodef "mailto:security@example.com"'

# CAs check CAA records before issuing certificates
# Prevents unauthorized certificate issuance

Security Considerations

Dynamic update policies grant modification rights: Zones with --dynamic-update=TRUE allow hosts to modify their own records. Compromised hosts could register arbitrary DNS entries. Use dynamic updates only when necessary and audit update activity.

Zone transfer access controls critical: Allowing unrestricted zone transfers (--allow-transfer) enables attackers to enumerate all DNS entries, revealing infrastructure topology. Restrict zone transfers to known secondary servers only.

DNSSEC key material security: DNSSEC private keys stored in IPA enable attackers with LDAP access to forge DNS responses. Protect DNSSEC keys with appropriate LDAP ACLs and monitor key access.

Wildcard records can be abused: Wildcard DNS records (*.example.com) match any subdomain. Attackers could exploit wildcards to claim arbitrary subdomains for phishing or data exfiltration. Use wildcards judiciously.

TXT records may contain sensitive data: TXT records often store SPF, DKIM, and configuration data. Avoid storing secrets or sensitive information in TXT records as they’re publicly queryable.

Forwarder compromise affects resolution: Malicious forwarders can return incorrect DNS responses, redirecting traffic to attacker-controlled systems. Use trusted forwarders only and consider DNSSEC validation.

PTR record mismatch enables impersonation: Forward and reverse DNS mismatches can confuse security mechanisms relying on reverse DNS validation. Maintain consistent forward/reverse records.

SRV record manipulation affects service discovery: Attackers with DNS modification rights could redirect service discovery to rogue servers via SRV record manipulation. Protect DNS zones with strong access controls.

DNS rebinding attacks via short TTLs: Extremely low TTL values combined with rapid record changes enable DNS rebinding attacks against browsers. Enforce minimum TTL values for public-facing records.

Zone enumeration via DNSSEC: DNSSEC zone walking (NSEC/NSEC3 traversal) can enumerate all records even without zone transfers. Use NSEC3 with opt-out for better privacy, but recognize complete enumeration prevention is impossible with DNSSEC.

Cached poisoning via forged responses: Without DNSSEC validation, cached DNS responses could be poisoned. Enable DNSSEC signing and validation for security-critical zones.

Per-zone delegation grants broad access: Zone-specific permissions grant complete control over the zone. Delegate carefully and review permission assignments regularly.

Global DNS configuration affects all zones: Changes to global forwarders or DNS config apply to all zones. Test global configuration changes thoroughly before deployment.

BIND vulnerabilities affect IPA DNS: IPA DNS runs BIND; BIND vulnerabilities could compromise IPA DNS. Keep IPA updated and monitor BIND security advisories.

Troubleshooting

Zone creation fails with “zone already exists”:

# Check if zone exists in IPA
ipa dnszone-find example.com

# If exists, either delete and recreate or modify existing
ipa dnszone-mod example.com --admin-email=newadmin@example.com

# If exists in BIND but not IPA (orphaned zone):
# Clean BIND configuration manually

DNS queries return SERVFAIL:

# Check zone status
ipa dnszone-show example.com

# Check if DNS servers are running
systemctl status named-pkcs11

# Check BIND logs
journalctl -u named-pkcs11 -n 50

# Verify zone loads correctly
named-checkzone example.com /var/named/dyndb-ldap/ipa/master/example.com

# Check for DNSSEC issues if enabled
ipa dnszone-show example.com | grep -i dnssec

Dynamic updates failing:

# Verify dynamic update enabled
ipa dnszone-show example.com | grep "Dynamic update"

# Check update policy
ipa dnszone-show example.com --all | grep "BIND update policy"

# Test update with nsupdate (Kerberos authenticated)
kinit host/hostname.example.com
nsupdate -g
> server ipa.example.com
> zone example.com
> update add test.example.com 300 A 192.0.2.100
> send
> quit

# Check logs for errors
journalctl -u named-pkcs11 | grep -i update

Reverse DNS not resolving:

# Verify reverse zone exists
ipa dnszone-find --name-from-ip=192.0.2.0/24

# Check PTR record exists
ipa dnsrecord-show 2.0.192.in-addr.arpa 100

# Test reverse lookup
dig -x 192.0.2.100

# If PTR missing, add it
ipa dnsrecord-add 2.0.192.in-addr.arpa 100 \
    --ptr-rec=hostname.example.com.

DNSSEC validation failures:

# Check DNSSEC status
ipa dnszone-show example.com | grep DNSSEC

# Verify DNSKEY records published
dig DNSKEY example.com +dnssec

# Check if DS records are in parent zone
dig DS example.com +trace

# If DS records missing/incorrect, retrieve from IPA
ipa dnszone-show example.com --all | grep "DS record"
# Provide to parent zone operator

# Test DNSSEC validation
dig example.com +dnssec +multiline

Forwarders not working:

# Check global forwarders
ipa dnsconfig-show | grep -i forward

# Check per-zone forwarders
ipa dnsforwardzone-show cloud.example.com

# Test forwarder connectivity
dig @8.8.8.8 cloud.example.com

# Check forward policy
ipa dnsforwardzone-show cloud.example.com | grep "Forward policy"

# If policy "only" and forwarders unreachable, queries fail
# Change to "first" for fallback
ipa dnsforwardzone-mod cloud.example.com --forward-policy=first

Record addition fails with “invalid format”:

# Check record format matches type
# Common mistake: Missing trailing dot on FQDN

# Correct:
ipa dnsrecord-add example.com @ --ns-rec=ns1.example.com.
# Incorrect (missing dot):
ipa dnsrecord-add example.com @ --ns-rec=ns1.example.com

# Use structured options for complex records
ipa dnsrecord-add example.com _service._tcp \
    --srv-priority=10 --srv-weight=50 --srv-port=443 \
    --srv-target=server.example.com.

Zone transfer failing to external secondaries:

# Verify allow-transfer set
ipa dnszone-show example.com | grep "BIND transfer"

# Add external secondary IP
ipa dnszone-mod example.com --allow-transfer=203.0.113.10

# Check BIND query logs for transfer attempts
journalctl -u named-pkcs11 | grep -i transfer

# Verify firewall allows DNS traffic (port 53 TCP/UDP)
firewall-cmd --list-all | grep dns

Cannot delete DNS record - “not found”:

# List all records for name
ipa dnsrecord-show example.com www

# Delete must match exact record value
ipa dnsrecord-del example.com www --a-rec=192.0.2.10

# For records with trailing dots, include them
ipa dnsrecord-del example.com @ --ns-rec=ns1.example.com.

# Use interactive mode if unsure of exact value
ipa dnsrecord-del example.com www
# (prompts for record type and value to delete)

Permissions error adding records to zone:

# Check zone permissions
ipa dnszone-show example.com --all | grep -i permission

# Verify user has DNS privileges
ipa user-show username --all | grep -i role

# Add user to DNS administrators group
ipa group-add-member dnsadmins --users=username

# Or grant zone-specific permission
ipa dnszone-add-permission example.com
ipa permission-mod "Manage DNS zone example.com" \
    --bindtype=permission
ipa role-add-member zone-admin --users=username

SRV records not being used by clients:

# Verify SRV record format
ipa dnsrecord-show example.com _ldap._tcp

# Test SRV lookup
dig SRV _ldap._tcp.example.com

# Common issues:
# - Wrong service/protocol names
# - Missing underscore prefixes
# - Incorrect priority/weight/port/target format

# Correct format:
ipa dnsrecord-add example.com _ldap._tcp \
    --srv-rec="10 50 389 ldap.example.com."

DNS changes not propagating to all IPA servers:

# DNS uses LDAP replication
# Check replication status
ipa-replica-manage list
ipa-replica-manage list-ruv

# Force replication sync
ipa-replica-manage force-sync --from=ipa1.example.com

# Restart named on affected server
systemctl restart named-pkcs11

# Check if zone data consistent
# On each IPA server:
dig @localhost example.com SOA
# Serial numbers should match

TTL values not being respected:

# Check default TTL
ipa dnszone-show example.com | grep "Default time to live"

# Set zone default TTL
ipa dnszone-mod example.com --default-ttl=3600

# Set record-specific TTL
ipa dnsrecord-add example.com www --a-rec=192.0.2.10 --ttl=300

# Note: Clients may cache based on previous TTL
# Wait for old TTL to expire

BIND fails to start after IPA configuration:

# Check BIND configuration syntax
named-checkconf

# Check zone file syntax
named-checkzone example.com /var/named/dyndb-ldap/ipa/master/example.com

# Check BIND logs
journalctl -u named-pkcs11 -n 100

# Common issues:
# - DNSSEC key permissions
# - LDAP connection failures
# - Invalid zone data

# Verify LDAP connectivity
ldapsearch -Y GSSAPI -b "cn=dns,dc=example,dc=com"

Best Practices

Zone Design and Organization

Align zones with organizational structure: Create separate zones for different departments, applications, or environments (production, staging, development). This enables delegation to appropriate teams and isolates changes to specific organizational units.

Use subdomains for scalability: Rather than placing all records in a single large zone, create subdomains (web.example.com, api.example.com) for major functional areas. Smaller zones are easier to manage, delegate, and troubleshoot.

Plan reverse zones carefully: Create reverse zones for all allocated IP space. Consistent reverse DNS is required by many protocols (SMTP, SSH, Kerberos) and missing reverse records can cause authentication failures or service degradation.

Document zone delegation: Maintain clear records of which teams or individuals are responsible for each zone. This documentation aids incident response and prevents conflicting changes.

Record Management

Use structured options for complex records: Prefer --mx-preference --mx-exchanger over --mx-rec raw format. Structured options provide validation and prevent syntax errors that can break DNS resolution.

Leverage automatic reverse record creation: Use --a-create-reverse when adding A records to automatically maintain forward and reverse consistency. This prevents reverse DNS mismatches.

Test changes before committing: Use dnsrecord-show to verify records after adding or modifying them. DNS errors can be difficult to diagnose after the fact.

Minimize TTL for records undergoing changes: Lower TTL values (300-900 seconds) during planned changes reduce cache-related delays. Restore higher TTLs (3600+ seconds) after changes stabilize to reduce query load.

Dynamic Updates and Security

Restrict dynamic update permissions: Only enable dynamic updates (--dynamic-update=TRUE) for zones where hosts legitimately need to self-register. Unrestricted dynamic updates can enable DNS poisoning attacks.

Review update policies regularly: Default update policies use krb5-self to restrict updates to the owning host. Custom policies should be regularly audited to ensure they haven’t become overly permissive.

Monitor dynamic update activity: Review BIND logs for unexpected update patterns. Unusual update volumes or updates from unexpected principals may indicate misconfiguration or attacks.

Use TSIG for external zone transfers: When allowing zone transfers to non-IPA servers, use TSIG keys rather than IP-based restrictions alone. TSIG provides cryptographic authentication preventing unauthorized zone transfers.

Forwarder Configuration

Use reliable forwarders: Global forwarders should be highly available and geographically close to IPA servers. Forwarder failures impact all non-authoritative queries.

Set appropriate forward policies: Use “first” policy for general resilience, allowing fallback to recursive resolution. Reserve “only” policy for scenarios where policy requires queries to stay within specific infrastructure.

Monitor forwarder performance: Track query resolution times and failure rates for forwarders. Degraded forwarder performance impacts all DNS-dependent services.

Override global forwarding selectively: Use per-zone forwarding to route sensitive domains through specific forwarders or to disable forwarding for zones requiring direct recursive resolution.

DNSSEC Deployment

Enable DNSSEC incrementally: Start with non-critical zones to gain operational experience before enabling DNSSEC on critical infrastructure zones.

Automate DS record updates: Coordinate with parent zone administrators to establish automated DS record updates. Manual DS updates delay key rollovers and risk DNSSEC validation failures.

Monitor DNSSEC validation failures: Deploy monitoring for DNSSEC validation failures. Invalid signatures or missing trust chain elements cause resolution failures that may not be immediately obvious.

Plan for key rollover: Establish procedures for both routine automated key rollovers and emergency rollovers in case of key compromise. Test rollover procedures in non-production environments.

Operational Practices

Maintain DNS documentation: Document zone purposes, record type usage, delegation boundaries, and special configurations. DNS is often modified by multiple administrators; clear documentation prevents conflicts.

Use version control for zone planning: Track intended zone changes in version control before applying them. This provides audit history and rollback capability for configuration errors.

Implement change management for DNS: Require review and approval for changes to critical zones (IPA infrastructure zones, mail zones). DNS errors can cause widespread service disruption.

Regularly validate infrastructure records: Use dns-update-system-records to verify and regenerate IPA infrastructure SRV records after server additions, removals, or topology changes.

Audit zone permissions periodically: Review per-zone permissions and role assignments regularly. Remove permissions for staff who change roles or leave the organization.

Plan for DNS server outages: Ensure sufficient IPA DNS servers are deployed for redundancy. Clients should have multiple nameservers configured in resolv.conf.

Test DNS resolution from client perspective: Regularly query DNS from client systems to verify proper resolution, forwarder behavior, and infrastructure record functionality.

Integration and Automation

Integrate DNS with provisioning workflows: Configuration management tools (Ansible, Puppet) should create DNS records as part of host provisioning. This ensures DNS consistency with deployed infrastructure.

Use dns-resolve for validation: After creating or modifying records, use ipa dns-resolve to verify resolution from the IPA server perspective before declaring changes complete.

Coordinate with DHCP: If using dynamic DNS updates triggered by DHCP, ensure DHCP and DNS configurations are synchronized. Mismatched configurations cause failed updates.

Automate reverse zone creation: Script reverse zone creation for new network allocations to ensure reverse zones exist before hosts are added to those networks.

Integration with Other IPA Components

Host Enrollment

Hosts enrolled with ipa host-add --ip-address or ipa-client-install --ip-address automatically receive DNS A/AAAA records. Hosts using dynamic DNS updates via SSSD automatically update their records when IP addresses change.

Service Discovery

SRV records enable IPA clients to discover LDAP servers, Kerberos KDCs, certificate authorities, and NTP servers without explicit configuration. IPA automatically maintains these SRV records as topology changes.

SSH Integration

SSHFP records published to DNS enable SSH clients to verify host keys using DNS rather than known_hosts files. When combined with DNSSEC, this provides strong verification of SSH host identity.

Certificate Management

CAA records restrict which certificate authorities can issue certificates for domains under IPA management. TLSA records (DANE) publish certificate fingerprints in DNS for additional certificate validation.

Trust Relationships

When trusts with Active Directory are established, DNS forwarders or conditional forwarding ensure IPA servers can resolve AD domain names. Proper DNS configuration is critical for trust functionality.

Commands

dns-update-system-records

Usage: ipa [global-options] dns-update-system-records [options]

Update location and IPA server DNS records

Options

OptionDescription
--dry-runDo not update records only return expected records
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsconfig-mod

Usage: ipa [global-options] dnsconfig-mod [options]

Modify global DNS configuration.

Options

OptionDescription
--forwarder FORWARDERGlobal forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYGlobal forwarding policy. Set to “none” to disable any configured global forwarders.
--allow-sync-ptr ALLOW-SYNC-PTRAllow synchronization of forward (A, AAAA) and reverse (PTR) records
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsconfig-show

Usage: ipa [global-options] dnsconfig-show [options]

Show the current global DNS configuration.

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsforwardzone-add

Usage: ipa [global-options] dnsforwardzone-add NAME [options]

Create new DNS forward zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--skip-overlap-checkForce DNS zone creation even if it will overlap with an existing zone.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsforwardzone-add-permission

Usage: ipa [global-options] dnsforwardzone-add-permission NAME [options]

Add a permission for per-forward zone access delegation.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnsforwardzone-del

Usage: ipa [global-options] dnsforwardzone-del NAME [options]

Delete DNS forward zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

dnsforwardzone-disable

Usage: ipa [global-options] dnsforwardzone-disable NAME [options]

Disable DNS Forward Zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnsforwardzone-enable

Usage: ipa [global-options] dnsforwardzone-enable NAME [options]

Enable DNS Forward Zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnsforwardzone-find

Usage: ipa [global-options] dnsforwardzone-find [CRITERIA] [options]

Search for DNS forward zones.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMEZone name (FQDN)
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--zone-active ZONE-ACTIVEIs zone active?
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

dnsforwardzone-mod

Usage: ipa [global-options] dnsforwardzone-mod NAME [options]

Modify DNS forward zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsforwardzone-remove-permission

Usage: ipa [global-options] dnsforwardzone-remove-permission NAME [options]

Remove a permission for per-forward zone access delegation.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnsforwardzone-show

Usage: ipa [global-options] dnsforwardzone-show NAME [options]

Display information about a DNS forward zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsrecord-add

Usage: ipa [global-options] dnsrecord-add DNSZONE NAME [options]

Add new DNS resource record.

Arguments

ArgumentRequiredDescription
DNSZONEyesZone name (FQDN)

NAME yes Record name

Options

OptionDescription
--ttl TTLTime to live
--a-rec A-RECRaw A records
--a-ip-address A-IP-ADDRESSA IP Address
--a-create-reverseCreate reverse record for this IP Address
--aaaa-rec AAAA-RECRaw AAAA records
--aaaa-ip-address AAAA-IP-ADDRESSAAAA IP Address
--aaaa-create-reverseCreate reverse record for this IP Address
--a6-rec A6-RECRaw A6 records
--a6-data A6-DATAA6 Record data
--afsdb-rec AFSDB-RECRaw AFSDB records
--afsdb-subtype AFSDB-SUBTYPEAFSDB Subtype
--afsdb-hostname AFSDB-HOSTNAMEAFSDB Hostname
--cert-rec CERT-RECRaw CERT records
--cert-type CERT-TYPECERT Certificate Type
--cert-key-tag CERT-KEY-TAGCERT Key Tag
--cert-algorithm CERT-ALGORITHMCERT Algorithm
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRLCERT Certificate/CRL
--cname-rec CNAME-RECRaw CNAME records
--cname-hostname CNAME-HOSTNAMEA hostname which this alias hostname points to
--dlv-rec DLV-RECRaw DLV records
--dlv-key-tag DLV-KEY-TAGDLV Key Tag
--dlv-algorithm DLV-ALGORITHMDLV Algorithm
--dlv-digest-type DLV-DIGEST-TYPEDLV Digest Type
--dlv-digest DLV-DIGESTDLV Digest
--dname-rec DNAME-RECRaw DNAME records
--dname-target DNAME-TARGETDNAME Target
--ds-rec DS-RECRaw DS records
--ds-key-tag DS-KEY-TAGDS Key Tag
--ds-algorithm DS-ALGORITHMDS Algorithm
--ds-digest-type DS-DIGEST-TYPEDS Digest Type
--ds-digest DS-DIGESTDS Digest
--kx-rec KX-RECRaw KX records
--kx-preference KX-PREFERENCEPreference given to this exchanger. Lower values are more preferred
--kx-exchanger KX-EXCHANGERA host willing to act as a key exchanger
--loc-rec LOC-RECRaw LOC records
--loc-lat-deg LOC-LAT-DEGLOC Degrees Latitude
--loc-lat-min LOC-LAT-MINLOC Minutes Latitude
--loc-lat-sec LOC-LAT-SECLOC Seconds Latitude
--loc-lat-dir LOC-LAT-DIRLOC Direction Latitude
--loc-lon-deg LOC-LON-DEGLOC Degrees Longitude
--loc-lon-min LOC-LON-MINLOC Minutes Longitude
--loc-lon-sec LOC-LON-SECLOC Seconds Longitude
--loc-lon-dir LOC-LON-DIRLOC Direction Longitude
--loc-altitude LOC-ALTITUDELOC Altitude
--loc-size LOC-SIZELOC Size
--loc-h-precision LOC-H-PRECISIONLOC Horizontal Precision
--loc-v-precision LOC-V-PRECISIONLOC Vertical Precision
--mx-rec MX-RECRaw MX records
--mx-preference MX-PREFERENCEPreference given to this exchanger. Lower values are more preferred
--mx-exchanger MX-EXCHANGERA host willing to act as a mail exchanger
--naptr-rec NAPTR-RECRaw NAPTR records
--naptr-order NAPTR-ORDERNAPTR Order
--naptr-preference NAPTR-PREFERENCENAPTR Preference
--naptr-flags NAPTR-FLAGSNAPTR Flags
--naptr-service NAPTR-SERVICENAPTR Service
--naptr-regexp NAPTR-REGEXPNAPTR Regular Expression
--naptr-replacement NAPTR-REPLACEMENTNAPTR Replacement
--ns-rec NS-RECRaw NS records
--ns-hostname NS-HOSTNAMENS Hostname
--ptr-rec PTR-RECRaw PTR records
--ptr-hostname PTR-HOSTNAMEThe hostname this reverse record points to
--srv-rec SRV-RECRaw SRV records
--srv-priority SRV-PRIORITYLower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
--srv-weight SRV-WEIGHTRelative weight for entries with the same priority.
--srv-port SRV-PORTSRV Port
--srv-target SRV-TARGETThe domain name of the target host or ’.’ if the service is decidedly not available at this domain
--sshfp-rec SSHFP-RECRaw SSHFP records
--sshfp-algorithm SSHFP-ALGORITHMSSHFP Algorithm
--sshfp-fp-type SSHFP-FP-TYPESSHFP Fingerprint Type
--sshfp-fingerprint SSHFP-FINGERPRINTSSHFP Fingerprint
--tlsa-rec TLSA-RECRaw TLSA records
--tlsa-cert-usage TLSA-CERT-USAGETLSA Certificate Usage
--tlsa-selector TLSA-SELECTORTLSA Selector
--tlsa-matching-type TLSA-MATCHING-TYPETLSA Matching Type
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATATLSA Certificate Association Data
--txt-rec TXT-RECRaw TXT records
--txt-data TXT-DATATXT Text Data
--uri-rec URI-RECRaw URI records
--uri-priority URI-PRIORITYLower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.
--uri-weight URI-WEIGHTRelative weight for entries with the same priority.
--uri-target URI-TARGETTarget Uniform Resource Identifier according to RFC 3986
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--forceforce NS record creation even if its hostname is not in DNS
--structuredParse all raw DNS records and return them in a structured way
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsrecord-del

Usage: ipa [global-options] dnsrecord-del DNSZONE NAME [options]

Delete DNS resource record.

Arguments

ArgumentRequiredDescription
DNSZONEyesZone name (FQDN)

NAME yes Record name

Options

OptionDescription
--ttl TTLTime to live
--a-rec A-RECRaw A records
--aaaa-rec AAAA-RECRaw AAAA records
--a6-rec A6-RECRaw A6 records
--afsdb-rec AFSDB-RECRaw AFSDB records
--cert-rec CERT-RECRaw CERT records
--cname-rec CNAME-RECRaw CNAME records
--dlv-rec DLV-RECRaw DLV records
--dname-rec DNAME-RECRaw DNAME records
--ds-rec DS-RECRaw DS records
--kx-rec KX-RECRaw KX records
--loc-rec LOC-RECRaw LOC records
--mx-rec MX-RECRaw MX records
--naptr-rec NAPTR-RECRaw NAPTR records
--ns-rec NS-RECRaw NS records
--ptr-rec PTR-RECRaw PTR records
--srv-rec SRV-RECRaw SRV records
--sshfp-rec SSHFP-RECRaw SSHFP records
--tlsa-rec TLSA-RECRaw TLSA records
--txt-rec TXT-RECRaw TXT records
--uri-rec URI-RECRaw URI records
--del-allDelete all associated records
--structuredParse all raw DNS records and return them in a structured way
--raw

dnsrecord-find

Usage: ipa [global-options] dnsrecord-find DNSZONE [CRITERIA] [options]

Search for DNS resources.

Arguments

ArgumentRequiredDescription
DNSZONEyesZone name (FQDN)

CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMERecord name
--ttl TTLTime to live
--a-rec A-RECRaw A records
--aaaa-rec AAAA-RECRaw AAAA records
--a6-rec A6-RECRaw A6 records
--afsdb-rec AFSDB-RECRaw AFSDB records
--cert-rec CERT-RECRaw CERT records
--cname-rec CNAME-RECRaw CNAME records
--dlv-rec DLV-RECRaw DLV records
--dname-rec DNAME-RECRaw DNAME records
--ds-rec DS-RECRaw DS records
--kx-rec KX-RECRaw KX records
--loc-rec LOC-RECRaw LOC records
--mx-rec MX-RECRaw MX records
--naptr-rec NAPTR-RECRaw NAPTR records
--ns-rec NS-RECRaw NS records
--ptr-rec PTR-RECRaw PTR records
--srv-rec SRV-RECRaw SRV records
--sshfp-rec SSHFP-RECRaw SSHFP records
--tlsa-rec TLSA-RECRaw TLSA records
--txt-rec TXT-RECRaw TXT records
--uri-rec URI-RECRaw URI records
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--structuredParse all raw DNS records and return them in a structured way
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

dnsrecord-mod

Usage: ipa [global-options] dnsrecord-mod DNSZONE NAME [options]

Modify a DNS resource record.

Arguments

ArgumentRequiredDescription
DNSZONEyesZone name (FQDN)

NAME yes Record name

Options

OptionDescription
--ttl TTLTime to live
--a-rec A-RECRaw A records
--a-ip-address A-IP-ADDRESSA IP Address
--aaaa-rec AAAA-RECRaw AAAA records
--aaaa-ip-address AAAA-IP-ADDRESSAAAA IP Address
--a6-rec A6-RECRaw A6 records
--a6-data A6-DATAA6 Record data
--afsdb-rec AFSDB-RECRaw AFSDB records
--afsdb-subtype AFSDB-SUBTYPEAFSDB Subtype
--afsdb-hostname AFSDB-HOSTNAMEAFSDB Hostname
--cert-rec CERT-RECRaw CERT records
--cert-type CERT-TYPECERT Certificate Type
--cert-key-tag CERT-KEY-TAGCERT Key Tag
--cert-algorithm CERT-ALGORITHMCERT Algorithm
--cert-certificate-or-crl CERT-CERTIFICATE-OR-CRLCERT Certificate/CRL
--cname-rec CNAME-RECRaw CNAME records
--cname-hostname CNAME-HOSTNAMEA hostname which this alias hostname points to
--dlv-rec DLV-RECRaw DLV records
--dlv-key-tag DLV-KEY-TAGDLV Key Tag
--dlv-algorithm DLV-ALGORITHMDLV Algorithm
--dlv-digest-type DLV-DIGEST-TYPEDLV Digest Type
--dlv-digest DLV-DIGESTDLV Digest
--dname-rec DNAME-RECRaw DNAME records
--dname-target DNAME-TARGETDNAME Target
--ds-rec DS-RECRaw DS records
--ds-key-tag DS-KEY-TAGDS Key Tag
--ds-algorithm DS-ALGORITHMDS Algorithm
--ds-digest-type DS-DIGEST-TYPEDS Digest Type
--ds-digest DS-DIGESTDS Digest
--kx-rec KX-RECRaw KX records
--kx-preference KX-PREFERENCEPreference given to this exchanger. Lower values are more preferred
--kx-exchanger KX-EXCHANGERA host willing to act as a key exchanger
--loc-rec LOC-RECRaw LOC records
--loc-lat-deg LOC-LAT-DEGLOC Degrees Latitude
--loc-lat-min LOC-LAT-MINLOC Minutes Latitude
--loc-lat-sec LOC-LAT-SECLOC Seconds Latitude
--loc-lat-dir LOC-LAT-DIRLOC Direction Latitude
--loc-lon-deg LOC-LON-DEGLOC Degrees Longitude
--loc-lon-min LOC-LON-MINLOC Minutes Longitude
--loc-lon-sec LOC-LON-SECLOC Seconds Longitude
--loc-lon-dir LOC-LON-DIRLOC Direction Longitude
--loc-altitude LOC-ALTITUDELOC Altitude
--loc-size LOC-SIZELOC Size
--loc-h-precision LOC-H-PRECISIONLOC Horizontal Precision
--loc-v-precision LOC-V-PRECISIONLOC Vertical Precision
--mx-rec MX-RECRaw MX records
--mx-preference MX-PREFERENCEPreference given to this exchanger. Lower values are more preferred
--mx-exchanger MX-EXCHANGERA host willing to act as a mail exchanger
--naptr-rec NAPTR-RECRaw NAPTR records
--naptr-order NAPTR-ORDERNAPTR Order
--naptr-preference NAPTR-PREFERENCENAPTR Preference
--naptr-flags NAPTR-FLAGSNAPTR Flags
--naptr-service NAPTR-SERVICENAPTR Service
--naptr-regexp NAPTR-REGEXPNAPTR Regular Expression
--naptr-replacement NAPTR-REPLACEMENTNAPTR Replacement
--ns-rec NS-RECRaw NS records
--ns-hostname NS-HOSTNAMENS Hostname
--ptr-rec PTR-RECRaw PTR records
--ptr-hostname PTR-HOSTNAMEThe hostname this reverse record points to
--srv-rec SRV-RECRaw SRV records
--srv-priority SRV-PRIORITYLower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
--srv-weight SRV-WEIGHTRelative weight for entries with the same priority.
--srv-port SRV-PORTSRV Port
--srv-target SRV-TARGETThe domain name of the target host or ’.’ if the service is decidedly not available at this domain
--sshfp-rec SSHFP-RECRaw SSHFP records
--sshfp-algorithm SSHFP-ALGORITHMSSHFP Algorithm
--sshfp-fp-type SSHFP-FP-TYPESSHFP Fingerprint Type
--sshfp-fingerprint SSHFP-FINGERPRINTSSHFP Fingerprint
--tlsa-rec TLSA-RECRaw TLSA records
--tlsa-cert-usage TLSA-CERT-USAGETLSA Certificate Usage
--tlsa-selector TLSA-SELECTORTLSA Selector
--tlsa-matching-type TLSA-MATCHING-TYPETLSA Matching Type
--tlsa-cert-association-data TLSA-CERT-ASSOCIATION-DATATLSA Certificate Association Data
--txt-rec TXT-RECRaw TXT records
--txt-data TXT-DATATXT Text Data
--uri-rec URI-RECRaw URI records
--uri-priority URI-PRIORITYLower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.
--uri-weight URI-WEIGHTRelative weight for entries with the same priority.
--uri-target URI-TARGETTarget Uniform Resource Identifier according to RFC 3986
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--structuredParse all raw DNS records and return them in a structured way
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--rename RENAMERename the DNS resource record object

dnsrecord-show

Usage: ipa [global-options] dnsrecord-show DNSZONE NAME [options]

Display DNS resource.

Arguments

ArgumentRequiredDescription
DNSZONEyesZone name (FQDN)

NAME yes Record name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--structuredParse all raw DNS records and return them in a structured way
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsserver-add

Usage: ipa [global-options] dnsserver-add HOSTNAME [options]

Add a new DNS server.

Arguments

ArgumentRequiredDescription
HOSTNAMEyesDNS Server name

Options

OptionDescription
--soa-mname-override SOA-MNAME-OVERRIDESOA mname (authoritative server) override
--forwarder FORWARDERPer-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsserver-del

Usage: ipa [global-options] dnsserver-del HOSTNAME [options]

Delete a DNS server

Arguments

ArgumentRequiredDescription
HOSTNAMEyesDNS Server name

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

dnsserver-find

Usage: ipa [global-options] dnsserver-find [CRITERIA] [options]

Search for DNS servers.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--hostname HOSTNAMEDNS Server name
--soa-mname-override SOA-MNAME-OVERRIDESOA mname (authoritative server) override
--forwarder FORWARDERPer-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“hostname”)

dnsserver-mod

Usage: ipa [global-options] dnsserver-mod HOSTNAME [options]

Modify DNS server configuration

Arguments

ArgumentRequiredDescription
HOSTNAMEyesDNS Server name

Options

OptionDescription
--soa-mname-override SOA-MNAME-OVERRIDESOA mname (authoritative server) override
--forwarder FORWARDERPer-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnsserver-show

Usage: ipa [global-options] dnsserver-show HOSTNAME [options]

Display configuration of a DNS server.

Arguments

ArgumentRequiredDescription
HOSTNAMEyesDNS Server name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnszone-add

Usage: ipa [global-options] dnszone-add NAME [options]

Create new DNS zone (SOA record).

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--name-server NAME-SERVERAuthoritative nameserver domain name
--admin-email ADMIN-EMAILAdministrator e-mail address
--refresh REFRESHSOA record refresh time
--retry RETRYSOA record retry time
--expire EXPIRESOA record expire time
--minimum MINIMUMHow long should negative responses be cached
--ttl TTLTime to live for records at zone apex
--default-ttl DEFAULT-TTLTime to live for records without explicit TTL definition
--update-policy UPDATE-POLICYBIND update policy
--dynamic-update DYNAMIC-UPDATEAllow dynamic updates.
--allow-query ALLOW-QUERYSemicolon separated list of IP addresses or networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFERSemicolon separated list of IP addresses or networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTRAllow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
--dnssec DNSSECAllow inline DNSSEC signing of records in the zone
--nsec3param-rec NSEC3PARAM-RECNSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--skip-overlap-checkForce DNS zone creation even if it will overlap with an existing zone.
--forceForce DNS zone creation even if nameserver is not resolvable. (Deprecated)
--skip-nameserver-checkForce DNS zone creation even if nameserver is not resolvable.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnszone-add-permission

Usage: ipa [global-options] dnszone-add-permission NAME [options]

Add a permission for per-zone access delegation.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnszone-del

Usage: ipa [global-options] dnszone-del NAME [options]

Delete DNS zone (SOA record).

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

dnszone-disable

Usage: ipa [global-options] dnszone-disable NAME [options]

Disable DNS Zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnszone-enable

Usage: ipa [global-options] dnszone-enable NAME [options]

Enable DNS Zone.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnszone-find

Usage: ipa [global-options] dnszone-find [CRITERIA] [options]

Search for DNS zones (SOA records).

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMEZone name (FQDN)
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--zone-active ZONE-ACTIVEIs zone active?
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--name-server NAME-SERVERAuthoritative nameserver domain name
--admin-email ADMIN-EMAILAdministrator e-mail address
--refresh REFRESHSOA record refresh time
--retry RETRYSOA record retry time
--expire EXPIRESOA record expire time
--minimum MINIMUMHow long should negative responses be cached
--ttl TTLTime to live for records at zone apex
--default-ttl DEFAULT-TTLTime to live for records without explicit TTL definition
--update-policy UPDATE-POLICYBIND update policy
--dynamic-update DYNAMIC-UPDATEAllow dynamic updates.
--allow-query ALLOW-QUERYSemicolon separated list of IP addresses or networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFERSemicolon separated list of IP addresses or networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTRAllow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
--dnssec DNSSECAllow inline DNSSEC signing of records in the zone
--nsec3param-rec NSEC3PARAM-RECNSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--forward-onlySearch for forward zones only
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

dnszone-mod

Usage: ipa [global-options] dnszone-mod NAME [options]

Modify DNS zone (SOA record).

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--name-from-ip NAME-FROM-IPIP network to create reverse zone name from
--forwarder FORWARDERPer-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
--forward-policy FORWARD-POLICYPer-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
--name-server NAME-SERVERAuthoritative nameserver domain name
--admin-email ADMIN-EMAILAdministrator e-mail address
--refresh REFRESHSOA record refresh time
--retry RETRYSOA record retry time
--expire EXPIRESOA record expire time
--minimum MINIMUMHow long should negative responses be cached
--ttl TTLTime to live for records at zone apex
--default-ttl DEFAULT-TTLTime to live for records without explicit TTL definition
--update-policy UPDATE-POLICYBIND update policy
--dynamic-update DYNAMIC-UPDATEAllow dynamic updates.
--allow-query ALLOW-QUERYSemicolon separated list of IP addresses or networks which are allowed to issue queries
--allow-transfer ALLOW-TRANSFERSemicolon separated list of IP addresses or networks which are allowed to transfer the zone
--allow-sync-ptr ALLOW-SYNC-PTRAllow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
--dnssec DNSSECAllow inline DNSSEC signing of records in the zone
--nsec3param-rec NSEC3PARAM-RECNSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--forceForce nameserver change even if nameserver not in DNS
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

dnszone-remove-permission

Usage: ipa [global-options] dnszone-remove-permission NAME [options]

Remove a permission for per-zone access delegation.

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

dnszone-show

Usage: ipa [global-options] dnszone-show NAME [options]

Display information about a DNS zone (SOA record).

Arguments

ArgumentRequiredDescription
NAMEyesZone name (FQDN)

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.