[Infrastructure]: Fix internal/external use of DNS #58

Open
opened 2024-03-22 21:31:41 +00:00 by label · 0 comments
Owner

Checklist

Each IPA server should be configured based on its location

  • [ ] Per-zone conditional forwarding (as forward or delegated) for specific domains
  • [ ] Per-server conditional forwarding (ORD to forward to 1.1.1.1, 1.0.0.1, 169.254.169.253 and recurse)
  • [ ] Per-server conditional forwarding (IAD will only recurse approved domains)
  • [ ] Separate bind/equivalent service that acts as an NS for each internal domain[1]
  • [ ] Utilize internal repositories that already have A records
  • [x] Utilize mirror manager to handle private mirrors (ORD) - This sort of works now. http002 is the only one that appears, which is probably fine.
  • [ ] Utilize mirror manager to handle private mirrors (IAD) (neil)
  • [ ] Systems should have one of or all IPA nodes in their DC listed as nameservers first before opnsense or pfsense

Checklist (immediate needs)

  • [ ] dl.rl.o and mirrors.rl.o internal names situated -> They should point to internal addresses
  • [ ] Open 80/443 on the SGs for mirrors.rl.o to facilitate the above
  • [ ] Open 80/443 on the SGs for dl.rl.o (if necessary; repopool servers already have this open)
  • [ ] Change ORD systems to use IPA servers as primaries before opnsense/pfsense

Checklist (public)

  • [ ] Verify existing DNS entries
  • [ ] Policy to track DNS entries from requests (e.g. regular checks)

Footnotes

[1] pfsense and opnsense don't support this directly. With that said, ensuring some other standalone DNS internally is a slave of all internal domains would ensure that records are still resolvable if services point to both IPA and this internal service, assuming IPA's DNS disappears for some reason.
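The following audit script is an added example, not part of this issue or of the RESF infrastructure code. It checks two of the items above from a host's point of view: that the IPA nameservers of the host's own DC come before the opnsense/pfsense resolvers in resolv.conf, and that the internal-only names dl.rl.o and mirrors.rl.o resolve to internal addresses. The IPA and firewall addresses, the internal prefix and the sample resolv.conf contents are constructed placeholders, and the sample answers are fed in through a mock resolver; `system_resolver` shows how the same check would query the host's real resolvers.

```python
"""Added example: audit a host's resolver setup against the DNS checklist.

Check 1: the DC's own IPA nameservers are listed before the firewall resolvers.
Check 2: internal-only names answer with internal addresses.
All addresses below are constructed placeholders, not RESF's real inventory.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed inventory: per-DC IPA nameservers and the opnsense/pfsense resolvers.
IPA_NAMESERVERS: Dict[str, List[str]] = {
    "ORD": ["10.10.0.10", "10.10.0.11"],
    "IAD": ["10.20.0.10", "10.20.0.11"],
}
FIREWALL_RESOLVERS = {"10.10.0.1", "10.20.0.1"}
# Constructed definition of "internal" address space.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
# Names from the issue that must point to internal addresses from inside a DC.
INTERNAL_ONLY_NAMES = ["dl.rl.o", "mirrors.rl.o"]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in the order resolv.conf lists them."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_nameserver_order(servers: List[str], dc: str) -> List[str]:
    """Flag a firewall resolver listed ahead of the DC's IPA nodes, or unknown servers."""
    ipa = set(IPA_NAMESERVERS[dc])
    problems = []
    first_ipa = next((i for i, s in enumerate(servers) if s in ipa), None)
    first_fw = next((i for i, s in enumerate(servers) if s in FIREWALL_RESOLVERS), None)
    if first_ipa is None:
        problems.append(f"no {dc} IPA nameserver configured")
    elif first_fw is not None and first_fw < first_ipa:
        problems.append(
            f"firewall resolver {servers[first_fw]} listed before "
            f"IPA nameserver {servers[first_ipa]}"
        )
    for s in servers:
        if s not in ipa and s not in FIREWALL_RESOLVERS:
            problems.append(f"unexpected nameserver {s} (not an {dc} IPA node or firewall)")
    return problems


def check_internal_names(resolve: Callable[[str], List[str]]) -> List[str]:
    """Flag internal-only names that fail to resolve or resolve outside INTERNAL_PREFIXES."""
    problems = []
    for name in INTERNAL_ONLY_NAMES:
        try:
            addrs = resolve(name)
        except OSError as exc:
            problems.append(f"{name}: lookup failed ({exc})")
            continue
        if not addrs:
            problems.append(f"{name}: no A records")
        for a in addrs:
            if not any(ipaddress.ip_address(a) in net for net in INTERNAL_PREFIXES):
                problems.append(f"{name}: resolves to non-internal address {a}")
    return problems


def audit(resolv_text: str, dc: str, resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Run both checks; empty lists mean the host matches the checklist."""
    return {
        "nameserver_order": check_nameserver_order(parse_resolv_conf(resolv_text), dc),
        "internal_names": check_internal_names(resolve),
    }


def system_resolver(name: str) -> List[str]:
    """Real lookup through the host's configured resolvers (not used by the samples)."""
    return socket.gethostbyname_ex(name)[2]


# Constructed samples: an ORD host still pointing at the firewall first, then the fixed host.
ORD_BEFORE = "search ord.example.internal\nnameserver 10.10.0.1\nnameserver 10.10.0.10\n"
ORD_AFTER = ("search ord.example.internal\nnameserver 10.10.0.10\n"
             "nameserver 10.10.0.11\nnameserver 10.10.0.1\n")
# Constructed answers: the "before" resolver hands out a public mirror address.
BEFORE_ANSWERS = {"dl.rl.o": ["10.10.5.20"], "mirrors.rl.o": ["203.0.113.10"]}
AFTER_ANSWERS = {"dl.rl.o": ["10.10.5.20"], "mirrors.rl.o": ["10.10.5.21"]}

if __name__ == "__main__":
    for tag, conf, answers in (("before", ORD_BEFORE, BEFORE_ANSWERS),
                               ("after", ORD_AFTER, AFTER_ANSWERS)):
        print(tag, audit(conf, "ORD", lambda n, a=answers: a.get(n, [])))
```

Run the audit from a host inside each DC (ORD, IAD) rather than from a workstation, since the point of the second check is what the resolvers reachable from that location answer; a public address for mirrors.rl.o from inside ORD means traffic is leaving the DC and the security-group opening above is doing work it should not have to.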
label added the task label 2024-03-22 21:31:41 +00:00
label added the gain/high and component/idm labels 2024-03-22 22:45:01 +00:00
label added the priority/high label 2024-03-22 23:31:51 +00:00
label added this to the RESF Infrastructure Identity Management project 2024-03-24 01:23:47 +00:00