
8.6. Modifying DNS Zones

A zone is created with a certain amount of configuration, set to default values.
Example 8.2. Default DNS Zone Entry Settings
  dn: idnsname=example.com,cn=dns,dc=example,dc=com
  idnsname: example.com
  idnssoamname: server.example.com.
  idnssoarname: root.server.example.com.
  idnssoaserial: 2011130701
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  idnsupdatepolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  idnszoneactive: TRUE
  idnsallowdynupdate: TRUE
  nsrecord: server.example.com.
  objectclass: top
  objectclass: idnsrecord
  objectclass: idnszone

All of the possible zone settings are listed in Table 8.3, “Zone Attributes”. Along with setting the actual information for the zone, the settings define how the DNS server handles the start of authority (SOA) record entries and how it updates its records from the DNS name server.
Table 8.3. Zone Attributes

| Attribute | Command-Line Option | Description |
|---|---|---|
| Zone name | --name | Sets the name of the zone. |
| Authoritative nameserver | --name-server | Sets the fully-qualified domain name of the DNS name server. |
| Administrator e-mail address | --admin-email | Sets the email address to use for the zone administrator. This defaults to the root account on the host. |
| SOA serial | --serial | Sets a version number for the SOA record file. |
| SOA refresh | --refresh | Sets the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server. |
| SOA retry | --retry | Sets the time, in seconds, to wait before retrying a failed refresh operation. |
| SOA expire | --expire | Sets the time, in seconds, that a secondary DNS server will try to perform a refresh update before ending the operation attempt. |
| SOA minimum | --minimum | Sets the minimum amount of time, in seconds, that data are kept in cache. |
| SOA time to live | --ttl | Sets the maximum time, in seconds, that information is kept in the data cache. |
| SOA class | --class | Sets the type of record. This is almost always IN, which stands for Internet. |
| BIND update policy | --update-policy | Sets the permissions allowed to clients in the DNS zone. |
| Dynamic update | --allow-dynupdate | Enables dynamic updates to DNS records for clients. |
| Name server | --ip-address | Adds the DNS name server by its IP address. |

IMPORTANT

If Dynamic update (--allow-dynupdate) is set to false, FreeIPA client machines will not be able to add or update their IP address. See Section 8.7, “Enabling Dynamic DNS Updates” for more information.

8.6.1. Editing the Zone Configuration in the Web UI

  1. Open the Identity tab, and select the DNS subtab.
  2. Click the name of the DNS zone to edit.
  3. Open the Settings tab.
  4. Change any of the DNS zone settings. The full list of attributes is described in Table 8.3, “Zone Attributes”. There are some common attributes to change:
    • Authoritative name server, the fully-qualified domain name of the DNS name server.
    • Dynamic update, to enable dynamic updates to DNS records for clients.

      IMPORTANT

      Dynamic updates are enabled by default when a zone is created. This allows FreeIPA clients to update their own DNS entries.
      However, when a DNS zone entry is edited, the Dynamic update setting is reset to false. It must be manually set to true every time the zone is modified to continue to allow clients to update their DNS entries.
    • SOA refresh, the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server.
  5. Click the Update link at the top of the settings page.

8.6.2. Editing the Zone Configuration in the Command Line

The zone can be created with additional attributes and values different from the default by passing additional options with the dnszone-add command. Likewise, attributes can be added or modified in the zone entry by passing the same attribute options with the dnszone-mod command. These are listed in Table 8.3, “Zone Attributes”.
If an attribute does not exist in the DNS zone entry, then the dnszone-mod command adds the attribute. If the attribute exists, then it overwrites the current value with the specified value.
For example, to set a time to live for SOA records:
$ ipa dnszone-mod example.com --ttl=1800 --allow-dynupdate

IMPORTANT

Dynamic updates are enabled by default when a zone is created. This allows FreeIPA clients to update their own DNS entries.
However, when a DNS zone entry is edited, the dynamic update setting is set to false. This --allow-dynupdate option must be specified every time the zone is modified to continue to allow clients to update their DNS entries.
This adds a new attribute to the DNS zone entry:
  dn: idnsname=example.com,cn=dns,dc=example,dc=com
  idnsname: example.com
  idnssoamname: server.example.com.
  idnssoarname: root.server.example.com.
  idnssoaserial: 2011130701
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  dnsttl: 1800
  idnsupdatepolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  idnszoneactive: TRUE
  idnsallowdynupdate: TRUE
  nsrecord: server.example.com.
  objectclass: top
  objectclass: idnsrecord
  objectclass: idnszone
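As an added example (not part of the original documentation and not FreeIPA's own code), the following Python script audits a zone entry in the LDIF form shown in Example 8.2 and above for the settings that decide who may change records in the zone: that the zone is active, that dynamic updates are enabled (the setting this section warns is reset when the zone is modified without --allow-dynupdate), and that every grant in the BIND update policy uses the krb5-self rule type and is limited to A and AAAA records, so a host principal can only touch its own address records. The check names, the findings format and the second, edited entry are constructed for this example; the first entry is copied from Example 8.2.

```python
"""Audit a FreeIPA DNS zone entry (LDIF) for the settings that govern
who may change records in the zone.

Added example; not FreeIPA's own code. The first LDIF block is copied from
Example 8.2; the second is altered by hand to model the failure mode from
Section 8.6.2 (zone edited without --allow-dynupdate). Check names and the
allowed record-type set are this example's own assumptions.
"""
import re

# Constructed input: the default zone entry from Example 8.2.
DEFAULT_ZONE_LDIF = """\
dn: idnsname=example.com,cn=dns,dc=example,dc=com
idnsname: example.com
idnssoamname: server.example.com.
idnssoarname: root.server.example.com.
idnssoaserial: 2011130701
idnssoarefresh: 3600
idnssoaretry: 900
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnsupdatepolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
idnszoneactive: TRUE
idnsallowdynupdate: TRUE
nsrecord: server.example.com.
objectclass: top
objectclass: idnsrecord
objectclass: idnszone
"""

# Constructed input: the same zone after "dnszone-mod --ttl=1800" issued
# without --allow-dynupdate, which resets dynamic updates to false.
EDITED_ZONE_LDIF = DEFAULT_ZONE_LDIF.replace(
    "idnsallowdynupdate: TRUE", "idnsallowdynupdate: FALSE"
).replace("idnssoaminimum: 3600\n", "idnssoaminimum: 3600\ndnsttl: 1800\n")


def parse_ldif(text):
    """Parse one plain LDIF entry into {attribute: [values]}.

    Attribute names are lower-cased; repeated attributes (objectclass) keep
    every value. Base64 ("::") values are not needed for zone entries here.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


# One BIND update-policy rule: "<grant|deny> <identity> <ruletype> <name> [types...]"
RULE_RE = re.compile(r"^(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_update_policy(policy):
    """Split a ';'-separated update-policy string into rule dicts."""
    rules = []
    for clause in policy.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        m = RULE_RE.match(clause)
        if not m:
            raise ValueError("unparsable update-policy clause: %r" % clause)
        action, identity, ruletype, name, types = m.groups()
        rules.append({"action": action, "identity": identity, "ruletype": ruletype,
                      "name": name, "types": types.split()})
    return rules


def audit_zone(text, allowed_types=("A", "AAAA")):
    """Return a list of finding strings; an empty list means the zone passes."""
    entry = parse_ldif(text)
    zone = entry.get("idnsname", ["?"])[0]
    findings = []

    if entry.get("idnszoneactive", ["FALSE"])[0].upper() != "TRUE":
        findings.append("%s: zone is not active" % zone)

    # Section 8.6.2: an edit without --allow-dynupdate turns this off, after
    # which FreeIPA clients can no longer register their own addresses.
    if entry.get("idnsallowdynupdate", ["FALSE"])[0].upper() != "TRUE":
        findings.append("%s: dynamic updates disabled (idnsallowdynupdate != TRUE)" % zone)

    allowed = {t.upper() for t in allowed_types}
    for policy in entry.get("idnsupdatepolicy", []):
        for rule in parse_update_policy(policy):
            if rule["action"] != "grant":
                continue
            # krb5-self restricts a principal to the name matching its own
            # host; broader rule types let one client rewrite other hosts.
            if rule["ruletype"] != "krb5-self":
                findings.append("%s: grant for %s uses rule type %s, not krb5-self"
                                % (zone, rule["identity"], rule["ruletype"]))
            # No type list means any record type, including CNAME/MX/TXT.
            extra = [t for t in rule["types"] if t.upper() not in allowed]
            if not rule["types"] or extra:
                findings.append("%s: grant for %s allows record types %s"
                                % (zone, rule["identity"], rule["types"] or ["ANY"]))
    return findings


if __name__ == "__main__":
    for label, ldif in (("default", DEFAULT_ZONE_LDIF), ("edited", EDITED_ZONE_LDIF)):
        print(label, audit_zone(ldif) or "OK")
```

Run it against the output of `ipa dnszone-show --all --raw` (or an LDAP search under cn=dns) after every zone modification; the edited entry above produces exactly one finding, the lost dynamic-update setting, while the default entry passes.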