Description of problem:
Up to now, we have recommended that IdM be used as the DNS server on the undercloud and overcloud nodes when deploying TLS Everywhere. The idea is to use IdM locally and then have IdM act as a forwarder to the customer's real DNS servers to get any other addresses. This allows novajoin and other processes to find the relevant DNS entries to properly do Kerberos authentication, and for the overcloud nodes to join IdM correctly.

There are some customers who would prefer not to do this. Some, for instance, already have a highly available DNS architecture and do not want to set up a similar IdM architecture to prevent a single point of failure. We've gotten things working on customer sites by adding missing entries ahead of time in the external DNS server.

This RFE is to make sure that this is a supported deployment model - which means that we need to test and document what is required - and make sure it's part of our downstream CI.

It is likely that the entries needed will be different for novajoin vs. tripleo-ipa. We need to note the differences between the two cases (and test both cases).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
To be clear, we expect most (if not all) of this work to be on the testing and documentation side.
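As an added pre-flight check (example code written for this page, not part of the RFE, novajoin or tripleo-ipa), the script below compares the records an IdM-enrolled node is assumed to need (a forward A record and a matching PTR for every node and for the IdM server, plus the SRV/TXT discovery records that ipa-client-install uses to locate the KDC and LDAP server) against what the customer's external DNS actually serves, and reports entries that are missing and PTRs that disagree with the forward record. The host names, addresses, realm and the record list itself are assumptions for illustration; the RFE's own point is that the authoritative list still has to be determined, documented and tested, separately for novajoin and tripleo-ipa.

```python
"""Pre-flight check: does the external DNS already carry what an IdM client
needs, so IdM does not have to be the resolver on the cloud nodes?

Example code, not from the RFE or from novajoin/tripleo-ipa. Names, addresses
and the required-record list are assumptions; adjust them to the deployment.
"""
import socket

# Assumed deployment values for the worked example.
DOMAIN = "example.com"
REALM = "EXAMPLE.COM"
IPA_SERVER = "ipa.example.com"
IPA_IP = "192.0.2.10"

# Assumed: the DNS discovery records a FreeIPA client looks for. The RFE notes
# that the real list (and novajoin vs. tripleo-ipa differences) is still to be
# established, so treat this as a starting point, not the specification.
DISCOVERY_RECORDS = {
    ("_kerberos." + DOMAIN, "TXT", REALM),
    ("_kerberos._udp." + DOMAIN, "SRV", IPA_SERVER),
    ("_kerberos._tcp." + DOMAIN, "SRV", IPA_SERVER),
    ("_kpasswd._udp." + DOMAIN, "SRV", IPA_SERVER),
    ("_kpasswd._tcp." + DOMAIN, "SRV", IPA_SERVER),
    ("_ldap._tcp." + DOMAIN, "SRV", IPA_SERVER),
}


def reverse_name(ip):
    """IPv4 address -> in-addr.arpa owner name (192.0.2.10 -> 10.2.0.192.in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def required_records(hosts):
    """hosts: {fqdn: ipv4}. Each node and the IdM server needs an A record and
    a PTR that points back to the same FQDN: host principals are
    host/<fqdn>@REALM and Kerberos clients may canonicalise names through
    reverse DNS, so forward and reverse must agree."""
    required = set(DISCOVERY_RECORDS)
    for fqdn, ip in {**hosts, IPA_SERVER: IPA_IP}.items():
        required.add((fqdn, "A", ip))
        required.add((reverse_name(ip), "PTR", fqdn))
    return required


def audit(hosts, observed):
    """Compare the required set with what the external DNS serves.

    observed: set of (name, rtype, rdata) tuples pulled from the DNS.
    Returns {"missing": [...], "mismatched": [...]}; "mismatched" lists PTR
    records that exist but name a different host than the A record does
    (reported as (name, "PTR", actual_target, expected_target))."""
    required = required_records(hosts)
    ptr_by_name = {n: r for n, t, r in observed if t == "PTR"}
    missing = sorted(
        rec for rec in required - observed
        if not (rec[1] == "PTR" and rec[0] in ptr_by_name)
    )
    mismatched = sorted(
        (n, "PTR", ptr_by_name[n], fqdn)
        for n, t, fqdn in required
        if t == "PTR" and n in ptr_by_name and ptr_by_name[n] != fqdn
    )
    return {"missing": missing, "mismatched": mismatched}


def live_records(hosts):
    """Collect the A/PTR side from the system resolver. The standard library
    cannot query SRV/TXT, so those must be verified with dig or dnspython."""
    seen = set()
    for fqdn in list(hosts) + [IPA_SERVER]:
        try:
            for info in socket.getaddrinfo(fqdn, None, socket.AF_INET):
                seen.add((fqdn, "A", info[4][0]))
        except socket.gaierror:
            pass
    for ip in list(hosts.values()) + [IPA_IP]:
        try:
            seen.add((reverse_name(ip), "PTR", socket.gethostbyaddr(ip)[0]))
        except (socket.herror, socket.gaierror):
            pass
    return seen


# Constructed sample of what a customer's DNS might serve (not real data):
# one node has a stale PTR, one has no PTR, and the _kpasswd SRVs are absent.
SAMPLE_HOSTS = {
    "undercloud.example.com": "192.0.2.1",
    "overcloud-controller-0.example.com": "192.0.2.21",
    "overcloud-novacompute-0.example.com": "192.0.2.31",
}
SAMPLE_OBSERVED = {
    ("ipa.example.com", "A", "192.0.2.10"),
    ("10.2.0.192.in-addr.arpa", "PTR", "ipa.example.com"),
    ("undercloud.example.com", "A", "192.0.2.1"),
    ("1.2.0.192.in-addr.arpa", "PTR", "undercloud.example.com"),
    ("overcloud-controller-0.example.com", "A", "192.0.2.21"),
    ("21.2.0.192.in-addr.arpa", "PTR", "ctl0.example.com"),  # stale PTR
    ("overcloud-novacompute-0.example.com", "A", "192.0.2.31"),  # no PTR
    ("_kerberos.example.com", "TXT", "EXAMPLE.COM"),
    ("_kerberos._udp.example.com", "SRV", "ipa.example.com"),
    ("_kerberos._tcp.example.com", "SRV", "ipa.example.com"),
    ("_ldap._tcp.example.com", "SRV", "ipa.example.com"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, SAMPLE_OBSERVED)
    for rec in report["missing"]:
        print("MISSING   ", rec)
    for rec in report["mismatched"]:
        print("MISMATCHED", rec)
```

Against the constructed sample the audit flags the compute node's absent PTR, the two unpublished `_kpasswd` SRV records, and the controller's PTR that still points at an old name. To run it against a real deployment, replace `SAMPLE_OBSERVED` with the output of `live_records(hosts)` for the A/PTR half and add the SRV/TXT answers from `dig`, and run it before `ipa-client-install` or the novajoin/tripleo-ipa enrolment rather than after a Kerberos failure.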