Bug 747612 - [RFE] IPA should support and manage DNS sites
Summary: [RFE] IPA should support and manage DNS sites
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: rc
: 7.1
Assignee: Pavel Picka
QA Contact: Namita Soman
Marc Muehlfeld
: 991229 1044733 (view as bug list)
Depends On: 743503 1204506
Blocks: 1203710 1349053
Reported: 2011-10-20 13:55 UTC by Dmitri Pal
Modified: 2019-12-16 04:23 UTC (History)

Fixed In Version: ipa-4.4.0-1.el7
Doc Type: Enhancement
Doc Text:
IdM now supports DNS locations
This update adds support for DNS location management to the Identity Management (IdM) integrated DNS server to improve cross-site implementations. Previously, clients using DNS records to locate IdM servers could not distinguish local servers from servers located in remote geographical locations. This update enables clients using DNS discovery to find the nearest servers, and to use the network in an optimized way. As a result, administrators can manage DNS locations and assign servers to them in the IdM web user interface and from the command line. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#dns-locations
Clone Of:
: 1044733 1349053 (view as bug list)
Last Closed: 2016-11-04 05:42:46 UTC
Target Upstream Version:

Attachments
evidence (903 bytes, text/plain)
2016-08-23 11:28 UTC, Pavel Picka

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:2404 | 0 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2016-11-03 13:56:18 UTC

Description Dmitri Pal 2011-10-20 13:55:41 UTC
It is related to bug #743503 but to manage the site on the server side.

The original request is the following:

Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.

Site: Boston
Site: London

Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston:
_ldap._tcp        in    srv    0 100 389 boston-ipa-server1
_ldap._tcp        in    srv    0 100 389 boston-ipa-server2

London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:
_ldap._tcp        in    srv    0 100 389 london-ipa-server1
_ldap._tcp        in    srv    0 100 389 london-ipa-server2

Now point the client's DNS "search" entry to point to the local site first, then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com

The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)
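
The lookup order that the description relies on, as an added example that is not part of the original report or of IPA's own code: a Python simulation of resolv.conf search-list resolution over the SRV records quoted above. The zone data is constructed from the report; the function names and the "Paris" site (a site with no zone of its own) are hypothetical.

```python
# Constructed zone data mirroring the SRV records in the description above.
BOSTON_RR = """_ldap._tcp in srv 0 100 389 boston-ipa-server1
_ldap._tcp in srv 0 100 389 boston-ipa-server2
"""
LONDON_RR = """_ldap._tcp in srv 0 100 389 london-ipa-server1
_ldap._tcp in srv 0 100 389 london-ipa-server2
"""
ZONES = {
    "Boston._sites.ipa.domain.com": BOSTON_RR,
    "London._sites.ipa.domain.com": LONDON_RR,
    "ipa.domain.com": BOSTON_RR + LONDON_RR,  # main domain lists all servers
}

def load_records(zones):
    """Parse 'owner in srv prio weight port target' lines into {fqdn: [rr]}."""
    records = {}
    for origin, text in zones.items():
        for line in text.splitlines():
            fields = line.split()
            if len(fields) != 7 or fields[2].lower() != "srv":
                continue  # ignore blank or non-SRV lines
            owner, prio, weight, port, target = fields[0], *fields[3:]
            fqdn = f"{owner}.{origin}".lower()  # DNS names are case-insensitive
            rr = (int(prio), int(weight), int(port), target)
            records.setdefault(fqdn, []).append(rr)
    return records

def parse_search(resolv_conf):
    """Return the suffixes of the last 'search' line in resolv.conf text."""
    lines = [l.split() for l in resolv_conf.splitlines()]
    found = [f[1:] for f in lines if f and f[0] == "search"]
    return found[-1] if found else []

def discover(name, resolv_conf, records):
    """Try each search suffix in order; return (matched fqdn, targets)."""
    for suffix in parse_search(resolv_conf):
        fqdn = f"{name}.{suffix}".lower()
        if fqdn in records:
            # Lowest priority first; RFC 2782 weighted selection is omitted.
            ordered = sorted(records[fqdn], key=lambda rr: rr[0])
            return fqdn, [rr[3] for rr in ordered]
    return None, []

RECORDS = load_records(ZONES)

if __name__ == "__main__":
    for site in ("Boston", "Paris"):  # Paris: hypothetical site with no zone
        conf = f"search {site}._sites.ipa.domain.com ipa.domain.com"
        print(site, discover("_ldap._tcp", conf, RECORDS))
```

A client whose site zone has no matching record falls through to the second search suffix and receives every server in the main domain, so a missing or mistyped site name degrades to non-local discovery rather than to a failure.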

Comment 1 Dmitri Pal 2011-10-20 14:00:10 UTC
Upstream ticket:

Comment 2 Martin Kosek 2013-08-06 07:25:47 UTC
*** Bug 991229 has been marked as a duplicate of this bug. ***

Comment 4 Martin Kosek 2015-03-27 13:35:45 UTC
*** Bug 1044733 has been marked as a duplicate of this bug. ***

Comment 6 Petr Vobornik 2016-04-14 14:10:33 UTC
Upstream ticket:

Comment 7 Petr Vobornik 2016-06-02 10:18:11 UTC
Upstream ticket:

Comment 8 Petr Vobornik 2016-06-02 13:00:56 UTC
Upstream ticket:

Comment 22 Martin Bašti 2016-06-28 13:25:47 UTC
Fixed upstream

Comment 24 Petr Vobornik 2016-06-29 14:36:20 UTC
additional webui part:


Comment 26 Petr Spacek 2016-07-07 10:35:43 UTC
All the information we have about the feature can be found on

Please let me or mbasti know if something is unclear or if any information is missing.

Comment 36 Pavel Picka 2016-08-23 11:28:45 UTC
Created attachment 1193302

Verified using upstream test on 4.4.0-8.el7

Comment 38 errata-xmlrpc 2016-11-04 05:42:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

