Description
DNS integration testing.
Setup
- Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation) installed with DNS
- Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
How to test
DNS integration overview
The DNS integration is done using the dns plugin. Please see ipa help dns to see a more detailed overview.
Checking what zones are available
Upon installing the FreeIPA server with DNS integration, a forward and reverse zone will be available. Try listing them and checking what kind of records are stored in the zones:
ipa dnszone-find
  Zone name: example.com
  Authoritative name server: ipa.example.com
  Administrator e-mail address: root.example.com
  SOA serial: 2011140201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

  Zone name: 122.168.192.in-addr.arpa.
  Authoritative name server: ipa.example.com
  Administrator e-mail address: root.122.168.192.in-addr.arpa.
  SOA serial: 2011140201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
----------------------------
Number of entries returned 2
----------------------------

ipa dnsrecord-find example.com
  Record name: @
  NS record: example.com
  <output trimmed>
Adding a new zone
A new zone is added using the dnszone-add command:
ipa dnszone-add example.com --name-server nameserver.example.com \
    --ip-address 192.168.1.1 \
    --admin-email admin@example.com
Please note that in the current FreeIPA version, the zone will not be automatically registered in the name server until the name server instance is restarted. Also, the name server must either be resolvable, or you need to use the --ip-address option to add a forward (A) record for it at the same time, as seen in the previous example.
Reload the nameserver to register the zone:
service named reload
Verify the zone has been added:
ipa dnszone-show example.com
We can now proceed to adding records into the new zone.
Adding and managing a record
A typical example is an A record with an IP address:
ipa dnsrecord-add example.com www --a-rec 192.168.1.2
The new record should be immediately visible:
ipa dnsrecord-show example.com www
Find A records with value 192.168.1.2 in zone example.com:
ipa dnsrecord-find example.com --a-rec 192.168.1.2
To check that the entry is resolvable through DNS, you can either use the internal dns-resolve command:
ipa dns-resolve www.example.com
Or use the dig command (install bind-utils to get it):
dig www.example.com
Some records have a more complex RDATA format, SRV records for example. The following commands add new SRV records for LDAP servers. Three quarters of the requests should go to fast.example.com and one quarter to slow.example.com; if neither is available, clients switch to backup.example.com.
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
Verify the records were added with dnsrecord-show:
ipa dnsrecord-show example.com _ldap._tcp
  Record name: _ldap._tcp
  SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
You can also resolve the records with dig:
dig -t SRV _ldap._tcp.example.com
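To check that the SRV records really express the intended 3:1 split and the backup fallback, the following added script (not part of this test case or of FreeIPA) parses a constructed copy of the dnsrecord-show output above and computes the per-priority selection shares that an RFC 2782 client would apply.

```python
import re
from collections import defaultdict

# Constructed sample of `ipa dnsrecord-show example.com _ldap._tcp` output,
# copied from the expected result of the test step above.
SAMPLE_OUTPUT = """\
  Record name: _ldap._tcp
  SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com
"""


def parse_srv_records(output):
    """Return (priority, weight, port, target) tuples parsed from the
    'SRV record:' line(s) of ipa dnsrecord-show output."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("SRV record:"):
            continue
        rdata = line[len("SRV record:"):]
        for item in rdata.split(","):
            parts = item.split()
            if len(parts) != 4:
                raise ValueError(f"malformed SRV rdata: {item!r}")
            prio, weight, port, target = parts
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def expected_shares(records):
    """RFC 2782 selection: clients try the lowest priority first; within one
    priority a target is picked with probability weight / sum(weights).
    Returns {priority: {target: share}} so the split can be asserted on."""
    by_prio = defaultdict(dict)
    for prio, weight, _port, target in records:
        by_prio[prio][target] = by_prio[prio].get(target, 0) + weight
    shares = {}
    for prio, targets in by_prio.items():
        total = sum(targets.values())
        if total == 0:
            # All weights zero: RFC 2782 says choose among them uniformly.
            shares[prio] = {t: 1 / len(targets) for t in targets}
        else:
            shares[prio] = {t: w / total for t, w in targets.items()}
    return shares


if __name__ == "__main__":
    for prio, targets in sorted(expected_shares(parse_srv_records(SAMPLE_OUTPUT)).items()):
        print(f"priority {prio}: {targets}")
```

The same parser can be pointed at the SRV answer section of dig output once the record names and RDATA are extracted in the same "prio weight port target" form.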
Expected Results
All the test steps should end with the specified results.