The ipa dns-update-system-records command provides a way to get a list of the DNS records about IPA servers and their services: the records that are maintained by the IPA installers and by DNS location support.

The output of this command is human readable, but it cannot be used to update an external DNS system without preprocessing.

The ipa dns-update-system-records command should be enhanced with an option to write a file in nsupdate format that can be consumed by the nsupdate command. The directives should update the external DNS system to match the IPA configuration.

The goal is to enable integration with an external DNS system with minimum changes. It should be tested with both the TSIG and the GSS-TSIG authentication methods (this does not have to be part of the command output).

Automatic updates are a goal of #4424.

User story:

As an administrator, I want to keep the DNS records of all IPA masters and their configured services up to date with minimal manual effort. That is, after a change in topology, such as installation or uninstallation of a replica or installation of an IPA subsystem (CA, DNS, KRA, Trusts), I want to run a simple script or a short series of commands which I do not have to invent myself but can copy from a provided source; it should do the work after I specify only a few options, such as the external DNS hostname and the necessary authentication credentials.

Acceptance criteria:

  • Limitation: the external DNS server supports dynamic updates from the nsupdate command (RFC 2136) with either the TSIG or the GSS-TSIG auth mechanism
  • Limitation: only records currently displayed by ipa dns-update-system-records --dry-run are subject to these updates
  • An example of how to use it is published on the freeipa.org wiki
  • The example covers both the TSIG and the GSS-TSIG auth mechanism
  • Old or invalid records are removed
  • New records are added
  • No coding is required from the administrator; they only need to replace constants or option values in the provided example
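
The following is an added example, not FreeIPA code, of the kind of nsupdate script the enhanced command could emit. It assumes a record list with the shape (owner name, TTL, RR type, rdata), constructed here rather than taken from real --dry-run output, and that all records live in the zone named in the `zone` directive; the `auth` dict and function names are this example's own.

```python
"""Build one nsupdate transaction from a list of IPA system DNS records."""

# Constructed sample input; the shape is assumed to mirror what
# `ipa dns-update-system-records --dry-run` lists, values are invented.
SAMPLE_RECORDS = [
    ("_kerberos-master._tcp.ipa.example.test.", 86400, "SRV", "0 100 88 server1.ipa.example.test."),
    ("_kerberos-master._tcp.ipa.example.test.", 86400, "SRV", "0 100 88 server2.ipa.example.test."),
    ("_kerberos._udp.ipa.example.test.", 86400, "SRV", "0 100 88 server1.ipa.example.test."),
    ("_kerberos.ipa.example.test.", 86400, "TXT", '"IPA.EXAMPLE.TEST"'),
    ("ipa-ca.ipa.example.test.", 86400, "A", "192.0.2.10"),
]


def auth_directives(auth):
    """Return the nsupdate line(s) that select the authentication mechanism.

    auth is {"mode": "gsstsig"} for GSS-TSIG (nsupdate then signs with the
    Kerberos credential cache) or {"mode": "tsig", "algorithm": ...,
    "keyname": ..., "secret": ...} for a shared TSIG key.
    """
    if auth["mode"] == "gsstsig":
        return ["gsstsig"]
    if auth["mode"] == "tsig":
        return ["key %s:%s %s" % (auth["algorithm"], auth["keyname"], auth["secret"])]
    raise ValueError("unknown auth mode: %r" % auth["mode"])


def build_nsupdate(records, zone, server, auth):
    """Emit directives that make `zone` on `server` match `records`.

    Each (owner, type) RRset present in the input is deleted as a whole
    before its records are re-added, so a stale entry pointing at a removed
    replica disappears without the script knowing the old value.  RFC 2136
    applies the update section in order, so delete-then-add is safe in one send.
    """
    lines = ["server %s" % server, "zone %s" % zone] + auth_directives(auth)
    cleared = set()
    for owner, ttl, rtype, rdata in records:
        if (owner, rtype) not in cleared:
            cleared.add((owner, rtype))
            lines.append("update delete %s %s" % (owner, rtype))
        lines.append("update add %s %d %s %s" % (owner, ttl, rtype, rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe the output into `nsupdate` (after kinit for GSS-TSIG).
    print(build_nsupdate(SAMPLE_RECORDS, "ipa.example.test.",
                         "ns1.example.test", {"mode": "gsstsig"}), end="")
```

An RRset whose owner name and type no longer appear in the input at all (for example the ipa-ca A record after the last CA is removed) is not touched by this approach, so a complete "old records are removed" implementation also needs the previous record list to diff against.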


