Integration with MS DNS without a windows capsule

I apologize if this is not the correct venue for this discussion, but I was hoping to get some feedback on two different possible ways to solve an issue, each of which would require some development effort.

We use static IP addresses and Microsoft DNS. The plugin which provides dns_dnscmd (allows creation/removal of static DNS records) is not usable as we are running Red Hat Satellite, and Windows is not supported as a capsule operating system by Red Hat.

Years ago, we implemented the dns_nsupdate_gss provider with a Kerberos keytab file. It works really well and ensures that all DNS records are automatically created and removed properly as hosts are built and deleted, and that a DNS record or IP address is not in use before allowing a host to build.

There is a problem though: the timestamp used by scavenging is never updated. The account saved in the Kerberos keytab file becomes the owner of the DNS record in MS DNS, which means that even if we configure the clients (once built) to send secure DNS updates using Kerberos, authenticating with the AD computer account, they get an ‘access denied’ as the DNS zone only allows secure updates and the computer account does not have access to its own DNS record.

I can see two potential ways of resolving this, but I am sure others exist:

  1. Extending the dns_nsupdate_gss provider to send DDNS updates on a schedule. The DNS service account would remain the owner of the records, and Foreman/Satellite would manage them fully.
  2. With PowerShell 6+, if you enable the OpenSSH server feature on Windows it is now possible to use PowerShell remoting from Linux to Windows. The existing dnscmd plugin could be extended to use PowerShell remoting to run the same commands on a remote server instead of where the DNS proxy role is installed. This gets a little bit complicated and has a lot of points of failure, but would likely work.
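As an added sketch of option 2 (this is example code written for this thread, not code from the smart_proxy_dns_dnscmd plugin or from Foreman/Satellite), the Ruby below composes `dnscmd /RecordAdd` and `/RecordDelete` command lines and runs them on a remote Windows DNS server over ssh, as a Smart Proxy DNS provider would. It assumes a Windows host with the OpenSSH server enabled, a hypothetical ssh target `svc-dns@dns1.example.com` whose account has DNS administration rights, key-based authentication, and that the remote login shell executes the command string directly. The `/Aging` switch on `/RecordAdd` creates the record as an aging record with a timestamp, which is what scavenging looks at, so records created this way behave like client-registered ones rather than the static, keytab-owned records the post describes. Because every argument ends up inside a single command string on the remote side, the helper rejects anything outside a small character whitelist before building the command; hostnames arrive from Foreman input and must never be able to alter the remote command.

```ruby
require 'open3'

# Added example, not code from the Foreman dnscmd plugin: compose dnscmd
# command lines and execute them on a remote Windows DNS server over ssh.
class RemoteDnscmd
  # Only characters that can appear in DNS labels, zone names, IP addresses and
  # simple RR data. Every token becomes part of one remote command string, so
  # shell/cmd metacharacters are rejected outright rather than escaped.
  SAFE_TOKEN = /\A[A-Za-z0-9._:-]+\z/.freeze

  # ssh_target: "user@dns-host" (hypothetical; the account needs DNS admin rights).
  # dns_server: server name handed to dnscmd; "." means the host we ssh into.
  # runner:     callable taking argv; injected so the class can be exercised offline.
  def initialize(ssh_target, dns_server: '.', runner: nil)
    @ssh_target = ssh_target
    @dns_server = dns_server
    @runner = runner || method(:run_ssh)
  end

  # dnscmd <server> /RecordAdd <zone> <name> [/Aging] <type> <data>
  # /Aging makes the record an aging (dynamic) record with a timestamp, so
  # scavenging treats it like a client-registered record.
  def add_argv(zone, name, type, data, aging: true)
    check_tokens!(zone, name, type, data)
    argv = ['dnscmd', @dns_server, '/RecordAdd', zone, name]
    argv << '/Aging' if aging
    argv + [type, data]
  end

  # dnscmd <server> /RecordDelete <zone> <name> <type> [<data>] /f
  # /f suppresses the interactive confirmation prompt.
  def delete_argv(zone, name, type, data = nil)
    check_tokens!(zone, name, type, data)
    argv = ['dnscmd', @dns_server, '/RecordDelete', zone, name, type]
    argv << data if data
    argv << '/f'
  end

  def add(zone, name, type, data, aging: true)
    @runner.call(add_argv(zone, name, type, data, aging: aging))
  end

  def delete(zone, name, type, data = nil)
    @runner.call(delete_argv(zone, name, type, data))
  end

  private

  def check_tokens!(*tokens)
    tokens.compact.each do |t|
      raise ArgumentError, "unsafe dnscmd argument: #{t.inspect}" unless t.match?(SAFE_TOKEN)
    end
  end

  # BatchMode=yes makes ssh fail instead of hanging on a password prompt when
  # the key is missing. The remote OpenSSH login shell executes the joined
  # string (assumed to be cmd.exe here, which finds dnscmd on PATH).
  def run_ssh(argv)
    out, err, status = Open3.capture3('ssh', '-o', 'BatchMode=yes', @ssh_target, argv.join(' '))
    raise "dnscmd failed (exit #{status.exitstatus}): #{err.strip} #{out.strip}" unless status.success?
    out
  end
end

if $PROGRAM_NAME == __FILE__
  # Dry run with a printing runner: shows the commands without connecting anywhere.
  dns = RemoteDnscmd.new('svc-dns@dns1.example.com', dns_server: 'dns1',
                         runner: ->(argv) { puts argv.join(' '); '' })
  dns.add('example.com', 'host42', 'A', '10.0.0.42')
  dns.delete('example.com', 'host42', 'A', '10.0.0.42')
end
```

Run it as-is for the dry run; drop the `runner:` argument to execute over ssh. A provider built on this would still inherit the failure points mentioned in the post (ssh reachability, key management, the service account's rights on the zone), which is why the remote call raises on any non-zero exit rather than returning silently.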