
Hi @here

Whoever decided that all outgoing DNS traffic should only go to 185.85.248.19 (iodine.enidan.com): I decided that it's time to be a bit more generic and use 9.9.9.10, 9.9.9.9, 8.8.8.8 and 1.1.1.1 (in this order) for now for all DNS queries that go out from our infra.opensuse.org network into the world.

I also changed from dnsmasq to bind on anna/elsa and (re-)enabled the infra.opensuse.org zone on chip.infra.opensuse.org (including in-addr.arpa). At the moment, FreeIPA is still authoritative for all infra.opensuse.org DNS entries - nothing changed here. But now it's just a single "click" away to make chip our "one and only" DNS hidden master server.

Please note that we have had another hidden master for a while: scar is providing DNS for all openVPN clients:

    ~> host lrupp.vpn.opensuse.org
    lrupp.vpn.opensuse.org has address 192.168.253.202
    lrupp.vpn.opensuse.org has address 192.168.252.202
    lrupp.vpn.opensuse.org mail is handled by 1 relay.infra.opensuse.org.
    ~> host lrupp.tcp.vpn.opensuse.org
    lrupp.tcp.vpn.opensuse.org has address 192.168.253.202
    lrupp.tcp.vpn.opensuse.org mail is handled by 1 relay.infra.opensuse.org.
    ~> host lrupp.udp.vpn.opensuse.org
    lrupp.udp.vpn.opensuse.org has address 192.168.252.202
    lrupp.udp.vpn.opensuse.org mail is handled by 1 relay.infra.opensuse.org.
    ~> host 192.168.253.202
    202.253.168.192.in-addr.arpa domain name pointer lrupp.tcp.vpn.opensuse.org.
    ~> host 192.168.252.202
    202.252.168.192.in-addr.arpa domain name pointer lrupp.udp.vpn.opensuse.org.

This means that hosts that currently use anna/elsa as resolver should show which VPN "user" is or was connected to a machine.

Next task is to get LDAP authentication on chip up and running for the WebUI. At the moment it looks like either the tool does not like me or I do not like the LDAP settings in our FreeIPA - who knows...

Regarding DNSSEC, I got good news from SUSE IT: while they currently face some issues with our registrar, they want to support us as well as possible. So we might end up in some temporary workaround - but that should not block us. We might even get a dedicated account at another registrar to manage the domains under openSUSE heroes' control completely on our own in the future. While this is currently not 100% clear, I see this as a very positive sign that SUSE-IT is hearing us and tries to do their best to support us.

Meanwhile, I would like to get our DNS setup in order. Anyone who would like to join me in this is more than welcome!

With kind regards,
Lars