[Freeipa-devel] [PATCH] 195-199 New DNS features

Rob Crittenden rcritten at redhat.com
Mon Feb 20 17:46:01 UTC 2012


Martin Kosek wrote:
> On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
>>>> A new version of bind-dyndb-ldap has been released, sending fixed
>>>> patches with the following major changes:
>>>> - Since bind-dyndb-ldap supports only idnsForwarders global option at
>>>> this time, all other global options were removed from the API. They were
>>>> left in the schema though so that the schema is consistent with
>>>> bind-dyndb-ldap supported schema and the support of these options in the
>>>> future can be added more seamlessly
>>>> - idnsAllowQuery and idnsAllowTransfer format has changed to follow BIND
>>>> format (ACI elements separated with semicolon). An example of such
>>>> element:
>>>>
>>>> ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"
>>>>
>>>> This ACI would forbid machines with any IP from the 10.0.0.0/8 network,
>>>> besides 10.0.0.1, from querying the name server. All other machines are
>>>> allowed to issue queries.
>>>
>>> Any good reason why this is not a multi-value attribute ?
>>> Do these ACIs need to be ordered ? (that would be probably a good
>>> reason).
>>
>> That's exactly it!
>>
>> rob
>>
>
> Yup. Previous release of bind-dyndb-ldap followed the multi-valued LDAP
> attribute format, but we found out that we cannot do it this way as the
> ACI list needs to be ordered.
>
> When bind evaluates if it should allow/reject a query/transfer request it
> simply traverses the ACI list, one by one, and accepts the result of the
> first match, i.e. the order is crucial there.
>
> Martin
>

There is no help for dnsconfig.

If you set global forwarders then named will fail to restart if forwarders 
are also defined in named.conf. We should warn users when setting this 
(and/or in the help).

I can't get forwarded domains to work. I think I followed the test 
instructions in the ticket but my bogus domain always resolves to the root.

rob
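The first-match behaviour Martin describes above is what makes the ordering of idnsAllowQuery/idnsAllowTransfer elements matter. The following is an added example, not code from bind-dyndb-ldap, FreeIPA or BIND: it parses the semicolon-separated list from the thread into an ordered list and evaluates client addresses top to bottom, stopping at the first element that covers the address. It also shows the same three elements in a different order, where the broad negated prefix shadows the host exception. The grammar handled is deliberately limited to what appears in the thread (addresses, prefixes, a leading `!`, the keyword `any`); other BIND address-match-list elements such as named ACLs, `none`, `localhost`, `localnets` or TSIG key names are not handled and are rejected. The fallback of "no element matched, so the request is not allowed" mirrors how BIND treats an unmatched address match list.

```python
"""BIND-style address match list with first-match semantics (added example).

Not bind-dyndb-ldap or FreeIPA code. Supports only what the thread shows:
IPv4/IPv6 host addresses or prefixes, '!' negation, the keyword 'any',
elements separated by ';'. Anything else raises ValueError via ipaddress.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Element = Tuple[bool, Union[Net, str]]  # (negated, network or the literal 'any')


def parse_acl(text: str) -> List[Element]:
    """Parse '10.0.0.1;!10.0.0.0/8;any;' into an ORDERED list of elements.

    Order is preserved on purpose: evaluation walks the list top to bottom
    and the first element covering the client address decides.
    """
    elements: List[Element] = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue  # trailing ';' or stray whitespace
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item == "any":
            elements.append((negated, "any"))
        else:
            # strict=False lets a bare host ('10.0.0.1') and a prefix
            # ('10.0.0.0/8') both parse into a network object.
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def is_allowed(acl: List[Element], client: str) -> bool:
    """First match wins: a negated element denies, a plain element allows.

    If no element matches, the address is treated as not matched, i.e. the
    query/transfer is not allowed (as BIND does for an unmatched list).
    """
    addr = ipaddress.ip_address(client)
    for negated, target in acl:
        if target == "any":
            matched = True
        else:
            matched = addr.version == target.version and addr in target
        if matched:
            return not negated
    return False


# Constructed sample input: the exact list quoted in the thread.
THREAD_ACL = "10.0.0.1;!10.0.0.0/8;any;"
# Same three elements, different order (constructed for contrast).
SHADOWED_ACL = "!10.0.0.0/8;10.0.0.1;any;"
CLIENTS = ("10.0.0.1", "10.1.2.3", "192.0.2.7")


def demo() -> Dict[str, Dict[str, bool]]:
    """Evaluate the sample clients against both orderings."""
    ordered = parse_acl(THREAD_ACL)
    shadowed = parse_acl(SHADOWED_ACL)
    return {
        # 10.0.0.1 allowed, rest of 10/8 denied, everything else allowed
        "ordered": {ip: is_allowed(ordered, ip) for ip in CLIENTS},
        # the '!10.0.0.0/8' element now fires before the host exception,
        # so 10.0.0.1 is denied: this is why an unordered multi-valued LDAP
        # attribute cannot represent the list faithfully
        "shadowed": {ip: is_allowed(shadowed, ip) for ip in CLIENTS},
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

Running it shows 10.0.0.1 allowed under the thread's ordering and denied once the negated prefix is moved in front of it, with the non-10/8 client allowed in both cases by the trailing `any`.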