[Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default
Rob Crittenden
rcritten at redhat.com
Tue Jun 5 02:39:05 UTC 2012
Martin Kosek wrote:
> For security reasons, dynamic updates are not enabled for new DNS
> zones. In order to enable the dynamic zone securely, user needs to
> allow dynamic updates and create a zone update policy.
>
> The policy is not easy to construct for regular users, we should
> rather fill it by default and let users just switch the policy
> on or off.
>
> https://fedorahosted.org/freeipa/ticket/2441

I think the example should be something like:

 Modify the zone to allow dynamic updates for hosts' own records in
 realm EXAMPLE.COM:

   ipa dnszone-mod example.com --dynamic-update=TRUE

 This is the equivalent of:

   ipa dnszone-mod example.com --dynamic-update=TRUE \\
    --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"

Otherwise ACK.
rob
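
Added example (not part of the original message and not FreeIPA code): a small check that builds the default policy string discussed in this thread for a realm and flags grant rules in a zone's update policy that are broader than it. The function names and the sample "broad" policy are constructed for illustration; the rule layout assumed is "action identity ruletype name types;".

```python
# Record types the default policy in this thread lets a host update for itself.
DEFAULT_TYPES = ("A", "AAAA")

def default_update_policy(realm):
    """Build the policy string shown in the thread for a Kerberos realm."""
    return " ".join(f"grant {realm} krb5-self * {t};" for t in DEFAULT_TYPES)

def parse_update_policy(policy):
    """Split a policy into (action, identity, ruletype, name, types) rules."""
    rules = []
    for stmt in policy.split(";"):
        fields = stmt.split()
        if not fields:
            continue  # empty piece after the final ';'
        if len(fields) < 4 or fields[0] not in ("grant", "deny"):
            raise ValueError(f"malformed rule: {stmt.strip()!r}")
        action, identity, ruletype, name, *types = fields
        rules.append((action, identity, ruletype, name,
                      tuple(t.upper() for t in types)))
    return rules

def audit_update_policy(policy, realm):
    """Return findings for grant rules broader than the default policy."""
    findings = []
    for action, identity, ruletype, name, types in parse_update_policy(policy):
        if action != "grant":
            continue  # deny rules only narrow what may be updated
        rule = " ".join((action, identity, ruletype, name) + types)
        if ruletype != "krb5-self":
            findings.append(f"{rule}: rule type is not krb5-self")
        if identity != realm:
            findings.append(f"{rule}: identity is not realm {realm}")
        # No type list, or any type outside A/AAAA, is wider than the default.
        if not types or set(types) - set(DEFAULT_TYPES):
            findings.append(f"{rule}: allows record types beyond A/AAAA")
    return findings

# Constructed sample: one default rule plus one deliberately broad rule.
BROAD_SAMPLE = ("grant EXAMPLE.COM krb5-self * A; "
                "grant EXAMPLE.COM subdomain example.com. ANY;")

if __name__ == "__main__":
    print(default_update_policy("EXAMPLE.COM"))
    for finding in audit_update_policy(BROAD_SAMPLE, "EXAMPLE.COM"):
        print("WARN", finding)
```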