[Freeipa-devel] discussion needed: Support for IPv6 elements in idnsForwarders attribute
Adam Tkac
atkac at redhat.com
Mon Mar 5 13:03:53 UTC 2012
On Mon, Mar 05, 2012 at 01:56:14PM +0100, Petr Spacek wrote:
> Hello,
>
> we are back with another proposal from Adam. See last lines.
Hello,
reply is below...
>
> On 03/05/2012 12:32 PM, Adam Tkac wrote:
> >On Thu, Mar 01, 2012 at 07:55:33PM +0100, Petr Spacek wrote:
> >>> Hello,
> >>>
> >>> here is (again) reworked patch for
> >>> https://fedorahosted.org/bind-dyndb-ldap/ticket/49 .
> >>>
> >>> Adam pointed me to existing BIND parser, which I missed. Now is all
> >>> parsing& socket magic done inside BIND libraries. Our code is a bit
> >>> shorter and syntax is 100% BIND-compatible. (But it means same as
> >>> discussed yesterday:-)
> >>>
> >>> Adam, please review it.
> >Thanks for the patch Petr, see my comments below.
> >
> >>> Petr^2 Spacek
> >>>
> >>> On 03/01/2012 03:22 PM, Petr Spacek wrote:
> >>>> >Hello,
> >>>> >
> >>>> >here is reworked patch for
> >>>> >https://fedorahosted.org/bind-dyndb-ldap/ticket/49 .
> >>>> >
> >>>> >Changes after yesterday's discussion on IRC with Simo and Mkosek:
> >>>> >It follows BIND9 syntax for optional specification of port& adds
> >>>> >documentation for this new syntax.
> >>>> >
> >>>> >Petr^2 Spacek
> >>>> >
> >>>> >On 02/29/2012 05:33 PM, Martin Kosek wrote:
> >>>>> >>I agree that we should keep the BIND syntax and separate port and IP
> >>>>> >>address with a space. We will at least avoid possible issues with IP
> >>>>> >>address decoding in the future.
> >>>>> >>
> >>>>> >>Since this is a new attribute we have a good chance to do changes now so
> >>>>> >>that it is used correctly. I created an upstream ticket to change the
> >>>>> >>behavior and validators in FreeIPA:
> >>>>> >>
> >>>>> >>https://fedorahosted.org/freeipa/ticket/2462
> >>>>> >>
> >>>>> >>Martin
> >>>>> >>
> >>>>> >>On Wed, 2012-02-29 at 16:44 +0100, Petr Spacek wrote:
> >>>>>> >>>On 02/29/2012 04:30 PM, Simo Sorce wrote:
> >>>>>>> >>>>Either way looks ok to me.
> >>>>>>> >>>>I agree that using a space may be less confusing if this syntax never
> >>>>>>> >>>>allows to specify multiple addresses.
> >>>>>>> >>>>If multiple address can be specified than it may be less ideal to use
> >>>>>>> >>>>spaces.
> >>>>>>> >>>>
> >>>>>>> >>>>Simo.
> >>>>>> >>>
> >>>>>> >>>idnsForwarders is multi-value attribute, so each value contain single
> >>>>>> >>>forwarder address.
> >>>>>> >>>
> >>>>>> >>>Petr^2 Spacek
> >>>>>> >>>
> >>>>>>> >>>>On Wed, 2012-02-29 at 15:14 +0100, Petr Spacek wrote:
> >>>>>>>> >>>>>And there is the patch, sorry.
> >>>>>>>> >>>>>
> >>>>>>>> >>>>>Petr^2
> >>>>>>>> >>>>>
> >>>>>>>> >>>>>On 02/29/2012 03:10 PM, Petr Spacek wrote:
> >>>>>>>>> >>>>>>Hello,
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>this patch fixeshttps://fedorahosted.org/bind-dyndb-ldap/ticket/49 ,
> >>>>>>>>> >>>>>>but I want to discuss one (unimplemented) change:
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>I propose a change in (currently very strange) forwarders syntax.
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>Current syntax:
> >>>>>>>>> >>>>>><IP>[.port]
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>examples:
> >>>>>>>>> >>>>>>1.2.3.4 (without optional port)
> >>>>>>>>> >>>>>>1.2.3.4.5553 (optional port 5553)
> >>>>>>>>> >>>>>>A::B (IPv6, without optional port)
> >>>>>>>>> >>>>>>A::B.5553
> >>>>>>>>> >>>>>>::FFFF:1.2.3.4 (6to4, without optional port)
> >>>>>>>>> >>>>>>::FFFF:1.2.3.4.5553 (6to4, with optional port 5553)
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>I find this syntax confusing, non-standard and not-typo-proof.
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>IMHO better choice is to follow BIND forwarders syntax:
> >>>>>>>>> >>>>>><IP> [port ip_port] (port is string delimited with spaces)
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>(From:http://www.zytrax.com/books/dns/ch7/queries.html#forwarders)
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>*Current syntax is not documented*, so probably is not used anywhere.
> >>>>>>>>> >>>>>>(And DNS server on non-standard port is probably useful only for
> >>>>>>>>> >>>>>>testing
> >>>>>>>>> >>>>>>purposes, but it's another story.)
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>
> >>>>>>>>> >>>>>>What is you opinion?
> >>> From 14056200915a90c2a957e8a2219819bd3b7f9365 Mon Sep 17 00:00:00 2001
> >>> From: Petr Spacek<pspacek at redhat.com>
> >>> Date: Thu, 1 Mar 2012 15:08:10 +0100
> >>> Subject: [PATCH] Add support for IPv6 elements in idnsForwarders attribute
> >>> and make syntax compatible with BIND9 forwarders.
> >>> Signed-off-by: Petr Spacek<pspacek at redhat.com>
> >>>
> >>> ---
> >>> NEWS | 3 +
> >>> README | 8 ++-
> >>> src/acl.c | 89 ++++++++++++++++++++++++++++++++++
> >>> src/acl.h | 3 +
> >>> src/ldap_helper.c | 136 ++++++-----------------------------------------------
> >>> 5 files changed, 116 insertions(+), 123 deletions(-)
> >>>
> >>> diff --git a/NEWS b/NEWS
> >>> index ced6250..a97a5f3 100644
> >>> --- a/NEWS
> >>> +++ b/NEWS
> >>> @@ -1,3 +1,6 @@
> >>> +[1] Add support for IPv6 elements in idnsForwarders attribute
> >>> + and make syntax compatible with BIND9 forwarders.
> >>> +
> >>> 1.1.0a2
> >>> ======
> >>>
> >>> diff --git a/README b/README
> >>> index 914abdc..aedb88c 100644
> >>> --- a/README
> >>> +++ b/README
> >>> @@ -89,8 +89,12 @@ example zone ldif is available in the doc directory.
> >>> with a valid idnsForwarders attribute.
> >>>
> >>> * idnsForwarders
> >>> - Defines multiple IP addresses (TODO: optional port numbers) to which
> >>> - queries will be forwarded.
> >>> + Defines multiple IP addresses to which queries will be forwarded.
> >>> + It is multi-value attribute: Each IP address (and optional port) has to
> >>> + be in own value. BIND9 syntax for "forwarders" is required.
> >>> + Optional port can be specified by adding " port<number>" after IP
> >>> + address. IPv4 and IPv6 addresses are supported.
> >>> + Examples: "1.2.3.4" or "1.2.3.4 port 553" or "A::B" or "A::B port 553"
>
> On 03/05/2012 12:32 PM, Adam Tkac wrote:
> >In my opinion we should mark the idnsForwarders attribute single-value and deal
> >with them as with idnsAllow{Query,Transfer} (i.e. specify forwarders splitted by
> >semi-colon). It will be more consistent with idnsAllow{Query,Transfer}. What do
> >you think about this?
>
> It sounds good to me. It's more consistent with real BIND
> configuration and other parts of plugin.
>
> What about upgrade process? It is necessary to change schema and
> convert existing entries to new format.
If idnsForward is already in use, I'm ok with multival attribute because
ordering is not an issue here.
Please incorporate changes which I suggested (if you don't dissagree, of course)
and then push the patch. Thank you in advance!
Regards, Adam
--
Adam Tkac, Red Hat, Inc.
More information about the Freeipa-devel
mailing list