[Freeipa-devel] [PATCH] 195-199 New DNS features

Rob Crittenden rcritten at redhat.com
Wed Jan 25 21:45:56 UTC 2012


Martin Kosek wrote:
> This set of patches implements support and API for features introduced
> in a new bind-dyndb-ldap (bind-dyndb-ldap-1.1.0-0.6.a1):
>    - global bind-dyndb-ldap settings in LDAP (cn=dns,$SUFFIX)
>    - conditional per-zone forwarding
>    - per-zone configuration of automatic PTR updates
>    - zone transfer
>    - AllowQuery and AllowTransfer ACIs
>    - new bind-dyndb-ldap now also skips invalid records in a zone instead
> of refusing to load an entire zone
>
> More detailed description and examples are in these separate patches. In
> order to test it, a new bind-dyndb-ldap version is needed. It is not in
> updates-testing repo yet as it waits for a new release of bind which
> should occur in few next days. But it can be downloaded from koji:
>
> F15: http://koji.fedoraproject.org/koji/buildinfo?buildID=294138
> F16: http://koji.fedoraproject.org/koji/buildinfo?buildID=294137
>
> Have fun!
> Martin


In patch 195 there is a white-space fix to the idnsRecord. Was this 
intentional? Also a typo in the commit message, AllowTransger.

In patch 197 there is this suspicious code in _normalize_ipnetmask

+        ipnetmask = ipnetmask
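Review bot: `ipnetmask = ipnetmask` is a self-assignment and has no effect, so either the intended normalization step (for example storing a canonical string form of the parsed value back into `ipnetmask`) was left out, or the line should be removed.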

The comment and copyright date in dns.py::update_dnszone_acls() needs to 
be updated

Patch 98, I think you want to drop the word "with" in this?

+ Forward all request for sub-zone of example.com to another nameserver with
+ using a "first" policy (it will send the queries to the selected forwarder
yes,

And now for some things I saw when testing.

I upgraded an existing instance installed with DNS.

ipa dnsconfig-show returned nothing. I disabled persistent search then 
set it to '' and now I always see

Zone refresh interval: 0

Not sure if I should have seen that initially or not.

I tried testing the query policy but was unable to get it working:

# ipa dnszone-mod example.com --allow-query="\!10.0.0.1,any"
# service named restart

'dig -t soa example.com' always worked.

My test hosts are behind a NAT but I tried both the real and the NAT IP 
address and in both cases it worked.

So I set up transfer rules instead and this time was very picky about 
what IP address to accept and used on the NAT address. Using that it 
worked as expected.

So I went back and worked on query again. It seems like the ! addresses 
aren't working as expected, that or it is an ordering problem perhaps 
(e.g. I wonder if I'm seeing the problem in your comment #16 in ticket 
1211).

I wonder if the summary should reflect that named needs to be restarted.

rob
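To make the allow-query behaviour and the ordering question above concrete, here is an added example (not FreeIPA or bind-dyndb-ldap code) that evaluates a comma-separated ACL string like the one used with --allow-query under first-match-wins semantics, which is how BIND address match lists are evaluated; the assumption is that the FreeIPA value maps onto such a list. It also shows why a client behind NAT is never hit by a "!" entry naming its pre-NAT address.

```python
import ipaddress

# Keywords that BIND accepts in an address match list besides addresses
# and networks; "localnets" is left out here to keep the example exact.
_KEYWORDS = ("any", "none", "localhost")


def parse_acl(spec):
    """Parse "!10.0.0.1,any" into [(negated, matcher), ...] in list order."""
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in _KEYWORDS:
            entries.append((negated, item))
        else:
            # Plain addresses and CIDR networks; strict=False tolerates
            # host bits set in the network part (e.g. "10.0.0.1/8").
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def _matches(matcher, addr):
    if matcher == "any":
        return True
    if matcher == "none":
        return False
    if matcher == "localhost":
        return addr.is_loopback
    return addr in matcher


def acl_allows(spec, client_ip):
    """First match wins: the first entry matching the client decides.
    A negated entry that matches denies; no matching entry at all denies."""
    addr = ipaddress.ip_address(client_ip)
    for negated, matcher in parse_acl(spec):
        if _matches(matcher, addr):
            return not negated
    return False


if __name__ == "__main__":
    # Constructed sample: the ACL from the test above, and the same list
    # with the order swapped, where "any" matches first and "!" never fires.
    for spec in ("!10.0.0.1,any", "any,!10.0.0.1"):
        for client in ("10.0.0.1", "10.0.0.2", "192.0.2.77"):
            print(spec, client, "allow" if acl_allows(spec, client) else "deny")
```

A NAT'd test host reaches the server with the NAT gateway's address, so unless that address is the one listed after "!", the first matching entry is "any" and the query is answered.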

