[Freeipa-devel] [PATCH] 195-199 New DNS features
Rob Crittenden
rcritten at redhat.com
Wed Jan 25 21:45:56 UTC 2012
Martin Kosek wrote:
> This set of patches implements support and API for features introduced
> in a new bind-dyndb-ldap (bind-dyndb-ldap-1.1.0-0.6.a1):
> - global bind-dyndb-ldap settings in LDAP (cn=dns,$SUFFIX)
> - conditional per-zone forwarding
> - per-zone configuration of automatic PTR updates
> - zone transfer
> - AllowQuery and AllowTransfer ACIs
> - new bind-dyndb-ldap now also skips invalid records in a zone instead
> of refusing to load an entire zone
>
> More detailed description and examples are in these separate patches. In
> order to test it, a new bind-dyndb-ldap version is needed. It is not in
> updates-testing repo yet as it waits for a new release of bind which
> should occur in few next days. But it can be downloaded from koji:
>
> F15: http://koji.fedoraproject.org/koji/buildinfo?buildID=294138
> F16: http://koji.fedoraproject.org/koji/buildinfo?buildID=294137
>
> Have fun!
> Martin
In patch 195 there is a white-space fix to the idnsRecord. Was this
intentional? Also a typo in the commit message, AllowTransger.
In patch 197 there is this suspicious code in _normalize_ipnetmask
+ ipnetmask = ipnetmask
The comment and copyright date in dns.py::update_dnszone_acls() needs to
be updated
Patch 98 I think you want to drop the word "with" in this?
+ Forward all request for sub-zone of example.com to another nameserver with
+ using a "first" policy (it will send the queries to the selected forwarder
yes,
And now for some things I saw when testing.
I upgraded an existing instance installed with DNS.
ipa dnsconfig-show returned nothing. I disabled persistent search then
set it to '' and now I always see
Zone refresh interval: 0
Not sure if I should have seen that initially or not.
I tried testing the query policy but was unable to get it working:
# ipa dnszone-mod example.com --allow-query="\!10.0.0.1,any"
# service named restart
'dig -t soa example.com' always worked.
My test hosts are behind a NAT but I tried both the real and the NAT IP
address and in both cases it worked.
So I set up transfer rules instead and this time was very picky about
what IP address to accept and used on the NAT address. Using that it
worked as expected.
So I went back and worked on query again. It seems like the ! addresses
aren't working as expected, that or it is an ordering problem perhaps
(e.g. I wonder if I'm seeing the problem in your comment #16 in ticket
1211).
I wonder if the summary should reflect that named needs to be restarted.
rob
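To make the ordering question above concrete, here is an added example (not code from the patch set or from FreeIPA) that parses an allow-query list in the comma-separated, "!"-negated form shown in the `ipa dnszone-mod --allow-query` command and evaluates it the way BIND evaluates an address_match_list: elements are tried in order, the first element that matches decides, a negated match denies, and an address that matches nothing is denied. The ACL strings and client addresses below are constructed test values; the `parse_acl` and `is_allowed` names are this example's own.

```python
import ipaddress

# Constructed example of an allow-query list in the form the ipa command
# accepts: a leading "!" negates an element and "any" matches every address.
EXAMPLE_ACL = "!10.0.0.1,any"


def parse_acl(acl):
    """Split an IPA-style ACL string into ordered (negated, element) pairs.

    An element is either the keyword "any"/"none" or an ip_network object;
    a bare host address becomes a /32 (or /128) network.
    """
    elements = []
    for raw in acl.split(","):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in ("any", "none"):
            elements.append((negated, item))
        else:
            # strict=False so "10.0.0.1" or "10.1.2.3/8" are accepted as written
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def is_allowed(acl, client_ip):
    """Evaluate like a BIND address_match_list: first match wins.

    A matching negated element denies, a matching plain element allows,
    and a client that matches no element at all is denied.
    """
    addr = ipaddress.ip_address(client_ip)
    for negated, element in parse_acl(acl):
        if element == "any":
            matched = True
        elif element == "none":
            matched = False
        else:
            matched = addr.version == element.version and addr in element
        if matched:
            return not negated
    return False


def ordering_matters():
    """Show why element order changes the result for the same client.

    "!10.0.0.1,any" denies 10.0.0.1 (the negated entry is reached first),
    while "any,!10.0.0.1" allows it ("any" matches before the denial is seen).
    """
    return (
        is_allowed("!10.0.0.1,any", "10.0.0.1"),
        is_allowed("any,!10.0.0.1", "10.0.0.1"),
    )


if __name__ == "__main__":
    for client in ("10.0.0.1", "192.168.1.5"):
        print(EXAMPLE_ACL, client, "->", "allowed" if is_allowed(EXAMPLE_ACL, client) else "denied")
    print("ordering_matters:", ordering_matters())
```

When checking a list like this against a real named, the address that is matched is the source address named actually sees on the socket; for a client behind NAT that is the translated address, which is why the transfer test in the message above only behaved once the NAT address was used.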