[Freeipa-devel] [PATCH] 195-199 New DNS features
Martin Kosek
mkosek at redhat.com
Thu Jan 26 15:58:19 UTC 2012
On Wed, 2012-01-25 at 16:45 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This set of patches implements support and API for features introduced
> > in a new bind-dyndb-ldap (bind-dyndb-ldap-1.1.0-0.6.a1):
> > - global bind-dyndb-ldap settings in LDAP (cn=dns,$SUFFIX)
> > - conditional per-zone forwarding
> > - per-zone configuration of automatic PTR updates
> > - zone transfer
> > - AllowQuery and AllowTransfer ACIs
> > - new bind-dyndb-ldap now also skips invalid records in a zone instead
> > of refusing to load an entire zone
> >
> > More detailed description and examples are in these separate patches. In
> > order to test it, a new bind-dyndb-ldap version is needed. It is not in
> > updates-testing repo yet as it waits for a new release of bind which
> > should occur in few next days. But it can be downloaded from koji:
> >
> > F15: http://koji.fedoraproject.org/koji/buildinfo?buildID=294138
> > F16: http://koji.fedoraproject.org/koji/buildinfo?buildID=294137
> >
> > Have fun!
> > Martin
>
>
Rob, thanks for review, I know that all this may really time-consuming.
I updated all tickets where the testing may be tricky and provided a
howto for testing.
I also did some more tests of bind-dyndb-ldap and found few bugs:
Dynamic update for zone without idnsAllowSyncPTR does not work:
https://bugzilla.redhat.com/show_bug.cgi?id=784815
Conditional forwarding does not work for sub-zones:
https://bugzilla.redhat.com/show_bug.cgi?id=784820
> In patch 195 there is a white-space fix to the idnsRecord. Was this
> intentional?
Yes.
> Also a typo in the commit message, AllowTransger.
Fixed. You have very keen eyes :-)
>
> In patch 197 there is this suspicious code in _normalize_ipnetmask
>
> + ipnetmask = ipnetmask
Fixed.
>
> The comment and copyright date in dns.py::update_dnszone_acls() needs to
> be updated
Fixed. I explained why we need to set idnsAllowTransfer in all
configured zones in the fixed comment.
>
> Patch 98 I think you want to drop the worth "with" in this?
>
> + Forward all request for sub-zone of example.com to another nameserver with
> + using a "first" policy (it will send the queries to the selected forwarder
> yes,
>
Yup. Fixed.
> And now for some things I saw when testing.
>
> I upgraded an existing instance installed with DNS.
>
> ipa dnsconfig-show returned nothing. I disabled persistent search then
> set it to '' and now I always see
>
> Zone refresh interval: 0
>
> Not sure if I should have seen that initially or not.
I used to automatically disable zone refresh when persistent search was
enabled, but I see it may confuse users. I fixed this part to rather
check the current configuration in LDAP, compare it to passed values and
raise ValidationError only when an invalid combination could happen.
>
> I tried testing the query policy but was unable to get it working:
>
> # ipa dnszone-mod example.com --allow-query="\!10.0.0.1,any"
> # service named restart
>
> 'dig -t soa example.com' always worked.
>
> My test hosts are behind a NAT but I tried both the real and the NAT IP
> address and in both cases it worked.
>
> So I set up transfer rules instead and this time was very picky about
> what IP address to accept and used on the NAT address. Using that it
> worked as expected.
>
> So I went back and worked on query again. It seems like the ! addresses
> aren't working as expected, that or it is an ordering problem perhaps
> (e.g. I wonder if I'm seeing the problem in your comment #16 in ticket
> 1211).
I see you hit the same error as I hit yesterday. The main problem here
is that idnsAllowQuery and idnsAllowTransfer attribute holding the query
and transfer ACLs are multi-valued attributes. However, the evaluation
is very order-sensitive which does not play well with LDAP nature.
I discussed this with Adam Tkac and the plan is to change these ACL
attributes to single-valued and divide the ACLs with semicolon (the same
approach is already used for idnsupdatepolicy) to ensure the order.
This is a relevant upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/50
>
> I wonder if the summary should reflect that named needs to be restarted.
>
> rob
Hmm, interesting idea. I will have to discuss the situations and changes
of configuration in LDAP when named needs to be reloaded/restarted. A
notice in the Summary may help prevent confusion.
I will keep fixed patches in my local tree until the bind-dyndb-ldap
with fixed ACLs is released as it will require some more changes in this
patch set.
Martin
More information about the Freeipa-devel
mailing list