[Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default
Martin Kosek
mkosek at redhat.com
Tue Jun 5 06:42:42 UTC 2012
On Mon, 2012-06-04 at 22:39 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > For security reasons, dynamic updates are not enabled for new DNS
> > zones. In order to enable the dynamic zone securely, the user needs to
> > allow dynamic updates and create a zone update policy.
> >
> > The policy is not easy to construct for regular users; we should
> > rather fill it by default and let users just switch the policy
> > on or off.
> >
> > https://fedorahosted.org/freeipa/ticket/2441
>
> I think the example should be something like:
>
> Modify the zone to allow dynamic updates for hosts own records in
> realm EXAMPLE.COM:
> ipa dnszone-mod example.com --dynamic-update=TRUE
>
> This is the equivalent of:
> ipa dnszone-mod example.com --dynamic-update=TRUE \\
> --update-policy="grant EXAMPLE.COM krb5-self * A; grant
> EXAMPLE.COM krb5-self * AAAA;"
Right, I did that change.
>
> Otherwise ACK.
>
> rob
Thanks. I also found out that I forgot to update DNS unit tests, so I
fixed that as well before pushing.
Pushed to master.
Martin
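
Added example, not part of the original message and not FreeIPA's code: a small Python check that builds the default policy string quoted in this thread for a realm and reports any grant in a zone's update policy that is wider than that default. The helper names and the `host-key` sample rule are assumptions made for illustration, and the parser assumes the `grant|deny identity ruletype name [types...];` rule form.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "action identity ruletype name types")

def default_update_policy(realm, types=("A", "AAAA")):
    """Build the policy in the form quoted in the thread for one realm."""
    return " ".join(f"grant {realm} krb5-self * {t};" for t in types)

def parse_policy(policy):
    """Split 'grant|deny identity ruletype name [types...];' statements."""
    rules = []
    for stmt in policy.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if len(tokens) < 4 or tokens[0] not in ("grant", "deny"):
            raise ValueError(f"malformed rule: {stmt.strip()!r}")
        action, identity, ruletype, name, *types = tokens
        rules.append(Rule(action, identity, ruletype, name,
                          tuple(t.upper() for t in types)))
    return rules

def audit_policy(policy, realm, allowed=("A", "AAAA")):
    """Return (rule, reason) pairs for grants wider than the default."""
    findings = []
    for rule in parse_policy(policy):
        if rule.action != "grant":
            continue
        if rule.ruletype != "krb5-self":
            findings.append((rule, f"rule type {rule.ruletype} is not krb5-self"))
        if rule.identity != realm:
            findings.append((rule, f"identity {rule.identity} is not realm {realm}"))
        extra = sorted(set(rule.types) - set(allowed))
        if not rule.types:
            findings.append((rule, "no record types listed"))
        elif extra:
            findings.append((rule, "extra record types: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    # Constructed sample: the second rule is deliberately wider than the default.
    sample = ("grant EXAMPLE.COM krb5-self * A; "
              "grant host-key subdomain example.com. ANY;")
    for rule, reason in audit_policy(sample, "EXAMPLE.COM"):
        print(" ".join(rule[:4]), "->", reason)
```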