[Freeipa-devel] [PATCH 0089] Add help about forward zones

Petr Spacek pspacek at redhat.com
Wed Jul 2 13:46:28 UTC 2014


I have only a few nitpicks I didn't notice in the first round:

The original proposal also contained this header:
SUPPORTED ZONE TYPES
  * Master zone (dnszone-*) contains authoritative data.
  * Forward zone (dnsforwardzone-*) forwards queries to configured forwarders 
(a set of DNS servers).

I can't see it in the patch.

The rest of the nitpicks are in-line:

On 2.7.2014 15:17, Martin Basti wrote:
> - If global forwarder is configured, all requests to sub.example.com will be
> - routed through the global forwarder. To change the behavior for example.com
> - zone only and forward the request directly to ns.sub.example.com., global
> - forwarding may be disabled per-zone:
> + If a global forwarder is configured, all queries for which this server is not
> + authoritative (e.g. sub.example.com) will be routed to the global forwarder.
> + Global forwarding configuration can be overriden per-zone. To change behavior
> + for a particular zone you can specify forwarders and forward-policy per zone.

overriden => overridden (according to my spell checker :-)

The sentence "To change behavior for a particular zone you can specify forwarders
and forward-policy per zone." seems redundant to me.

> + Semantics of forwarding in IPA matches BIND sematics and depends on type
> + of the zone:
> +   * Master zone: local BIND replies authoritatively to queries for data in
> +   the given zone (including authoritative NXDOMAIN answers) and forwarding
> +   affects only queries for names bellow zone cuts (NS records) of locally
> +   served zones.
> +
> +   * Forward zone: forward zone contains no authoritative data. BIND forwards
> +   queries, which cannot be answered from its local cache, to configured
> +   forwarders.
> +
> + Semantics of the --forwarder-policy option:
> +   * none - disable forwarding for the given zone.
> +   * first - forward all queries to configured forwarders. If they  fail,
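
Review bot: The added heading "Semantics of the --forwarder-policy option:" names an option that does not match the commands quoted in this mail, which all spell it --forward-policy (for instance the unchanged line "ipa dnszone-mod example.com --forward-policy=none"), so the heading should use the same spelling. Two typos in the same added block are also worth fixing in the respin: "sematics" in "matches BIND sematics" should be "semantics", and "bellow zone cuts" in the Master zone item should be "below zone cuts".
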
"  " should be replaced by " "

> +   do resolution using DNS root servers.
> +   * only - forward all queries to configured forwarders and if they fail,
> +   return failure.
> +
> + Disable global forwarding for given sub-tree:
>      ipa dnszone-mod example.com --forward-policy=none
>
> - Forward all requests for the zone external.com to another nameserver using
> - a "first" policy (it will send the queries to the selected forwarder and if
> - not answered it will use global resolvers):
> -   ipa dnszone-add external.com
> -   ipa dnszone-mod external.com --forwarder=203.0.113.1 \\
> -                                --forward-policy=first
> + This configuration forwards all queries for names outside the example.com
> + sub-tree to global forwarders. Normal recursive resolution process is used
> + for names inside the example.com sub-tree (i.e. NS records are followed etc.).
> +
> + Forward all requests for the zone external.example.com to another nameserver
nameserver => forwarder (to keep terminology consistent)

> + using a "first" policy (it will send the queries to the selected forwarder
> + and if not answered it will use global resolvers):
resolvers => root servers

> +   ipa dnsforwardzone-add external.example.com --forward-policy=first \\
> +                               --forwarder=203.0.113.1
> +
> + Change forward-policy for external.example.com:
> +   ipa dnsforwardzone-mod external.example.com --forward-policy=only
> +
> + Show forward zone external.example.com:
> +   ipa dnsforwardzone-show external.example.com
> +
> + List all forward zones:
> +   ipa dnsforwardzone-find
> +
> + Delelete forward zone external.example.com:
Delelete => Delete (nice typo! :-))

> +   ipa dnsforwardzone-del external.example.com
>
>    Delete zone example.com with all resource records:
>      ipa dnszone-del example.com
Is there a section with examples for master zones? Please move it there if the
answer is yes, otherwise it can stay here.

-- 
Petr^2 Spacek



