[Freeipa-devel] [PATCH] 195-199 New DNS features

Martin Kosek mkosek at redhat.com
Tue Feb 14 11:09:48 UTC 2012 

On Thu, 2012-01-26 at 16:58 +0100, Martin Kosek wrote:
> On Wed, 2012-01-25 at 16:45 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > This set of patches implements support and API for features introduced
> > > in a new bind-dyndb-ldap (bind-dyndb-ldap-1.1.0-0.6.a1):
> > >    - global bind-dyndb-ldap settings in LDAP (cn=dns,$SUFFIX)
> > >    - conditional per-zone forwarding
> > >    - per-zone configuration of automatic PTR updates
> > >    - zone transfer
> > >    - AllowQuery and AllowTransfer ACIs
> > >    - new bind-dyndb-ldap now also skips invalid records in a zone instead
> > > of refusing to load an entire zone
> > >
> > > More detailed description and examples are in these separate patches. In
> > > order to test it, a new bind-dyndb-ldap version is needed. It is not in
> > > updates-testing repo yet as it waits for a new release of bind which
> > > should occur in few next days. But it can be downloaded from koji:
> > >
> > > F15: http://koji.fedoraproject.org/koji/buildinfo?buildID=294138
> > > F16: http://koji.fedoraproject.org/koji/buildinfo?buildID=294137
> > >
> > > Have fun!
> > > Martin
> > 
> > 
> 
> Rob, thanks for review, I know that all this may really time-consuming.
> I updated all tickets where the testing may be tricky and provided a
> howto for testing.
> 
> I also did some more tests of bind-dyndb-ldap and found few bugs:
> 
> Dynamic update for zone without idnsAllowSyncPTR does not work:
> https://bugzilla.redhat.com/show_bug.cgi?id=784815
> 
> Conditional forwarding does not work for sub-zones:
> https://bugzilla.redhat.com/show_bug.cgi?id=784820
> 
> > In patch 195 there is a white-space fix to the idnsRecord. Was this 
> > intentional? 
> 
> Yes.
> 
> > Also a typo in the commit message, AllowTransger.
> 
> Fixed. You have very keen eyes :-)
> 
> > 
> > In patch 197 there is this suspicious code in _normalize_ipnetmask
> > 
> > +        ipnetmask = ipnetmask
> 
> Fixed.
> 
> > 
> > The comment and copyright date in dns.py::update_dnszone_acls() needs to 
> > be updated
> 
> Fixed. I explained why we need to set idnsAllowTransfer in all
> configured zones in the fixed comment.
> 
> > 
> > Patch 98 I think you want to drop the worth "with" in this?
> > 
> > + Forward all request for sub-zone of example.com to another nameserver with
> > + using a "first" policy (it will send the queries to the selected forwarder
> > yes,
> > 
> 
> Yup. Fixed.
> 
> > And now for some things I saw when testing.
> > 
> > I upgraded an existing instance installed with DNS.
> > 
> > ipa dnsconfig-show returned nothing. I disabled persistent search then 
> > set it to '' and now I always see
> > 
> > Zone refresh interval: 0
> > 
> > Not sure if I should have seen that initially or not.
> 
> I used to automatically disable zone refresh when persistent search was
> enabled, but I see it may confuse users. I fixed this part to rather
> check the current configuration in LDAP, compare it to passed values and
> raise ValidationError only when an invalid combination could happen.
> 
> > 
> > I tried testing the query policy but was unable to get it working:
> > 
> > # ipa dnszone-mod example.com --allow-query="\!10.0.0.1,any"
> > # service named restart
> > 
> > 'dig -t soa example.com' always worked.
> > 
> > My test hosts are behind a NAT but I tried both the real and the NAT IP 
> > address and in both cases it worked.
> > 
> > So I set up transfer rules instead and this time was very picky about 
> > what IP address to accept and used on the NAT address. Using that it 
> > worked as expected.
> > 
> > So I went back and worked on query again. It seems like the ! addresses 
> > aren't working as expected, that or it is an ordering problem perhaps 
> > (e.g. I wonder if I'm seeing the problem in your comment #16 in ticket 
> > 1211).
> 
> I see you hit the same error as I hit yesterday. The main problem here
> is that idnsAllowQuery and idnsAllowTransfer attribute holding the query
> and transfer ACLs are multi-valued attributes. However, the evaluation
> is very order-sensitive which does not play well with LDAP nature.
> 
> I discussed this with Adam Tkac and the plan is to change these ACL
> attributes to single-valued and divide the ACLs with semicolon (the same
> approach is already used for idnsupdatepolicy) to ensure the order.
> 
> This is a relevant upstream ticket:
> https://fedorahosted.org/bind-dyndb-ldap/ticket/50
> 
> > 
> > I wonder if the summary should reflect that named needs to be restarted.
> > 
> > rob
> 
> Hmm, interesting idea. I will have to discuss the situations and changes
> of configuration in LDAP when named needs to be reloaded/restarted. A
> notice in the Summary may help prevent confusion.
> 
> I will keep fixed patches in my local tree until the bind-dyndb-ldap
> with fixed ACLs is released as it will require some more changes in this
> patch set.
> 
> Martin
> 

A new version of bind-dyndb-ldap has been released, sending fixed
patches with the following major changes:
- Since bind-dyndb-ldap supports only idnsForwarders global option at
this time, all other global options were removed from the API. They were
left in the schema though so that the schema is consistent with
bind-dyndb-ldap supported schema and the support of these options in the
future can be added more seamlessly
- idnsAllowQuery and idnsAllowTransfer format has changed to follow BIND
format (ACI elements separated with semicolon). An example of such
element:

ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"

This ACI would forbid machine from any IP from 10.0.0.0/8 network
besides 10.0.0.1 to query the name server. All other machines are
allowed to issue queries.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-195-2-update-schema-for-bind-dyndb-ldap.patch
Type: text/x-patch
Size: 9675 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120214/5009e5e5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-196-2-global-dns-options.patch
Type: text/x-patch
Size: 7838 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120214/5009e5e5/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-197-2-query-and-transfer-acls.patch
Type: text/x-patch
Size: 25444 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120214/5009e5e5/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-198-2-add-dns-conditional-forwarding.patch
Type: text/x-patch
Size: 7422 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120214/5009e5e5/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-199-2-add-api-for-ptr-sync-control.patch
Type: text/x-patch
Size: 5988 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120214/5009e5e5/attachment-0004.bin>

More information about the Freeipa-devel mailing list