[Freeipa-devel] [PATCH] 195-199 New DNS features

Rob Crittenden rcritten at redhat.com
Thu Feb 23 19:32:23 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-02-20 at 12:46 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
>>>>>> A new version of bind-dyndb-ldap has been released, sending fixed
>>>>>> patches with the following major changes:
>>>>>> - Since bind-dyndb-ldap supports only idnsForwarders global option at
>>>>>> this time, all other global options were removed from the API. They were
>>>>>> left in the schema though so that the schema is consistent with
>>>>>> bind-dyndb-ldap supported schema and the support of these options in the
>>>>>> future can be added more seamlessly
>>>>>> - idnsAllowQuery and idnsAllowTransfer format has changed to follow BIND
>>>>>> format (ACI elements separated with semicolon). An example of such
>>>>>> element:
>>>>>>
>>>>>> ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"
>>>>>>
>>>>>> This ACI would forbid machine from any IP from 10.0.0.0/8 network
>>>>>> besides 10.0.0.1 to query the name server. All other machines are
>>>>>> allowed to issue queries.
>>>>>
>>>>> Any good reason why this is not a multi-value attribute ?
>>>>> Do these ACIs need to be ordered ? (that would be probably a good
>>>>> reason).
>>>>
>>>> That's exactly it!
>>>>
>>>> rob
>>>>
>>>
>>> Yup. Previous release of bind-dyndb-ldap followed the multi-valued LDAP
>>> attribute format, but we found out that we cannot do it this way as the
>>> ACI list needs to be ordered.
>>>
>>> When bind evaluates if it should allow/reject query/transfer request it
>>> simply traverses the ACI list, one by one, and accepts the result of the
>>> first match, i.e. the order is crucial there.
>>>
>>> Martin
>>>
>>
>> There is no help for dnsconfig.
>
> dnsconfig is defined in dns.py module and thus its help is defined in a
> scope of dns module:
>
> $ ipa help dns
> ...
>   Show global DNS configuration:
>     ipa dnsconfig-show
>
>   Modify global DNS configuration and set a list of global forwarders:
>     ipa dnsconfig-mod --forwarder=10.0.0.1
>
> Topic commands:
> ...
>
>>
>> If you set global forwarders then named will fail to restart if
>> forwarders are defined in named.conf. We should warn users when setting
>> this (and/or in the help).
>
> Yes, this is the problem that Petr Spacek mentioned. Adding him on the
> CC list. IIUC, he and Adam Tkac already have a patch that should fix
> this bug.
>
> There is not much we can do on IPA side in this case. named just must
> not crash when forwarders definitions (LDAP and named.conf) are both
> set.
>
>>
>> I can't get forwarded domains to work. I think I followed the test
>> instructions in the ticket but my bogus domain always resolves to the root.
>
> As investigated on the IRC, the problem was in too restrictive firewall
> on the side of the second DNS server.
>
> Martin
>

Things are working for me today, ACK x4.

rob
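The first-match evaluation Martin describes above, as an added Python example that is not FreeIPA or bind-dyndb-ldap code. It handles only the element kinds the thread shows (addresses, prefixes, `any`, `none`), and the function names are my own; running it shows that the same elements in a different order give a different answer for 10.0.0.1.

```python
"""Added example (not FreeIPA or bind-dyndb-ldap code): a first-match
evaluator for the BIND-style address match list that idnsAllowQuery and
idnsAllowTransfer now carry, to show why the element order matters."""
import ipaddress


def parse_acl(acl):
    """Parse "10.0.0.1;!10.0.0.0/8;any;" into an ordered list of
    (negated, matcher) pairs. Only the element kinds seen in the thread
    (single addresses, prefixes, 'any', 'none') are supported here."""
    entries = []
    for raw in acl.split(";"):
        elem = raw.strip()
        if not elem:
            continue  # the trailing ';' leaves an empty field behind
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem in ("any", "none"):
            entries.append((negated, elem))
        else:
            # strict=False also accepts a prefix with host bits set
            entries.append((negated, ipaddress.ip_network(elem, strict=False)))
    return entries


def _matches(matcher, addr):
    if matcher == "any":
        return True
    if matcher == "none":
        return False
    return addr in matcher  # False for an address of the other IP version


def acl_allows(acl, client_ip):
    """Walk the list in order and take the first element that matches the
    client address: a negated element denies, a plain one allows.
    A client that matches nothing is denied."""
    addr = ipaddress.ip_address(client_ip)
    for negated, matcher in parse_acl(acl):
        if _matches(matcher, addr):
            return not negated
    return False


if __name__ == "__main__":
    acl = "10.0.0.1;!10.0.0.0/8;any;"       # the ACL from the thread
    swapped = "!10.0.0.0/8;10.0.0.1;any;"   # same elements, different order
    for ip in ("10.0.0.1", "10.1.2.3", "192.168.1.9"):
        print(ip, acl_allows(acl, ip), acl_allows(swapped, ip))
```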
