[Freeipa-devel] [PATCH] 271 Fill new DNS zone update policy by default

Martin Kosek mkosek at redhat.com
Tue Jun 5 08:01:07 UTC 2012


On Tue, 2012-06-05 at 14:44 +0930, William Brown wrote:
> > I think the example should be something like:
> > 
> >   Modify the zone to allow dynamic updates for hosts' own records in
> > realm EXAMPLE.COM:
> >    ipa dnszone-mod example.com --dynamic-update=TRUE
> > 
> >   This is the equivalent of:
> >    ipa dnszone-mod example.com --dynamic-update=TRUE \\
> >         --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"
> > 
> 
> What about reverse zones?

With the patch I just pushed, the update policy for a reverse zone is
automatically generated as well:

# ipa dnszone-add 3.2.1.in-addr.arpa. --name-server=ns.example.com
Administrator e-mail address [hostmaster.3.2.1.in-addr.arpa.]: 
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 2012060501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod 3.2.1.in-addr.arpa. --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 2012060501
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

With the second change, dynamic updates for the reverse zone are enabled
without users having to be knowledgeable about BIND update policy
format.

Martin
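
The following is an added example, not part of the message above and not FreeIPA's own code: it rebuilds the two default policies quoted in this thread (forward and reverse zone) and reports any `grant` statement in a zone's policy that goes beyond that default. The function names are hypothetical, and treating `ip6.arpa.` as a reverse zone is an assumption; the thread only shows `in-addr.arpa.`.

```python
# Assumption: these suffixes identify reverse zones (only in-addr.arpa. is shown in the thread).
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.")


def normalize_zone(zone):
    """Lower-case the zone name and make it fully qualified."""
    zone = zone.lower()
    return zone if zone.endswith(".") else zone + "."


def default_update_policy(zone, realm):
    """Rebuild the default policy text quoted in the thread for this zone."""
    zone = normalize_zone(zone)
    if zone.endswith(REVERSE_SUFFIXES):
        # Reverse zone: realm principals may update PTR records under the zone.
        return f"grant {realm} krb5-subdomain {zone} PTR;"
    # Forward zone: each host may update only its own A and AAAA records.
    return f"grant {realm} krb5-self * A; grant {realm} krb5-self * AAAA;"


def parse_policy(policy):
    """Split a BIND update-policy string into one tuple of fields per statement."""
    rules = []
    for stmt in policy.split(";"):
        fields = tuple(stmt.split())
        if not fields:
            continue
        if len(fields) < 3:  # action, identity and rule type are the minimum
            raise ValueError(f"malformed statement: {stmt.strip()!r}")
        rules.append(fields)
    return rules


def audit_policy(policy, zone, realm):
    """Return the grant statements in `policy` that the default does not contain."""
    expected = set(parse_policy(default_update_policy(zone, realm)))
    return [" ".join(rule) + ";" for rule in parse_policy(policy)
            if rule[0] == "grant" and rule not in expected]


if __name__ == "__main__":
    # Constructed sample: the forward-zone default plus one wider grant.
    sample = ("grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; "
              "grant EXAMPLE.COM krb5-self * TXT;")
    print(audit_policy(sample, "example.com", "EXAMPLE.COM"))
```
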



