[Freeipa-devel] [PATCH] 227-228 Add last missing bits in new bind-dyndb-ldap

Martin Kosek mkosek at redhat.com
Mon Mar 19 15:59:32 UTC 2012


On Tue, 2012-03-13 at 10:54 +0100, Petr Spacek wrote:
> On 03/12/2012 07:10 PM, Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2012-03-01 at 13:19 +0100, Martin Kosek wrote:
> >>> These 2 patches change the DNS API to support the last missing bits in
> >>> new bind-dyndb-ldap:
> >>>
> >>> 1) Both global and per-zone forwarders now support a conditional custom
> >>> port (with format "IP_ADDRESS PORT")
> >>> 2) Missing global configuration options have been added:
> >>> * idnsforwardpolicy: Default policy for conditional forwarding
> >>> * idnsallowsyncptr: Allow globally PTR synchronization for dynamic
> >>> updates
> >>> * idnszonerefresh: Default interval between regular polls of the
> >>> name server for new DNS zones
> >>>
> >>> Before these patches are pushed, I will just have to update the minimal
> >>> bind-dyndb-ldap version (it has not been built yet) which has full
> >>> support for these.
> >>>
> >>> Martin
> >>
> >> New version of bind-dyndb-ldap has been released, attaching a rebased
> >> patch with fixed bind-dyndb-ldap version in spec file.
> >>
> >> I also fixed the forwarder format, it should be "$IP port $PORT", not
> >> "$IP $PORT" as it was in a previous version of the patch. I tested this
> >> new format with bind-dyndb-ldap it forwards the queries properly.
> >>
> >> Unfortunately, a fixed version of bind has not been released yet, i.e.
> >> bind will crash if forwarders are defined both in named.conf and LDAP
> >> global configuration (dnsconfig-mod).
> >>
> >> Martin
> >
> > The patch itself looks ok, just a couple of general concerns:
> >
> > 1. By default dnsconfig-show displays nothing. This is a little
> > disconcerting. I don't believe we show empty attributes anywhere else,
> > not sure if we should make an exception here or show some other message,
> > perhaps a varying summary?
> >
> > 2. I don't think there is a lot we can do but this still conflicts with
> > the file-based configuration. For example, someone can add a forwarder
> > and cause named to not restart the next time because there is also one
> > defined in named.conf. I'd almost prefer that one win rather than the
> > daemon not start at all. But for our purposes people may get confused
> > because they don't see the forwarders they configured at install time
> > and merely managing this list can break your name server at some
> > undetermined future point.
> >
> > rob
> 
> This problem is in BZ https://bugzilla.redhat.com/show_bug.cgi?id=795414 .
> 
> Patch for this is ON_QA in RHEL6 and will be pushed to Fedora at some 
> point this week. (This Adam said yesterday on IRC.)
> 
> Current solution prefers value from LDAP before local configuration.
> 
> Petr^2 Spacek
> 

The fix for this BZ has been backported to Fedora 16 and released to
updates-testing:
https://admin.fedoraproject.org/updates/FEDORA-2012-4091/bind-9.8.2-0.4.rc2.fc16

Attaching a patch which properly forbids conflicts with older versions
of bind. The new bind should no longer crash when a configuration
option like forwarders is defined both in LDAP and named.conf.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-227-3-allow-port-numbers-for-idnsforwarders.patch
Type: text/x-patch
Size: 3642 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120319/fd0703b8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-228-3-add-missing-global-options-in-dnsconfig.patch
Type: text/x-patch
Size: 4704 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120319/fd0703b8/attachment-0001.bin>
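The forwarder syntax this thread settles on ("$IP port $PORT" rather than the earlier "$IP $PORT") is the kind of detail that gets mis-typed in an idnsForwarders value and only shows up when the name server stops forwarding. The following is an added example, not code from the attached patches, FreeIPA or bind-dyndb-ldap: a small Python validator that accepts "IP" or "IP port PORT", rejects host names and the old two-token form, and renders the accepted values as the BIND `forwarders { address [port number]; };` statement whose notation the LDAP value mirrors. The default port of 53 when no port is given is an assumption of this example; the thread does not state what the plugin defaults to.

```python
import ipaddress
import re
from typing import Iterable, Tuple

# Added example (not FreeIPA or bind-dyndb-ldap code). It checks the forwarder
# syntax agreed on in the thread: "IP" or "IP port PORT". The default port of 53
# is an assumption of this example; the thread does not state it.

DEFAULT_PORT = 53
_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def parse_forwarder(value: str) -> Tuple[str, int]:
    """Parse one idnsForwarders-style value into (ip, port).

    Accepts "192.0.2.1" or "2001:db8::1 port 5353". The older "IP PORT"
    form discussed in the thread is rejected, as is anything whose first
    token is not a literal IPv4/IPv6 address (host names are not allowed).
    """
    parts = value.split()
    if len(parts) not in (1, 3):
        raise ValueError(f"{value!r}: expected 'IP' or 'IP port PORT'")
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError as exc:
        raise ValueError(f"{value!r}: {parts[0]!r} is not an IP address") from exc
    port = DEFAULT_PORT
    if len(parts) == 3:
        if parts[1].lower() != "port":
            raise ValueError(f"{value!r}: expected keyword 'port', got {parts[1]!r}")
        if not _PORT_RE.match(parts[2]) or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"{value!r}: port must be an integer in 1..65535")
        port = int(parts[2])
    # str() gives the canonical form, e.g. "2001:DB8::1" becomes "2001:db8::1"
    return str(ip), port


def is_valid_forwarder(value: str) -> bool:
    """True if the value parses under the 'IP [port PORT]' grammar above."""
    try:
        parse_forwarder(value)
        return True
    except ValueError:
        return False


def forwarders_clause(values: Iterable[str]) -> str:
    """Render the values as a BIND forwarders statement.

    BIND uses the same 'address [port number]' notation, which is why the
    LDAP attribute now follows it; a port equal to the assumed default is
    omitted from the rendered clause.
    """
    entries = [parse_forwarder(v) for v in values]
    body = " ".join(
        f"{ip};" if port == DEFAULT_PORT else f"{ip} port {port};"
        for ip, port in entries
    )
    return f"forwarders {{ {body} }};"


if __name__ == "__main__":
    # constructed sample values, not taken from any real configuration
    sample = ["192.0.2.1", "2001:DB8::1 port 5353"]
    print(forwarders_clause(sample))
    for bad in ["192.0.2.1 5353", "ns1.example.com port 53", "192.0.2.1 port 70000"]:
        print(bad, "->", "ok" if is_valid_forwarder(bad) else "rejected")
```

Run as a script, it prints the rendered `forwarders` clause for the two sample values and reports the three malformed ones (old two-token form, host name, out-of-range port) as rejected. Rejecting host names is deliberate: BIND's forwarders take addresses, and a name that has to be resolved through the very forwarder being configured is a circular dependency.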