I suggest adding the following doc to the end of chapter "5.6. DNS" (after the paragraphs about forwarders):
Any host is permitted to issue recursive queries against configured forwarders by default. When required, this behavior can be changed in /etc/named.conf in the "allow-recursion" statement. Please consult the name server documentation for details on how to edit the configuration statement.

----

How to test:

1) install IPA with --setup-dns and a defined --forwarder
2) query a record not managed by the installed IPA (e.g. www.freeipa.org) from localhost - should pass both with and without the patch
3) query a record not managed by the installed IPA from another computer on a different subnet - fails without the patch and should pass with the patch

----

Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335
>From 3dd16fab887d70675bf6359b0afdf2d32932b911 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 22 Jun 2011 08:35:50 +0200 Subject: [PATCH] Allow recursion by default Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement). https://fedorahosted.org/freeipa/ticket/1335 --- install/share/bind.named.conf.template | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 71facbaf7f3e14f009b2aa9d6ba7a5d8bd0372af..e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -11,6 +11,9 @@ options { forward first; forwarders {$FORWARDERS}; + // Any host is permitted to issue recursive queries + allow-recursion { any; }; + tkey-gssapi-credential "DNS/$FQDN"; tkey-domain "$REALM"; }; -- 1.7.5.4
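Review bot: `allow-recursion { any; };` in the options block turns every IPA-installed name server into an open recursive resolver for any address that can reach it, which on an internet-facing server exposes it to reflection/amplification abuse and widens the surface for cache-poisoning attempts against the configured forwarders; consider scoping the default to trusted ranges (for example `allow-recursion { localnets; localhost; };`, or a template variable the installer fills in so the admin can widen it deliberately), and have the proposed doc paragraph state that opening recursion to `any` is a security-relevant choice rather than a neutral default. The accompanying comment line should also say why recursion is opened, since a reader of the generated named.conf otherwise has no hint that this was intentional.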
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel