On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:
> A new version of bind-dyndb-ldap has been released. Thanks to the new
> persistent search feature, the name server can immediately pull new DNS
> zones when they are created in IPA.
> 
> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
> has to use the provided src.rpm:
> 
> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
> 
> or rpms I built for x86_64 F-15:
> 
> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
> 
> There is one setback though. While investigating the DNS persistent search
> behavior I found that we still lack the ability to detect changes to the DNS
> zone itself. Adding a record (for example an MX record) to the zone does not
> trigger an update of the zone in the name server cache. We still have to wait
> for the cache timeout (argument "cache_ttl"). We therefore cannot use this
> feature as a solution for:
> 
> https://fedorahosted.org/freeipa/ticket/1114
> https://fedorahosted.org/freeipa/ticket/1125
> https://fedorahosted.org/freeipa/ticket/1126
> 
> Martin
> 

Sending a rebased version of the patch. It requires new bind-dyndb-ldap
version that Adam has just sent to the list.

Martin
>From 2efceb25237cdc55c05875a03fb9cf57614cccc3 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 31 Aug 2011 14:42:57 +0200
Subject: [PATCH] Let Bind track data changes

Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh during installation to define the number of seconds
    between bind-dyndb-ldap polls for new DNS zones. The user no longer
    has to restart the name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch on";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
---
 install/share/bind.named.conf.template |    2 ++
 install/tools/ipa-dns-install          |   20 +++++++++++++++++++-
 install/tools/ipa-server-install       |   20 +++++++++++++++++++-
 install/tools/man/ipa-dns-install.1    |    6 ++++++
 install/tools/man/ipa-server-install.1 |    6 ++++++
 ipalib/constants.py                    |    3 +++
 ipaserver/install/bindinstance.py      |   11 +++++++++--
 7 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca..f133b089a9eb428e9ad76b66a3ff162b45e5a779 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -44,4 +44,6 @@ dynamic-db "ipa" {
 	arg "auth_method sasl";
 	arg "sasl_mech GSSAPI";
 	arg "sasl_user DNS/$FQDN";
+	arg "zone_refresh $ZONE_REFRESH";
+	arg "psearch $PERSISTENT_SEARCH";
 };
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index cf400dd75cdf747ec24ccfc7d2dabd4873c8962b..09006a2009c42a61ab80172637eeaf87a9db0635 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -29,6 +29,7 @@ from ipapython import version
 from ipapython import ipautil, sysrestore
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
+from ipalib.constants import DNS_ZONE_REFRESH
 import krbV
 import ldap
 
@@ -49,6 +50,14 @@ def parse_options():
                       default=False, help="Do not create reverse DNS zone")
     parser.add_option("--zonemgr", dest="zonemgr", 
                       help="DNS zone manager e-mail address. Defaults to root")
+    parser.add_option("--zone-notif", dest="zone_notif",
+                      action="store_true", default=False,
+                      help="Let name server receive notification when a new zone is added." \
+                           "Zone refresh is turned off when zone notification is enabled")
+    parser.add_option("--zone-refresh", dest="zone_refresh",
+                      default=DNS_ZONE_REFRESH, type="int",
+                      help="A delay between checks for new DNS zones. Defaults to %d" \
+                              % DNS_ZONE_REFRESH)
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
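Review bot: The two-part help string for --zone-notif is joined by implicit concatenation with no separating space, so the rendered help reads "...is added.Zone refresh is turned off..."; the first fragment should end with a space, `help="Let name server receive notification when a new zone is added. "`. The same defect is in the ipa-server-install hunk that adds the identical option (the hunk at @@ -140,6 +141,14 @@). The trailing backslashes are also unnecessary inside the open parenthesis and can be dropped. parse_options() starts outside this hunk.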
@@ -64,6 +73,12 @@ def parse_options():
         if not options.forwarders and not options.no_forwarders:
             parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
+    if options.zone_refresh < 0:
+        parser.error("negative numbers not allowed for --zone-refresh")
+
+    if options.zone_notif:   # mutually exclusive features
+        options.zone_refresh = 0
+
     return safe_options, options
 
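Review bot: When --zone-notif is given, an explicitly supplied --zone-refresh value is silently replaced by 0 with no message, so a user who passes both never learns that one option was discarded. Since the commit describes the two as mutually exclusive, it would be clearer to reject the combination, `if options.zone_notif and options.zone_refresh != DNS_ZONE_REFRESH:` followed by `parser.error("--zone-notif and --zone-refresh are mutually exclusive")`, before the line that zeroes zone_refresh; if the override is intentional, at least print a notice. The same applies to the corresponding hunk in ipa-server-install (@@ -247,6 +256,12 @@). parse_options() starts outside this hunk.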
 def main():
@@ -179,7 +194,10 @@ def main():
         print "Please wait until the prompt is returned."
         print ""
 
-    bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr)
+    bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
+               dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr,
+               zone_refresh=options.zone_refresh,
+               zone_notif=options.zone_notif)
     bind.create_instance()
 
 
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3828a9c486f76ac632a20131636c39696cad5835..e8a48fad22778c8a6b85904d14c1bf1003cfa8a0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -61,6 +61,7 @@ from ipalib.parameters import IA5Str
 from ipapython.config import IPAOptionParser
 from ipalib.dn import DN
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
+from ipalib.constants import DNS_ZONE_REFRESH
 
 pw_name = None
 uninstalling = False
@@ -140,6 +141,14 @@ def parse_options():
     parser.add_option("--zonemgr", action="callback", callback=zonemgr_callback,
                       type="string",
                       help="DNS zone manager e-mail address. Defaults to root")
+    parser.add_option("--zone-notif", dest="zone_notif",
+                      action="store_true", default=False,
+                      help="Let name server receive notification when a new zone is added." \
+                           "Zone refresh is turned off when zone notification is enabled")
+    parser.add_option("--zone-refresh", dest="zone_refresh",
+                      default=DNS_ZONE_REFRESH, type="int",
+                      help="A delay between checks for new DNS zones. Defaults to %d" \
+                              % DNS_ZONE_REFRESH)
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
     parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
@@ -247,6 +256,12 @@ def parse_options():
     if not options.pkinit_pkcs12 and not options.selfsign:
         options.setup_pkinit = False
 
+    if options.zone_refresh < 0:
+        parser.error("negative numbers not allowed for --zone-refresh")
+
+    if options.zone_notif:   # these 2 features are mutually exclusive
+        options.zone_refresh = 0
+
     return safe_options, options
 
 def signal_handler(signum, frame):
@@ -992,7 +1007,10 @@ def main():
 
     # Create a BIND instance
     bind = bindinstance.BindInstance(fstore, dm_password)
-    bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp, reverse_zone, zonemgr=options.zonemgr)
+    bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
+               options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
+               zone_refresh=options.zone_refresh,
+               zone_notif=options.zone_notif)
     if options.setup_dns:
         api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
 
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index e8c53bf72c33b02dce120cef1c0cdd2f538a87fa..3e98dbe79b1612217daedf20668fc133b69d822e 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -49,6 +49,12 @@ Do not create reverse DNS zone
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults too root@host.domain
 .TP
+\fB\-\-zone\-notif\fR
+Let name server receive notifications when a new zone is added. New zone is then immediately loaded by the name server. This feature uses an LDAP Persistent Search mechanism to receive the data. Zone refresh is turned off when zone notifications are enabled.
+.TP
+\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
+Number of seconds between regular checks for new DNS zones. When set to 0 the name server does not check for new zones and it needs to be reloaded when a new DNS zone is added.
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .SH "EXIT STATUS"
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index a06b849c41a64c0098ae00d5e29e9b6ff772af62..0ea8b01beaee04686c719e11fe388312e57c7d00 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -88,6 +88,12 @@ Do not create reverse DNS zone
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to root@host.domain
 .TP
+\fB\-\-zone\-notif\fR
+Let name server receive notifications when a new zone is added. New zone is then immediately loaded by the name server. This feature uses an LDAP Persistent Search mechanism to receive the data. Zone refresh is turned off when zone notifications are enabled.
+.TP
+\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
+Number of seconds between regular checks for new DNS zones. When set to 0 the name server does not check for new zones and it needs to be reloaded when a new DNS zone is added.
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
diff --git a/ipalib/constants.py b/ipalib/constants.py
index b4bb86dde411e5c8eb665ee362847a3de38b8cda..6d246288b0bb6ad3509fdb62616a03d678312319 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -195,3 +195,6 @@ DEFAULT_CONFIG = (
     ('log', object),  # Path to context specific log file
 
 )
+
+# Default DNS zone refresh interval in seconds (0 = disabled)
+DNS_ZONE_REFRESH = 30
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 676b1a47623558d62907cd99b222b6002ec05528..c91b6206150bc0243e50a511954ae2c3753d9c67 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -31,6 +31,7 @@ from ipaserver.install.dsinstance import realm_to_serverid
 from ipaserver.install.installutils import resolve_host
 from ipapython import sysrestore
 from ipapython import ipautil
+from ipalib.constants import DNS_ZONE_REFRESH
 
 import ipalib
 from ipalib import api, util, errors
@@ -342,7 +343,9 @@ class BindInstance(service.Service):
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, reverse_zone, named_user="named", zonemgr=None):
+    def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
+              reverse_zone, named_user="named", zonemgr=None,
+              zone_refresh=DNS_ZONE_REFRESH, zone_notif=False):
         self.named_user = named_user
         self.fqdn = fqdn
         self.ip_address = ip_address
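Review bot: setup() accepts zone_refresh without any range check, while the negative-value check added by this commit lives only in the two installer scripts; any other caller of setup() (none is visible in this patch, so this is an inference) could pass a negative value that is written straight into named.conf. Either mirror the check here, `if zone_refresh < 0: raise ValueError("zone_refresh must be >= 0")`, or add a docstring to setup() stating that zone_refresh is a non-negative poll interval in seconds (0 disables polling) and that zone_notif=True is expected to be paired with zone_refresh=0 by the caller. The method body continues past this hunk.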
@@ -354,6 +357,8 @@ class BindInstance(service.Service):
         self.suffix = util.realm_to_suffix(self.realm)
         self.ntp = ntp
         self.reverse_zone = reverse_zone
+        self.zone_refresh = zone_refresh
+        self.zone_notif = zone_notif
 
         if zonemgr:
             self.zonemgr = zonemgr.replace('@','.')
@@ -439,7 +444,9 @@ class BindInstance(service.Service):
                              FORWARDERS=fwds,
                              SUFFIX=self.suffix,
                              OPTIONAL_NTP=optional_ntp,
-                             ZONEMGR=self.zonemgr)
+                             ZONEMGR=self.zonemgr,
+                             ZONE_REFRESH=self.zone_refresh,
+                             PERSISTENT_SEARCH=self.zone_notif and "yes" or "no")
 
     def __setup_dns_container(self):
         self._ldap_mod("dns.ldif", self.sub_dict)
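Review bot: The `self.zone_notif and "yes" or "no"` expression is the pre-2.5 and/or idiom; it is correct here only because "yes" is truthy, and the conditional expression `PERSISTENT_SEARCH="yes" if self.zone_notif else "no"` says the same thing without that trap. Separately, the commit message's named.conf example uses `arg "psearch on"` while this line emits `yes`/`no`; unless the plugin accepts both spellings (not verifiable from this patch), the documented example and the generated configuration should use the same form. The enclosing method starts outside this hunk.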
-- 
1.7.6
