On Fri, 2011-12-09 at 04:11 -0500, Jiri Kuncar wrote:
> I have prepared an initial support for forward zones. There is still an open 
> question about global forwarder. The current solution consists in creating 
> forward root zone:
> 1) `ipa dnszone-add "."`
> 2) addForwarder.ldif:
> dn: idnsname=.,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> changetype: modify
> add: idnsForwarders
> idnsForwarders: (use your own one)
> 3) `ldapmodify -Y GSSAPI -f addForwarder.ldif`
> https://fedorahosted.org/freeipa/ticket/2108
> https://bugzilla.redhat.com/show_bug.cgi?id=754433
> Jiri

I have been thinking about that and, as we discussed today, I don't like
"abusing" a real DNS root zone for the purpose of storing bind-dyndb-ldap
global settings. I see 2 issues with this approach:
1) The user has to create a real root DNS zone "." with all MUST attributes
(SOA, NS records etc.) even though these values are being ignored in
2) With the expansion of bind-dyndb-ldap's abilities I expect more (global or
per-zone) settings to show up, for example any settings related to
DNSSEC (keys, etc.). And I don't think we want to place all of these into the
root zone LDAP object and extend the idnsZone objectClass every time we add
a global bind-dyndb-ldap setting stored in LDAP.

This is my idea of what could be done:
1) Introduce a new objectClass "idnsConfigObject" which would hold all
bind-dyndb-ldap global settings attributes. I would add the following:
* idnsAllowSyncPTR: global settings with semantics of sync_ptr in
* dnsForwardPolicy
* idnsForwarders
* idnsZoneRefresh (zone_refresh argument in named.conf)
* idnsPersistentSearch (psearch argument in named.conf)

2) Create a config object in FreeIPA (in replicated space):

3) Add support for this global settings object to bind-dyndb-ldap and
create a config option in named.conf pointing to the global config base:
dynamic-db "ipa" {
    arg "config_base cn=dns,cn=etc,dc=example,dc=com";

4) Add an API for global DNS config to the FreeIPA server. Example commands:
$ ipa dnsconfig-show
$ ipa dnsconfig-mod --forwarders=, --forward-policy=only
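The proposal above moves forwarder and policy settings into a single LDAP config object that named will trust as-is, so whatever writes that object (the future `ipa dnsconfig-mod`, or an ldapmodify by hand) should validate it first. The following is an added example, not code from the proposal, FreeIPA or bind-dyndb-ldap: it parses a small LDIF entry for the proposed idnsConfigObject and checks the values before they are written. It assumes the attribute names listed in the mail, that dnsForwardPolicy takes the same values as BIND's `forward` option (first/only/none), that forwarders use BIND's "ADDR port N" form, and that the two LDIF entries are constructed for illustration.

```python
"""Validate a proposed bind-dyndb-ldap global config entry before writing it.

Added example (not code from the proposal, FreeIPA or bind-dyndb-ldap).
Assumed: attribute names from the mail; dnsForwardPolicy values mirror BIND's
"forward" option; forwarders use BIND's "ADDR port N" form; LDIF is constructed.
"""
import ipaddress
import re

# Constructed sample entry under the config_base the mail proposes.
SAMPLE_LDIF = """\
dn: cn=dns,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: idnsConfigObject
cn: dns
idnsForwarders: 192.0.2.53
idnsForwarders: 2001:db8::53 port 5353
dnsForwardPolicy: only
idnsAllowSyncPTR: TRUE
idnsZoneRefresh: 30
idnsPersistentSearch: TRUE
"""

# Constructed broken entry: objectClass missing, multicast forwarder,
# unknown policy, non-numeric refresh interval.
BAD_LDIF = """\
dn: cn=dns,cn=etc,dc=example,dc=com
objectClass: nsContainer
cn: dns
idnsForwarders: 224.0.0.251
dnsForwardPolicy: sometimes
idnsZoneRefresh: thirty
"""

FORWARD_POLICIES = {"first", "only", "none"}   # assumed: same as BIND "forward"
LDAP_BOOLEANS = {"TRUE", "FALSE"}
FORWARDER_RE = re.compile(r"(\S+)(?: port (\d+))?")   # "ADDR" or "ADDR port N"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Handles LDIF line folding (leading space) and comments; base64 values
    (attr:: ...) are rejected since none of the proposed attributes need them.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip():
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            raise ValueError(f"base64 value not supported for {attr}")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def validate_dns_config(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    errors = []
    if "idnsconfigobject" not in {v.lower() for v in entry.get("objectclass", [])}:
        errors.append("missing objectClass idnsConfigObject")

    forwarders = entry.get("idnsforwarders", [])
    for fwd in forwarders:
        m = FORWARDER_RE.fullmatch(fwd)
        if not m:
            errors.append(f"idnsForwarders: bad syntax {fwd!r}")
            continue
        host, port = m.groups()
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            errors.append(f"idnsForwarders: {host!r} is not an IP address")
            continue
        # Every query named cannot answer itself goes to the forwarder, so it
        # must be a real unicast resolver, not a multicast/unspecified address.
        if addr.is_multicast or addr.is_unspecified:
            errors.append(f"idnsForwarders: {host} is not a unicast address")
        if port is not None and not 1 <= int(port) <= 65535:
            errors.append(f"idnsForwarders: port {port} out of range")

    policy = [p.lower() for p in entry.get("dnsforwardpolicy", [])]
    if len(policy) > 1:
        errors.append("dnsForwardPolicy must be single-valued")
    for p in policy:
        if p not in FORWARD_POLICIES:
            errors.append(f"dnsForwardPolicy: {p!r} not in {sorted(FORWARD_POLICIES)}")
    if policy and policy[0] == "only" and not forwarders:
        errors.append("dnsForwardPolicy 'only' without idnsForwarders breaks resolution")

    for attr in ("idnsallowsyncptr", "idnspersistentsearch"):
        for v in entry.get(attr, []):
            if v.upper() not in LDAP_BOOLEANS:
                errors.append(f"{attr}: {v!r} is not an LDAP boolean")
    for v in entry.get("idnszonerefresh", []):
        if not v.isdigit():
            errors.append(f"idnsZoneRefresh: {v!r} is not a non-negative integer")
    return errors


if __name__ == "__main__":
    for name, ldif in (("sample", SAMPLE_LDIF), ("bad", BAD_LDIF)):
        print(name, validate_dns_config(parse_ldif_entry(ldif)) or "OK")
```

The checks that matter most for a deployment are the forwarder ones: a forwarder address is where every non-authoritative query ends up, so a typo or a non-unicast address silently redirects or breaks resolution for the whole replica set once the object replicates.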


Freeipa-devel mailing list
