On Fri, 2011-12-09 at 04:11 -0500, Jiri Kuncar wrote:
> I have prepared an initial support for forward zones. There is still an open 
> question about global forwarder. The current solution consists in creating 
> forward root zone:
> 
> 1) `ipa dnszone-add "."`
> 2) addForwarder.ldif:
> dn: idnsname=.,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> changetype: modify
> add: idnsForwarders
> idnsForwarders: 10.16.255.2 (use your own one)
> 3) `ldapmodify -Y GSSAPI -f addForwarder.ldif`
> 
> https://fedorahosted.org/freeipa/ticket/2108
> https://bugzilla.redhat.com/show_bug.cgi?id=754433
> 
> Jiri

I have been thinking about that and as we discussed today I don't like
"abusing" a real DNS root zone for purpose of storing bind-dyndb-ldap
global settings. I see 2 issues with this approach:
1) User has to create a real root DNS zone "." with all MUST attributes
(SOA, NS records etc.) even though these values are being ignored in
bind-dyndb-ldap.
2) With expansion of bind-dyndb-ldap abilities I expect more (global or
per-zone) settings to show up. For example any settings related to
DNSSEC (keys, etc.). And I don't think we want to place all these to the
root zone LDAP object and extend idnsZone objectClass every time we add
a global bind-dyndb-ldap setting stored in LDAP.

This is my idea of what could be done:
1) Introduce a new objectClass "idnsConfigObject" which would hold all
bind-dyndb-ldap global settings attributes. I would add the following
attributes:
* idnsAllowSyncPTR: global setting with the semantics of sync_ptr in
named.conf.
* dnsForwardPolicy
* idnsForwarders
* idnsZoneRefresh (zone_refresh argument in named.conf)
* idnsPersistentSearch (psearch argument in named.conf)

2) Create a config object in FreeIPA (in replicated space):
cn=dns,cn=etc,$SUFFIX

3) Add support for this global settings object to bind-dyndb-ldap and
create a config option in named.conf pointing to the global config base
DN:
dynamic-db "ipa" {
...
    arg "config_base cn=dns,cn=etc,dc=example,dc=com";
...
};

4) Add API for global DNS config to FreeIPA server. Example commands:
$ ipa dnsconfig-show
$ ipa dnsconfig-mod --forwarders=10.0.0.1,10.0.0.2 --forward-policy=only

Martin
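Martin's proposal above, as an added example that is not code from the thread, from FreeIPA or from bind-dyndb-ldap: a small Python reader for an LDIF entry shaped like the proposed cn=dns,cn=etc,$SUFFIX config object, mapping the listed attributes (idnsForwarders, dnsForwardPolicy, idnsAllowSyncPTR, idnsZoneRefresh, idnsPersistentSearch) onto the named.conf settings the mail pairs them with, and rejecting values named would not accept before they reach the server. The sample entry, the idnsConfigObject objectClass as used here and the attribute-to-setting mapping are assumptions taken from the proposal, not a schema known to exist in this form.

```python
import ipaddress

# Constructed sample entry shaped like the proposed cn=dns,cn=etc,$SUFFIX object;
# the objectClass and attribute names are the mail's proposal, not a known schema.
SAMPLE_LDIF = """\
dn: cn=dns,cn=etc,dc=example,dc=com
objectClass: idnsConfigObject
cn: dns
idnsForwarders: 10.0.0.1
idnsForwarders: 10.0.0.2
dnsForwardPolicy: only
idnsAllowSyncPTR: TRUE
idnsZoneRefresh: 30
idnsPersistentSearch: FALSE
"""

def parse_ldif(text):
    """Minimal single-entry LDIF reader; every attribute becomes a list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def to_named_settings(entry):
    """Validate the entry and return the named.conf settings it stands in for
    (forwarders/forward options, sync_ptr/zone_refresh/psearch dynamic-db args)."""
    policy = entry.get("dnsForwardPolicy", ["first"])[0]
    if policy not in ("first", "only"):
        raise ValueError("dnsForwardPolicy must be 'first' or 'only'")
    # ip_address() raises ValueError for anything that is not an IPv4/IPv6 literal
    forwarders = [str(ipaddress.ip_address(v)) for v in entry.get("idnsForwarders", [])]
    if policy == "only" and not forwarders:
        raise ValueError("forward policy 'only' needs at least one forwarder")
    truth = {"TRUE": "yes", "FALSE": "no"}
    return {
        "forwarders": forwarders,
        "forward": policy,
        "sync_ptr": truth[entry.get("idnsAllowSyncPTR", ["FALSE"])[0].upper()],
        "zone_refresh": int(entry.get("idnsZoneRefresh", ["0"])[0]),
        "psearch": truth[entry.get("idnsPersistentSearch", ["FALSE"])[0].upper()],
    }

def accepts(text):
    """True when an LDIF entry passes validation, False when it would be rejected."""
    try:
        to_named_settings(parse_ldif(text))
        return True
    except ValueError:
        return False
```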

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel