Martin Kosek wrote:
This set of patches implements support and API for features introduced
in a new bind-dyndb-ldap (bind-dyndb-ldap-1.1.0-0.6.a1):
   - global bind-dyndb-ldap settings in LDAP (cn=dns,$SUFFIX)
   - conditional per-zone forwarding
   - per-zone configuration of automatic PTR updates
   - zone transfer
   - AllowQuery and AllowTransfer ACIs
   - new bind-dyndb-ldap now also skips invalid records in a zone instead
of refusing to load an entire zone

More detailed description and examples are in these separate patches. In
order to test it, a new bind-dyndb-ldap version is needed. It is not in the
updates-testing repo yet as it waits for a new release of bind, which
should occur in the next few days. But it can be downloaded from koji:

F15: http://koji.fedoraproject.org/koji/buildinfo?buildID=294138
F16: http://koji.fedoraproject.org/koji/buildinfo?buildID=294137

Have fun!
Martin


In patch 195 there is a white-space fix to the idnsRecord. Was this intentional? Also a typo in the commit message, AllowTransger.

In patch 197 there is this suspicious code in _normalize_ipnetmask:

+        ipnetmask = ipnetmask
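Review bot: `ipnetmask = ipnetmask` assigns the variable to itself and has no effect, so _normalize_ipnetmask returns its input unchanged at this point. Either drop the line or assign the actually normalized value the function is meant to produce.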

The comment and copyright date in dns.py::update_dnszone_acls() needs to be updated

Patch 98: I think you want to drop the word "with" in this?

+ Forward all request for sub-zone of example.com to another nameserver with
+ using a "first" policy (it will send the queries to the selected forwarder
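Review bot: besides the stray "with", the help text has number agreement problems: "all request for sub-zone of example.com" should read "all requests for sub-zones of example.com to another nameserver using a "first" policy".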
yes,

And now for some things I saw when testing.

I upgraded an existing instance installed with DNS.

ipa dnsconfig-show returned nothing. I disabled persistent search then set it to '' and now I always see

Zone refresh interval: 0

Not sure if I should have seen that initially or not.

I tried testing the query policy but was unable to get it working:

# ipa dnszone-mod example.com --allow-query="\!10.0.0.1,any"
# service named restart

'dig -t soa example.com' always worked.

My test hosts are behind a NAT but I tried both the real and the NAT IP address and in both cases it worked.

So I set up transfer rules instead and this time was very picky about what IP address to accept and used the NAT address. Using that it worked as expected.

So I went back and worked on query again. It seems like the ! addresses aren't working as expected, that or it is an ordering problem perhaps (e.g. I wonder if I'm seeing the problem in your comment #16 in ticket 1211).

I wonder if the summary should reflect that named needs to be restarted.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

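The allow-query test above, and the `_normalize_ipnetmask` helper Rob questions, both come down to how a BIND-style address match list is parsed and evaluated: elements are tried in order, the first element that matches the client address decides, a leading `!` negates that element, and a list with no matching element denies. The following Python is an added example written for this thread; it is not FreeIPA's or bind-dyndb-ldap's own code, and the function names `normalize_entry`, `normalize_acl` and `acl_allows` are hypothetical. It accepts the comma-separated form FreeIPA's `--allow-query` takes, canonicalizes `addr/netmask` to prefix notation (the job a helper like `_normalize_ipnetmask` has), and shows why `!10.0.0.1,any` denies 10.0.0.1 while `any,!10.0.0.1` never does (the `!` element is never reached). When the client sits behind NAT, the address named evaluates is the post-NAT source address, so a rule for the pre-NAT address does not match.

```python
import ipaddress

# Keywords BIND accepts inside an address match list.
KEYWORDS = {"any", "none", "localhost", "localnets"}


def normalize_entry(entry):
    """Parse one element; return (negated, value) where value is an
    ip_network object or one of KEYWORDS.  Hypothetical helper."""
    entry = entry.strip()
    negated = entry.startswith("!")
    if negated:
        entry = entry[1:].strip()
    if entry in KEYWORDS:
        return negated, entry
    if "/" in entry:
        # 10.0.0.0/24 and 10.0.0.0/255.255.255.0 both canonicalize to /24;
        # strict=False tolerates host bits set in the address part.
        net = ipaddress.ip_network(entry, strict=False)
    else:
        # A bare host address becomes a /32 (or /128 for IPv6).
        net = ipaddress.ip_network(entry)
    return negated, net


def normalize_acl(acl):
    """Split the comma-separated list FreeIPA passes and normalize each element."""
    return [normalize_entry(e) for e in acl.split(",") if e.strip()]


def acl_allows(acl, client_ip, local_nets=()):
    """Evaluate the list with BIND semantics: first match wins, negation
    inverts the decision of the element it prefixes, no match means deny.
    local_nets is a constructed stand-in for the interfaces named listens on."""
    ip = ipaddress.ip_address(client_ip)
    for negated, value in normalize_acl(acl):
        if value == "any":
            matched = True
        elif value == "none":
            matched = False
        elif value == "localhost":
            matched = ip.is_loopback
        elif value == "localnets":
            matched = any(ip in ipaddress.ip_network(n, strict=False)
                          for n in local_nets)
        else:
            matched = ip in value  # False for a v4/v6 family mismatch
        if matched:
            return not negated
    return False


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread's test.
    for acl in ("!10.0.0.1,any", "any,!10.0.0.1", "10.0.0.0/255.255.255.0"):
        for client in ("10.0.0.1", "10.0.0.77", "192.0.2.5"):
            print(f"{acl!r:28} {client:12} -> {'allow' if acl_allows(acl, client) else 'deny'}")
```

Running it shows that the order Rob used (`!10.0.0.1,any`) is the correct one for "everyone except 10.0.0.1"; if the query still succeeded from 10.0.0.1, the address named saw was not 10.0.0.1 (NAT), or the plugin did not apply the ACL as written, which is a separate question from the list's semantics.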