Martin Kosek wrote:
On Mon, 2012-02-20 at 12:46 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
A new version of bind-dyndb-ldap has been released, sending fixed
patches with the following major changes:
- Since bind-dyndb-ldap supports only idnsForwarders global option at
this time, all other global options were removed from the API. They
left in the schema though so that the schema is consistent with
bind-dyndb-ldap supported schema and the support of these options in
future can be added more seamlessly
- idnsAllowQuery and idnsAllowTransfer format has changed to follow
format (ACI elements separated with semicolon). An example of such

ipa dnszone-mod --allow-query=";!;any;"

This ACI would forbid machine from any IP from network
besides to query the name server. All other machines are
allowed to issue queries.

Any good reason why this is not a multi-value attribute ?
Do these ACIs need to be ordered ? (that would be probably a good

That's exactly it!


Yup. Previous release of bind-dyndb-ldap followed the multi-valued LDAP
attribute format, but we found out that we cannot do it this way as the
ACI list need to be ordered.

When bind evaluates if it should allow/reject query/tranfer request it
simply traverses the ACI list, one by one, and accepts the result of the
first match, i.e. the order is crucial there.


There is no help for dnsconfig.

dnsconfig is defined in module and thus its help is defined in a
scope of dns module:

$ ipa help dns
  Show global DNS configuration:
    ipa dnsconfig-show

  Modify global DNS configuration and set a list of global forwarders:
    ipa dnsconfig-mod --forwarder=

Topic commands:

If you set global forwarders then named will fail to restart if there
forwarders is defined in named.conf. We should warn users when setting
this (and/or in the help).

Yes, this is the problem that Petr Spacek mentioned. Adding him on the
CC list. IIUC, he and Adam Tkac already have a patch that should fix
this bug.

There is not much we can do on IPA side in this case. named just must
not crash when forwarders definitions (LDAP and named.conf) are both

I can't get forwarded domains to work. I think I followed the test
instructions in the ticket but my bogus domain always resolves to the root.

As investigated on the IRC, the problem was in too restrictive firewall
on the side of the second DNS server.


Things are working for me today, ACK x4.


Freeipa-devel mailing list

Reply via email to