Martin Kosek wrote:
On Mon, 2012-02-20 at 12:46 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
A new version of bind-dyndb-ldap has been released, sending fixed
patches with the following major changes:
- Since bind-dyndb-ldap supports only the idnsForwarders global option at
this time, all other global options were removed from the API. They were
left in the schema though so that the schema is consistent with the
bind-dyndb-ldap supported schema and the support of these options in the
future can be added more seamlessly
- idnsAllowQuery and idnsAllowTransfer format has changed to follow BIND
format (ACI elements separated with semicolon). An example of such
element:

ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"

This ACI would forbid machine from any IP from 10.0.0.0/8 network
besides 10.0.0.1 to query the name server. All other machines are
allowed to issue queries.

Any good reason why this is not a multi-value attribute ?
Do these ACIs need to be ordered ? (that would be probably a good
reason).

That's exactly it!

rob


Yup. Previous release of bind-dyndb-ldap followed the multi-valued LDAP
attribute format, but we found out that we cannot do it this way as the
ACI list needs to be ordered.

When bind evaluates if it should allow/reject a query/transfer request it
simply traverses the ACI list, one by one, and accepts the result of the
first match, i.e. the order is crucial there.

Martin


There is no help for dnsconfig.

dnsconfig is defined in dns.py module and thus its help is defined in a
scope of dns module:

$ ipa help dns
...
  Show global DNS configuration:
    ipa dnsconfig-show

  Modify global DNS configuration and set a list of global forwarders:
    ipa dnsconfig-mod --forwarder=10.0.0.1

Topic commands:
...


If you set global forwarders then named will fail to restart if
forwarders are defined in named.conf. We should warn users when setting
this (and/or in the help).

Yes, this is the problem that Petr Spacek mentioned. Adding him on the
CC list. IIUC, he and Adam Tkac already have a patch that should fix
this bug.

There is not much we can do on IPA side in this case. named just must
not crash when forwarders definitions (LDAP and named.conf) are both
set.


I can't get forwarded domains to work. I think I followed the test
instructions in the ticket but my bogus domain always resolves to the root.

As investigated on IRC, the problem was in a too restrictive firewall
on the side of the second DNS server.

Martin


Things are working for me today, ACK x4.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
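The first-match evaluation Martin describes above is what makes the ordering of idnsAllowQuery/idnsAllowTransfer elements significant. The following is an added illustration, not code from bind-dyndb-ldap, BIND or FreeIPA: a small parser and evaluator for a semicolon-separated BIND-style address match list, applied to the "10.0.0.1;!10.0.0.0/8;any;" value from the dnszone-mod example (the sample values and function names are constructed for this example).

```python
"""First-match evaluation of a BIND-style address match list.

Added example (not code from bind-dyndb-ldap, BIND or FreeIPA). It models
the behaviour described in the thread: BIND walks the list in order and
the first element that matches the client address decides the outcome.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample value: the list from the dnszone-mod example above.
SAMPLE_ACL = "10.0.0.1;!10.0.0.0/8;any;"


def parse_acl(acl: str) -> List[Tuple[bool, object]]:
    """Split a semicolon-separated list into ordered (negated, matcher) pairs.

    A matcher is an ip_network object or one of the keywords 'any' / 'none'.
    Order is preserved because it is significant for evaluation.
    """
    entries = []
    for raw in acl.split(";"):
        item = raw.strip()
        if not item:
            continue  # the trailing ';' leaves an empty element
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in ("any", "none"):
            entries.append((negated, item))
        else:
            # A bare address becomes a /32 (or /128) network; strict=False
            # tolerates host bits in a prefix such as 10.0.0.1/8.
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def allowed(acl: str, client: str) -> bool:
    """Return True if `client` is permitted under first-match semantics.

    A negated element that matches denies immediately, a positive one that
    matches allows; if no element matches, BIND denies by default.
    """
    addr = ipaddress.ip_address(client)
    for negated, matcher in parse_acl(acl):
        if matcher == "any":
            hit = True
        elif matcher == "none":
            hit = False
        else:
            hit = addr in matcher
        if hit:
            return not negated
    return False
```

Swapping the first two elements ("!10.0.0.0/8;10.0.0.1;any;") denies 10.0.0.1, which is why a multi-valued LDAP attribute with no defined ordering cannot carry this list.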
