On Mon, 2011-11-14 at 07:40 -0500, Stephen Gallagher wrote:
> On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
> > On 11/13/2011 02:48 PM, Simo Sorce wrote:
> > > On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> > >> Hi,
> > >>
> > >> I notice that when sssd is configured to update DNS, it's only updating
> > >> the DNS forward zone, it's not updating the DNS reverse zone. And I
> > >> cannot find any option for enabling updating of the reverse dns zone.
> > >>
> > >> Have I missed something? Or is updating the reverse zone not supported?
> > > It is not supported at this time.
> > > While we have a way to determine if your host has any right to update
> > > the machine A/AAAA name because we can check if the host authenticated
> > > using a key of type host/<A-name>@REALM we have no way to validate that
> > > a host has any right to update a PTR record.
> > >
> > > Allowing a host to change any PTR record in any reverse zone would be
> > > very disruptive as a compromised host could change PTR records for
> > > important servers.
> > >
> > Ok, I see the issue.
> > I notice ISC dhcpd adds a TXT record along with the updated record with
> > a string that identifies that host record being "owned" by that dhcpd.
> > And it does not attempt to update DNS if it cannot validate the content
> > of the TXT record, or there already exists a record without a
> > corresponding TXT record.
> > Perhaps a similar approach could be applied to IPA? Using attributes in
> > the LDAP DNS tree instead of TXT records.. ?
> SSSD doesn't use LDAP in any way while updating the DNS records. We
> actually just use GSS-TSIG to speak directly to the DNS server. We
> suggested using XML-RPC communication to the FreeIPA server at one
> point, but we decided that it was probably for the best to just stick
> with the standardized approach for now.
> The flip side of this is, of course, that we cannot update the PTR
> records (due to the security risks that Simo pointed out). So maybe we
> should consider putting this back on the table.
No, we made some vague plan to have a config option in LDAP and let
bind-dyndb-ldap autonomously change the PTR record if the A/AAAA record
change was successful and we do control the reverse.
This has one downside which is that the same DNS server must be
authoritative and manage both direct and reverse maps, but it allows for
a simpler client side.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
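The two ideas in this thread (a client may touch only the A/AAAA name embedded in its own host/<A-name>@REALM principal, and the PTR record is derived server-side after a successful forward update rather than accepted from the client) can be sketched as a small authorization model. The following is an added illustration written for this page, not code from SSSD, FreeIPA or bind-dyndb-ldap; it assumes one server that is authoritative for both the forward and the reverse zone, uses constructed zone names and addresses, and keeps records in an in-memory dict instead of a real zone file.

```python
import ipaddress
import re

# Constructed state standing in for the authoritative server's zones.
# Assumption for this example: the same server manages both the forward
# zone and the reverse zone, as the plan described in the thread requires.
FORWARD_ZONES = {"example.test"}
REVERSE_ZONES = {"1.168.192.in-addr.arpa"}   # 192.168.1.0/24, constructed
records = {}                                  # owner name -> (type, rdata)

# host/<fqdn>@<REALM>, the principal form an enrolled host authenticates with
PRINCIPAL_RE = re.compile(r"^host/(?P<fqdn>[^@/]+)@(?P<realm>[^@]+)$")


def principal_allows_forward_update(principal: str, name: str, realm: str) -> bool:
    """Authorize an A/AAAA change only when the name being changed is the
    one carried in the caller's own host principal (the check Simo describes).
    A PTR update cannot be validated this way, so no PTR rule exists here."""
    m = PRINCIPAL_RE.match(principal)
    if not m or m.group("realm") != realm:
        return False
    return m.group("fqdn").lower().rstrip(".") == name.lower().rstrip(".")


def reverse_zone_for(addr: str):
    """Return (zone, ptr_name) if addr's PTR name falls in a reverse zone we
    control, else (None, ptr_name)."""
    ptr_name = ipaddress.ip_address(addr).reverse_pointer
    for zone in REVERSE_ZONES:
        if ptr_name.endswith("." + zone):
            return zone, ptr_name
    return None, ptr_name


def apply_forward_update(principal: str, name: str, addr: str,
                         realm: str = "EXAMPLE.TEST") -> dict:
    """Apply a client's A/AAAA update, then mirror it into the PTR record
    server-side, but only if the forward update was accepted and the reverse
    zone is one we are authoritative for."""
    result = {"forward": False, "ptr": False, "ptr_name": None}
    fqdn = name.lower().rstrip(".")
    if not any(fqdn.endswith("." + z) for z in FORWARD_ZONES):
        return result
    if not principal_allows_forward_update(principal, fqdn, realm):
        return result
    ip = ipaddress.ip_address(addr)
    records[fqdn] = ("AAAA" if ip.version == 6 else "A", str(ip))
    result["forward"] = True

    zone, ptr_name = reverse_zone_for(addr)
    result["ptr_name"] = ptr_name
    if zone is not None:
        # The PTR is derived from the verified forward change; the client
        # never gets to name an arbitrary PTR owner.
        records[ptr_name] = ("PTR", fqdn)
        result["ptr"] = True
    return result


if __name__ == "__main__":
    print(apply_forward_update("host/web1.example.test@EXAMPLE.TEST",
                               "web1.example.test", "192.168.1.10"))
    print(records)
```

The reverse update is skipped silently when the address is outside a controlled reverse zone, which is exactly the limitation named in the thread: the scheme only works when the same server is authoritative for both maps.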