On 11/14/2011 01:40 PM, Stephen Gallagher wrote:
On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
On 11/13/2011 02:48 PM, Simo Sorce wrote:
On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:

I notice that when sssd is configured to update DNS, it's only updating
the DNS forward zone, it's not updating the DNS reverse zone. And I
cannot find any option for enabling updating of the reverse dns zone.

Have I missed something? Or is updating the reverse zone not supported?
It is not supported at this time.
While we have a way to determine if your host has any right to update
the machine A/AAAA name because we can check if the host authenticated
using a key of type host/<A-name>@REALM we have no way to validate that
a host has any right to update a PTR record.

Allowing a host to change any PTR record in any reverse zone would be
very disruptive as a compromised host could change PTR records for
important servers.

Ok, I see the issue.

I notice ISC dhcpd adds a TXT record along with the updated record with
a string that identifies that host record being "owned" by that dhcpd.
And it does not attempt to update DNS if it cannot validate the content
of the TXT record, or there already exists a record without a
corresponding TXT record.

Perhaps a similar approach could be applied to IPA? Using attributes in
the LDAP DNS tree instead of TXT records.. ?

SSSD doesn't user LDAP in any way while updating the DNS records. We
actually just use GSS-TSIG to speak directly to the DNS server. We
suggested using XML-RPC communication to the FreeIPA server at one
point, but we decided that it was probably for the best to just stick
with the standardized approach for now.

The flip side of this is, of course, that we cannot update the PTR
records (due to the security risks that Simo pointed out). So maybe we
should consider putting this back on the table.

We are trying to make sure (patches, configurations) that reverse
resolution is disabled for kerberos and canonicalization does not use it
by default as it is unreliable in any case.
Yes, I've noticed. :) Authentication based on forward/reverse lookups
aside, being able to look up reverse IP records does help
troubleshooting. And it becomes almost a requirement for being able to
manage IPv6 networks.

It would be very nice to see reverse address update implemented in SSSD
at some point. Is there already an open RFE?
There is no RFE for this yet. Please feel free to open one at

How about an option in SSSD for reverse update using the same GSS-TSIG, but turned off by default? IPA seem to ready for this by setting the "BIND update policy" and Dynamic update options under DNS -> reverse-zone -> Settings ?

Hopefully the admin would configure the dhcp dynamic ip range outside of where he placed the servers, or have the clients on a different subnet than the servers. Where the server reverse zone can be disabled for dynamic updates, and the client reverse zone can be enabled for dynamic updates.

At least having the option would be great. :)

Besides, if the admin manages to configure his dhcp server so that duplicate IP address allocation occour, reverse dns will be the least of his problems. :)


Freeipa-users mailing list

Reply via email to