Re: [Freeipa-devel] [PATCH] 087 Allow recursion by default

2011-06-28 Thread Rob Crittenden

Martin Kosek wrote:

I suggest adding the following doc to the end of chapter 5.6.
DNS (after the paragraphs about forwarders):

Any host is permitted to issue recursive queries against the configured
forwarders by default. When required, this behavior can be changed
in /etc/named.conf in the allow-recursion statement. Please consult the name
server documentation for details on how to edit the configuration
statement.


How to test:
1) install IPA with --setup-dns and a defined --forwarder
2) query a record not managed by the installed IPA (e.g. www.freeipa.org) from
localhost - should pass both with and without the patch
3) query a record not managed by the installed IPA from another computer on a
different subnet - fails without the patch and should pass with the
patch


Update name server configuration file to allow any host to issue
recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335



ack, pushed to master and ipa-2-0

Deon, this won't affect existing installations so this would be a 
candidate for Release Notes. Users will need to manually update 
named.conf if they want this feature.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 087 Allow recursion by default

2011-06-22 Thread Martin Kosek
I suggest adding the following doc to the end of chapter 5.6.
DNS (after the paragraphs about forwarders):

Any host is permitted to issue recursive queries against the configured
forwarders by default. When required, this behavior can be changed
in /etc/named.conf in the allow-recursion statement. Please consult the name
server documentation for details on how to edit the configuration
statement.


How to test:
1) install IPA with --setup-dns and a defined --forwarder
2) query a record not managed by the installed IPA (e.g. www.freeipa.org) from
localhost - should pass both with and without the patch
3) query a record not managed by the installed IPA from another computer on a
different subnet - fails without the patch and should pass with the
patch


Update name server configuration file to allow any host to issue
recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335

From 3dd16fab887d70675bf6359b0afdf2d32932b911 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 22 Jun 2011 08:35:50 +0200
Subject: [PATCH] Allow recursion by default

Update name server configuration file to allow any host to issue
recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335
---
 install/share/bind.named.conf.template |3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 71facbaf7f3e14f009b2aa9d6ba7a5d8bd0372af..e843b4c005cbbbee55a2f9ef5374a6a3f12dbfca 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -11,6 +11,9 @@ options {
 	forward first;
 	forwarders {$FORWARDERS};
 
+	// Any host is permitted to issue recursive queries
+	allow-recursion { any; };
+
 	tkey-gssapi-credential DNS/$FQDN;
 	tkey-domain $REALM;
 };
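Review bot: `allow-recursion { any; };` turns every IPA name server into an open recursive resolver for any client that can reach it, and open recursion on an exposed server is a well-known cache-poisoning and reflection/amplification exposure; either narrow the ACL to the client networks that need it (for example `allow-recursion { localhost; localnets; };` or an `acl` of the IPA client subnets), or keep the template comment but state in it, and in the release note requested for this change, that administrators of Internet-facing servers must tighten this statement.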
-- 
1.7.5.4
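As an added example, not part of this patch or of the FreeIPA code base, a small POSIX shell helper that scripts steps 2 and 3 of the test procedure above: it classifies a dig reply from the IPA server as recursion allowed or refused by its header, so the same probe can be run on localhost and from a host on another subnet. The function names and the two sample dig headers are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA patch: classify the answer of a dig
# probe against the IPA name server as recursion "allowed" or "refused", so
# steps 2 and 3 of the test procedure can be scripted from localhost and from
# a host on another subnet. Function names and sample outputs are constructed.

# recursion_status DIG_OUTPUT -> prints allowed | refused | unknown
recursion_status() {
    out="$1"
    # A client outside allow-recursion gets status REFUSED for names the
    # server is not authoritative for, and dig prints a warning because the
    # "ra" (recursion available) flag is missing from the reply header.
    if printf '%s\n' "$out" | grep -q 'recursion requested but not available'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q 'status: REFUSED'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^;; flags:.*[ ]ra[ ;]'; then
        echo allowed
    else
        echo unknown
    fi
}

# probe_recursion SERVER NAME: query a name the IPA server does not manage
# (e.g. www.freeipa.org) and classify the reply. Run it once on the server
# itself and once from a client on a different subnet.
probe_recursion() {
    recursion_status "$(dig @"$1" "$2" A +tries=1 +time=3 2>&1)"
}

# Constructed sample headers, in the shape dig prints them, for an offline check.
SAMPLE_ALLOWED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; WARNING: recursion requested but not available
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# selfcheck: returns 0 when both samples are classified as expected.
selfcheck() {
    [ "$(recursion_status "$SAMPLE_ALLOWED")" = allowed ] &&
    [ "$(recursion_status "$SAMPLE_REFUSED")" = refused ]
}
```

Before the patch the probe from another subnet reports "refused"; after it, "allowed" from both places, which is also the state to reconsider on a server reachable from untrusted networks.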
