ISC can accept patches with the new functionality.
Previous discussion about PTR record updates can be found in mailing list archive: https://www.redhat.com/archives/freeipa-devel/2013-March/msg00006.html
Current state - why we need a new type:
krb5-self
ms-self
tcp-self
Proposal
Add new match-types tcp-krb5-self and tcp-ms-self for secure PTR updates.
tcp-krb5-self
tcp-ms-self
Proposed match-types require the same valid signature as krb5-self and ms-self, i.e. a Kerberos principal of the form:
host/<hostname>@CONFIGURED.REALM
<hostname>$@CONFIGURED.REALM
The source IP address of the TCP connection has to exactly match the updated name, in the same way as for tcp-self.
The new PTR data sent by the client has to match the host name in the signature.
Example - an update request allowed by tcp-krb5-self:
update-policy = 'grant EXAMPLE.COM tcp-krb5-self;'
source IP address = 192.0.2.1
Kerberos principal = host/client.example.com@EXAMPLE.COM
update request = update add 2.0.192.in-addr.arpa. 3600 IN PTR client.example.com
Request above should be denied if:
Record deletion is a problem, but we tend to allow the client to delete all PTR records under the name associated with its IP address.
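The policy described above (principal form checked against the configured realm, owner name derived from the TCP source address, PTR data matched against the host name in the principal, and deletion of all PTR records under the client's own reverse name allowed) can be modelled as a small decision function. The code below is an added example written for this ticket and is not BIND's or FreeIPA's implementation of tcp-krb5-self / tcp-ms-self; the names `UpdateRequest`, `is_update_allowed` and `hostname_from_principal` are assumptions, and the reverse names are derived with Python's `ipaddress` module, which also covers IPv6 (`ip6.arpa`), going slightly beyond the IPv4 example in the ticket.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of a dynamic-update request; real requests carry TTL,
# class and possibly several prerequisites and updates, which are omitted here.
@dataclass(frozen=True)
class UpdateRequest:
    op: str               # "add" or "delete"
    name: str             # owner name of the PTR record, e.g. "1.2.0.192.in-addr.arpa."
    rdata: Optional[str]  # PTR target for "add"; None means "delete all PTR at name"


def normalize_name(name: str) -> str:
    """Lower-case a DNS name and give it exactly one trailing dot (hypothetical helper)."""
    return name.rstrip(".").lower() + "."


def reverse_name(source_ip: str) -> str:
    """Owner name the client is allowed to modify, derived from the TCP source address."""
    return ipaddress.ip_address(source_ip).reverse_pointer + "."


def hostname_from_principal(principal: str, realm: str, match_type: str) -> Optional[str]:
    """Return the host name embedded in the principal, or None if the principal
    does not have the form required by the match type or is in another realm."""
    if match_type == "tcp-krb5-self":
        # host/<hostname>@CONFIGURED.REALM
        m = re.fullmatch(r"host/([^/@]+)@(.+)", principal)
    elif match_type == "tcp-ms-self":
        # <hostname>$@CONFIGURED.REALM
        m = re.fullmatch(r"([^/@$]+)\$@(.+)", principal)
    else:
        raise ValueError(f"unknown match type {match_type!r}")
    if m is None or m.group(2) != realm:
        return None
    return normalize_name(m.group(1))


def is_update_allowed(match_type: str, realm: str, source_ip: str,
                      principal: str, request: UpdateRequest) -> bool:
    """Decide a single PTR update under 'grant <realm> <match_type>;'."""
    hostname = hostname_from_principal(principal, realm, match_type)
    if hostname is None:
        return False                      # wrong principal form or wrong realm
    if normalize_name(request.name) != reverse_name(source_ip):
        return False                      # name does not belong to the connecting address
    if request.op == "delete":
        return True                       # client may clear all PTR records under its own name
    if request.op == "add":
        return request.rdata is not None and normalize_name(request.rdata) == hostname
    return False                          # any other operation is not covered by the policy


if __name__ == "__main__":
    # Constructed request mirroring the ticket's example (192.0.2.1 reverses to
    # 1.2.0.192.in-addr.arpa.).
    req = UpdateRequest("add", "1.2.0.192.in-addr.arpa.", "client.example.com")
    print(is_update_allowed("tcp-krb5-self", "EXAMPLE.COM", "192.0.2.1",
                            "host/client.example.com@EXAMPLE.COM", req))
```

Each of the three checks maps to one sentence of the proposal, so a denial can be attributed to a specific rule when auditing a rejected update; the `delete` branch deliberately ignores `rdata`, reflecting the "delete all PTR records under its own name" allowance rather than requiring the data to match.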
Moved according to April 2, 2013 meeting.
The plan is:
Moving back to NEEDS_TRIAGE as it is not realistic to add this functionality in Fedora 20.
Metadata Update from @pspacek: - Issue assigned to someone - Issue set to the milestone: The Backlog