Currently we don't provide any way to specify a query or transfer acl. For now, we should at least allow query by default. We might later add a new idns attribute that would be used to specify the policy.
https://bugzilla.redhat.com/show_bug.cgi?id=701677
IPA implementation is ready, but there is a problem in the bind-dyndb-ldap plugin, which cannot read the values of the new idnsAllowQuery attribute. So far it looks like a bug in the openldap library. atkac is investigating.
So far atkac reported that this may be caused by an openldap bug. Pushing ticket to July milestone as it won't be resolved in June.
Moving to the next milestone - problem in openldap has not been resolved yet.
There was no response regarding the bug reported to atkac so I created a BZ ticket to improve our tracking of the bug:
https://bugzilla.redhat.com/show_bug.cgi?id=733371
Moving to the proper milestone where the blocking ticket is planned.
attachment freeipa-mkosek-197-query-and-transfer-acls.patch
How to test:
Create a new zone:
    ipa dnszone-add example.com --name-server=hostname
Test query ACL
1. Set query policy. No machine from network 10.0.0.0/8 is allowed to query for a zone, except a machine with IP address 10.0.0.1. Other machines are allowed to query for the zone.
    # ipa dnszone-mod example.com --allow-query='10.0.0.1;!10.0.0.0/8;any;'
    # service named restart
Check that the zone is queryable from a computer with address != 10.0.0.1:
    dig -t soa example.com
Check that the zone is NOT queryable from a computer with address = 10.0.0.1
Test other ACL combinations
Test zone transfer ACL
Tested in the same way as the query ACL, just use the --allow-transfer option for setting the transfer ACL and the
    dig example.com axfr
command to test if zone transfer works/is allowed.
A relevant fix in bind-dyndb-ldap upstream (ACLs cannot be an LDAP multivalued attribute as it depends on precise value order which may change in LDAP):
https://fedorahosted.org/bind-dyndb-ldap/ticket/50
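To make the test procedure's ACL and the ordering problem behind the bind-dyndb-ldap ticket concrete, here is an added example (not code from FreeIPA or bind-dyndb-ldap) that evaluates a BIND-style address match list with first-match semantics and shows that the result for some clients changes when the elements are reordered, which is why an unordered multi-valued LDAP attribute cannot carry it. The ACL string is the one from the test procedure; the client addresses are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed example: the query ACL from the ticket's test procedure.
QUERY_ACL = "10.0.0.1;!10.0.0.0/8;any;"


def split_acl(acl):
    """Split a BIND-style address match list into its elements, preserving order."""
    return [e.strip() for e in acl.split(";") if e.strip()]


def element_matches(element, addr):
    """Return (matched, negated) for one ACL element against one client address."""
    negated = element.startswith("!")
    token = element[1:].strip() if negated else element
    if token == "any":
        return True, negated
    if token == "none":
        return False, negated
    net = ipaddress.ip_network(token, strict=False)
    return (addr.version == net.version and addr in net), negated


def is_allowed(acl, client_ip):
    """BIND semantics: the first element that matches decides ('!' means deny);
    a client that matches no element at all is denied."""
    addr = ipaddress.ip_address(client_ip)
    for element in split_acl(acl):
        matched, negated = element_matches(element, addr)
        if matched:
            return not negated
    return False


def outcomes_over_orderings(acl, client_ip):
    """Evaluate the ACL under every ordering of its elements and collect the
    distinct results. More than one outcome means the decision depends on
    element order, so the ACL must be stored as a single ordered value."""
    elements = split_acl(acl)
    return {is_allowed(";".join(p), client_ip) for p in permutations(elements)}


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.5", "192.0.2.10"):
        verdict = "allowed" if is_allowed(QUERY_ACL, ip) else "denied"
        stable = len(outcomes_over_orderings(QUERY_ACL, ip)) == 1
        print(ip, verdict, "order-independent" if stable else "ORDER-DEPENDENT")
```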
Moving to next month iteration.
(In #2394) #1211 (on review) contains a plugin for dnszone modifications, we can reuse that one.
master: 8605790
ipa-2-2: c614d68
Metadata Update from @dpal: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02