https://bugzilla.redhat.com/show_bug.cgi?id=753483
IPA should support BIND forward zones, conditional forwarding based on the domain suffix of the name trying to be resolved, in addition to the global forwarders that it already supports. For example, all records that end with someDomain.example.com forwarded to 10.0.0.1.

It would be nice to be able to prioritize forwarding. Global forwarders and conditional forwarders could be ranked in a list box like:

someDomain.example.com -> 10.0.0.1 (conditional Forwarder)
* -> 192.168.1.1 (Global Forwarder)

From BIND manual: A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first to", then "forward only", or vice versa, but want to use the same servers as set globally) you need to respecify the global forwarders.
May need to file bug against bind-dyndb-ldap to add support.
Eventually this ticket will go to 3.1 backlog after pre-work is done.
bind-dyndb-ldap upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/42
The ticket was already fixed:
http://git.fedorahosted.org/git?p=bind-dyndb-ldap.git;a=commit;h=de6d75dae59eeb66f71544b4c9b6a68c9dc8fb95
Moving to the proper milestone where the blocking ticket is planned.
attachment freeipa-mkosek-198-add-dns-conditional-forwarding.patch
How to test:
example.com
example2.com
Back on the first FreeIPA server add a domain example.com that will be forwarded to the second server:
$ ipa dnszone-add example.com --name-server=hostname
Instruct bind-dyndb-ldap to forward all requests to example.com to the DNS server managed by the second FreeIPA (the example assumes that its address is 10.0.0.2):
$ ipa dnszone-mod example.com --forwarder=10.0.0.2
Now test that requests issued to the first FreeIPA server for zones other than example.com ($SOMEZONE) are resolved by this server (or one of its global forwarders):
dig -t soa $SOMEZONE
You can also see all DNS packets sent by the first FreeIPA server to make sure that no request is sent to the second FreeIPA server (10.0.0.2):
tcpdump -ni eth0 udp port 53
Now you can check that the zone example.com is really forwarded to and resolved by the second FreeIPA server:
dig -t soa example.com
You can also set --forward-policy and use tcpdump to check that when it's set to first or no value it forwards the request to both the second FreeIPA server and the configured global forwarders, and that when it's set to only it forwards the request only to the second FreeIPA server.
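The tcpdump checks in the test procedure above are done by eye. The following script is an added example (not part of the ticket or of FreeIPA) that automates the same comparison: it parses outgoing query lines in the shape `tcpdump -ni eth0 udp port 53` prints them, splits them by whether the queried name is in the conditionally forwarded zone, and reports any destination that the forward policy should not have produced. The capture lines, the addresses (10.0.0.1 first server, 10.0.0.2 second server, 192.168.1.1 global forwarder) and the `check_forwarding` helper are all constructed for this illustration.

```python
import re

# Constructed tcpdump lines (not captured from the ticket's setup), in the shape
# `tcpdump -ni eth0 udp port 53` prints them. Assumed addresses: 10.0.0.1 is the
# first FreeIPA server, 10.0.0.2 the second one, 192.168.1.1 a global forwarder.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.1.40001 > 10.0.0.2.53: 1001+ SOA? example.com. (29)
12:00:01.000002 IP 10.0.0.2.53 > 10.0.0.1.40001: 1001* 1/0/0 SOA (80)
12:00:01.000003 IP 10.0.0.1.40002 > 10.0.0.2.53: 1002+ A? www.example.com. (33)
12:00:01.000004 IP 10.0.0.1.40003 > 192.168.1.1.53: 1003+ SOA? example2.com. (30)
"""

# Outgoing query line: "<src>.<port> > <dst>.53: <id>+ [flags] <TYPE>? <name>."
# Replies (source port 53, no "TYPE?" token) deliberately do not match.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: "
    r"\d+\+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+)"
)


def parse_queries(capture):
    """Return (dst, qtype, name) for every outgoing query line; replies are skipped."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            queries.append((m.group("dst"), m.group("qtype"), name))
    return queries


def in_zone(name, zone):
    """True if name is the zone apex or lies below it (label-aware, so
    'notexample.com' is not treated as part of 'example.com')."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def destinations_by_zone(capture, zone):
    """Split query destinations into those for names in `zone` and all other names."""
    dests = {"in_zone": set(), "other": set()}
    for dst, _qtype, name in parse_queries(capture):
        dests["in_zone" if in_zone(name, zone) else "other"].add(dst)
    return dests


def check_forwarding(capture, zone, zone_forwarder, global_forwarders, policy="only"):
    """Compare observed destinations with what the forward policy should produce.

    policy 'only': queries for `zone` may go to the conditional forwarder and nowhere else.
    policy 'first': they may additionally reach the global forwarders.
    Queries for other names must never reach the conditional forwarder.
    Returns a list of human-readable violations; an empty list means the capture
    matches expectations."""
    dests = destinations_by_zone(capture, zone)
    allowed = {zone_forwarder}
    if policy == "first":
        allowed |= set(global_forwarders)
    problems = []
    if dests["in_zone"] and zone_forwarder not in dests["in_zone"]:
        problems.append(f"queries for {zone} never reached conditional forwarder {zone_forwarder}")
    for dst in sorted(dests["in_zone"] - allowed):
        problems.append(f"query for {zone} sent to {dst}, not allowed under policy '{policy}'")
    if zone_forwarder in dests["other"]:
        problems.append(f"query outside {zone} leaked to conditional forwarder {zone_forwarder}")
    return problems


if __name__ == "__main__":
    # Feed a real capture with: tcpdump -nli eth0 udp port 53 > capture.txt
    # and pass its contents instead of SAMPLE_CAPTURE.
    violations = check_forwarding(SAMPLE_CAPTURE, "example.com", "10.0.0.2", ["192.168.1.1"], "only")
    print("OK" if not violations else "\n".join("VIOLATION: " + v for v in violations))
```

Run it against a file produced by `tcpdump -nli eth0 udp port 53` (line-buffered so the output can be redirected) with the zone, the second server's address, the global forwarders and the `--forward-policy` value under test; an empty violation list is the pass condition for that policy.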
I filed a relevant bug (conditional forwarding does not work when the forwarded zone is a sub-zone of other managed zone):
https://bugzilla.redhat.com/show_bug.cgi?id=784820
Moving to next month iteration.
master: 210d913
ipa-2-2: ec937dc
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02