Issue #2176: GSS-TSIG DNS updates should update reverse entries as well - freeipa

freeipa

#2176 GSS-TSIG DNS updates should update reverse entries as well

Closed: Fixed None Opened 12 years ago by sgallagh.

Cloned Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=767725

Moved to FreeIPA from https://fedorahosted.org/sssd/ticket/1089

Customers have requested on the mailing lists that updating DNS entries with SSSD should also update the reverse entry in DNS. For security reasons, we cannot have SSSD do this with GSS-TSIG (because it would require giving each client the capability to update any reverse entry in the domain).

Our recommended solution would be to add a plugin to the BIND LDAP driver to allow it to set the reverse entry automatically whenever the forward entry is updated.

mkosek commented 12 years ago

This was already fixed in bind-dyndb-ldap upstream: https://fedorahosted.org/bind-dyndb-ldap/ticket/33

We just have to add some means of per-zone configuration to FreeIPA DNS module. bind-dyndb-ldap upstream ticket is already worked on:

https://fedorahosted.org/bind-dyndb-ldap/ticket/39

dpal commented 12 years ago

This is to track server side.

dpal commented 12 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=767725

mkosek commented 12 years ago

attachment
freeipa-mkosek-199-add-api-for-ptr-sync-control.patch

mkosek commented 12 years ago

A relevant bug I filed: https://bugzilla.redhat.com/show_bug.cgi?id=784815

mkosek commented 12 years ago

How to test:

Install FreeIPA server with DNS support
Install FreeIPA client and enroll it to the server
Go to client and get host/$HOST@$REALM

/usr/bin/kinit -k -t /etc/krb5.keytab host/hostname
Prepare data for nsupdate to update. The example below will create/update forward record in zone example.com managed by FreeIPA server:

cat nsupdate.txt

zone exaple.com.
update delete client.example.com. IN A
send
update add client.example.com. 1200 IN A 10.0.0.2
send
Run the update:

/usr/bin/nsupdate -g nsupdate.txt
Now, if the relevant zones on the server do not have PTR sync enabled:

ipa dnszone-show ZONE

...
Allow PTR sync: TRUE

then no PTR record should be created in appropriate reverse zone and just the forward record for client.example.com. should be created.
7. If you allow PTR sync for relevant zones (dnszone-mod ZONE --allow-sync-ptr=1) and restart the name server, the nsupdate command should also create PTR record in the reverse zone.

mkosek commented 12 years ago

Moving to next month iteration.

mkosek commented 12 years ago

master: 1c898e3[[BR]]
ipa-2-2: 40063c0

Metadata Update from @sgallagh:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago

Metadata

Assignee

mkosek

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 2.2 Core Effort - 2012/02

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

2215

test_case

None

component

DNS

blocking

2351

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=767725

tester

None

changelog

None

design

None

freeipa

Source Code

#2176 GSS-TSIG DNS updates should update reverse entries as well Closed: Fixed None Opened 12 years ago by sgallagh.

cat nsupdate.txt

ipa dnszone-show ZONE

Metadata

#2176 GSS-TSIG DNS updates should update reverse entries as well

Closed: Fixed None Opened 12 years ago by sgallagh.