For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, one also needs to create an update policy:
ipa dnszone-mod example.com --dynamic-update=TRUE \
    --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
It can be difficult to create this policy for regular users; we should rather fill in the policy by default and let the user just switch dynamic updates on or off:
ipa dnszone-mod example.com --dynamic-update=TRUE
ipa dnszone-mod example.com --dynamic-update=FALSE
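An added example, not part of the ticket or of FreeIPA's code: a Python check that a zone's update policy grants nothing beyond the krb5-self A/AAAA/SSHFP rules shown above. The function names and the second sample policy are constructed for illustration, and the parser assumes every rule has the `action identity ruletype name [types]` shape used in this ticket.

```python
# Baseline taken from the policy in the ticket description.
ALLOWED_RULETYPE = "krb5-self"
ALLOWED_TYPES = {"A", "AAAA", "SSHFP"}

def parse_update_policy(policy):
    """Split an update-policy string into rule dicts (assumed 4+ field form)."""
    rules = []
    for raw in policy.split(";"):
        fields = raw.split()
        if not fields:
            continue  # empty piece after the trailing semicolon
        if len(fields) < 4 or fields[0] not in ("grant", "deny"):
            raise ValueError(f"malformed rule: {raw.strip()!r}")
        action, identity, ruletype, name, *types = fields
        rules.append({"action": action, "identity": identity,
                      "ruletype": ruletype, "name": name,
                      "types": [t.upper() for t in types]})
    return rules

def audit_update_policy(policy, realm):
    """Return findings for grant rules wider than the ticket's baseline."""
    findings = []
    for r in parse_update_policy(policy):
        if r["action"] != "grant":
            continue  # deny rules cannot widen access
        label = f"{r['identity']} {r['ruletype']} {r['name']}"
        if r["ruletype"] != ALLOWED_RULETYPE:
            findings.append(f"{label}: rule type is not {ALLOWED_RULETYPE}")
        if r["identity"] != realm:
            findings.append(f"{label}: identity is not realm {realm}")
        if not r["types"]:
            findings.append(f"{label}: no record types listed")
        extra = sorted(set(r["types"]) - ALLOWED_TYPES)
        if extra:
            findings.append(f"{label}: extra record types {extra}")
    return findings

# Policy string from the ticket description.
DEFAULT_POLICY = ("grant EXAMPLE.COM krb5-self * A; "
                  "grant EXAMPLE.COM krb5-self * AAAA; "
                  "grant EXAMPLE.COM krb5-self * SSHFP;")
# Constructed sample of a hand-edited policy that drifted wider.
WIDE_POLICY = ("grant EXAMPLE.COM krb5-self * A TXT; "
               "grant EXAMPLE.COM krb5-subdomain example.com. ANY;")

if __name__ == "__main__":
    for finding in audit_update_policy(WIDE_POLICY, "EXAMPLE.COM"):
        print(finding)
```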
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=798355
attachment freeipa-mkosek-271-fill-new-dns-zone-update-policy-by-default.patch
Patch freeipa-mkosek-271-fill-new-dns-zone-update-policy-by-default.patch sent for review
master: c06cbb1
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 1