The IPA DNS interface allows users to add DNS zones to IPA even if the very same zone is already configured on different servers.
This ultimately leads to chaos where different sets of clients see different (non-synchronized) sets of data without any obvious reason. The situation is even worse if the zone is signed, because some subset of clients will detect this as an attack and refuse data for this zone.
The commands ipa dnszone-add and ipa dnsforwardzone-add should test for the existence of the zone (simply by querying for the SOA record) and refuse to add the zone if the name already exists.
We should provide a --force switch as an override.
Related tickets: #3681, #5014
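The pre-flight check the ticket asks for, as an added example that is not FreeIPA's own code: one SOA query on the wire (hand-built with struct, no dnspython) against a recursive resolver, the reply classified into "free", "zone exists", "name exists" or "unknown", and a policy that adds the zone only when the name is provably free unless --force is given. The resolver address, the query id, the Verdict names and the constructed replies used for offline testing are all assumptions of this example; the decision to treat SERVFAIL, REFUSED, timeouts and malformed replies as "unknown" (fail closed) is a design choice here, not something the ticket specifies.

```python
"""Pre-flight existence check for a DNS zone name before `ipa dnszone-add`.
Added example, not FreeIPA code. Sends a single <name> IN SOA query over UDP,
classifies the reply, and refuses to proceed unless the name is free or --force
is given. Names are assumed to be plain ASCII (no IDNA handling)."""
import enum
import socket
import struct
import sys

SOA, IN = 6, 1
NOERROR, NXDOMAIN = 0, 3


class Verdict(enum.Enum):
    FREE = "free"                 # NXDOMAIN: nobody serves this name, safe to add
    ZONE_EXISTS = "zone exists"   # SOA in the answer: this apex is already served somewhere
    NAME_EXISTS = "name exists"   # NOERROR without SOA: name is in use inside another zone
    UNKNOWN = "unknown"           # SERVFAIL/REFUSED/timeout/garbage: cannot tell, fail closed


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid):
    """Standard query with RD set: header, then one question <name> IN SOA."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SOA, IN)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(buf, qid):
    """Return (rcode, set of RR types in the answer section), or None when buf is
    not a well-formed response to our query id."""
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
        if rid != qid or not flags & 0x8000:   # wrong id, or QR bit clear (not a reply)
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(buf, off) + 4        # skip QTYPE + QCLASS
        types = set()
        for _ in range(an):
            off = skip_name(buf, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            types.add(rtype)
            off += 10 + rdlen
        return flags & 0x000F, types
    except (struct.error, IndexError):
        return None


def classify(parsed):
    """Map a parsed reply to a Verdict. An SOA query at a real apex always answers
    with an SOA, so NOERROR without one means the name exists below some other apex."""
    if parsed is None:
        return Verdict.UNKNOWN
    rcode, types = parsed
    if rcode == NXDOMAIN:
        return Verdict.FREE
    if rcode == NOERROR:
        return Verdict.ZONE_EXISTS if SOA in types else Verdict.NAME_EXISTS
    return Verdict.UNKNOWN


def may_add_zone(verdict, force=False):
    """Policy from the ticket: proceed only if the name is provably free, or --force."""
    return verdict is Verdict.FREE or force


def query_soa(name, server, qid=0x1234, timeout=2.0):
    """Send the query to a recursive resolver on UDP/53 and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except OSError:                    # timeout, ICMP unreachable, etc.
        return Verdict.UNKNOWN
    finally:
        sock.close()
    return classify(parse_response(data, qid))


def constructed_reply(name, qid, rcode, with_soa):
    """Constructed sample reply (not captured traffic) for offline testing."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if with_soa else 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", SOA, IN)
    if with_soa:
        rdata = (encode_name("ns1." + name) + encode_name("hostmaster." + name)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # usage: check_zone.py <zone> <resolver-ip> [--force]
    zone, resolver = sys.argv[1], sys.argv[2]
    verdict = query_soa(zone, resolver)
    ok = may_add_zone(verdict, force="--force" in sys.argv)
    print("%s: %s -> %s" % (zone, verdict.value, "add" if ok else "refuse"))
    sys.exit(0 if ok else 1)
```

The check is only as good as the resolver's view: a resolver that cannot reach the servers already authoritative for the name, or that is itself one of the conflicting IPA servers, will happily answer NXDOMAIN, which is why the override is an explicit --force rather than something the script decides on its own.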
FreeIPA 4.2.1 was released, moving to 4.2.x.
master:
FreeIPA now checks whether the specified DNS domains exist prior to adding a DNS domain to the integrated DNS, and refuses to add conflicting domain definitions.
Metadata Update from @pspacek: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.3