Currently DNAME records are not checked properly.
New checks:
RFC 6672 section 2.3:
<snip> The domain name that owns a DNAME record is allowed to have other resource record types at that domain name, except DNAMEs, CNAMEs, or other types that have restrictions on what they can coexist with. <snip> DNAME RRs MUST NOT appear at the same owner name as an NS RR unless the owner name is the zone apex; if it is not the zone apex, then the NS RR signifies a delegation point, and the DNAME RR must in that case appear below the zone cut at the zone apex of the child zone. If a DNAME record is present at the zone apex, there is still a need to have the customary SOA and NS resource records there as well. Such a DNAME cannot be used to mirror a zone completely, as it does not mirror the zone apex.
RFC 6672 section 2.4:
DNAME is a singleton type, meaning only one DNAME is allowed per name. The owner name of a DNAME can only have one DNAME RR, and no CNAME RRs can exist at that name. These rules make sure that for a single domain name, only one redirection exists; thus, there's no confusion about which one to follow. A server ought to refuse to load a zone that violates these rules.
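The coexistence rules quoted from RFC 6672 above can be checked mechanically before a zone is loaded. The following is an added example written for this ticket, not code from FreeIPA or bind-dyndb-ldap: it takes a minimal in-memory view of a zone as (owner, rrtype) pairs, an assumed representation chosen for illustration, and reports every owner name that breaks the singleton, CNAME, delegation-point or apex rules. The sample zone at the bottom is constructed, not real data.

```python
"""Validator for the RFC 6672 section 2.3 / 2.4 DNAME coexistence rules.

Added illustration, not project code. A zone is represented as a list of
(owner, rrtype) tuples; RDATA is irrelevant to these checks so it is omitted.
"""
from collections import Counter, defaultdict


def _norm(name):
    """Normalise a DNS name for comparison: lower case, no trailing dot."""
    return name.rstrip(".").lower()


def check_dname_rules(apex, records):
    """Return a list of violations (strings) of RFC 6672 2.3 / 2.4.

    apex:    the zone apex name, e.g. "example.test."
    records: iterable of (owner, rrtype) pairs for every RR in the zone
    An empty list means the zone may be loaded as far as DNAME is concerned.
    """
    apex = _norm(apex)
    types_at = defaultdict(Counter)          # owner -> Counter of rrtypes
    for owner, rrtype in records:
        types_at[_norm(owner)][rrtype.upper()] += 1

    violations = []
    for owner, counts in types_at.items():
        if counts["DNAME"] == 0:
            continue                          # other owners are unconstrained here
        # 2.4: DNAME is a singleton type, one DNAME RR per owner name.
        if counts["DNAME"] > 1:
            violations.append(f"{owner}: {counts['DNAME']} DNAME RRs, only one allowed")
        # 2.3 / 2.4: no CNAME may exist at a DNAME owner name.
        if counts["CNAME"]:
            violations.append(f"{owner}: CNAME and DNAME cannot coexist")
        # 2.3: NS at a DNAME owner is only allowed at the zone apex;
        # anywhere else the NS marks a delegation point.
        if counts["NS"] and owner != apex:
            violations.append(f"{owner}: DNAME at a delegation point (NS below apex)")
        # 2.3: a DNAME at the apex still needs the customary SOA and NS.
        if owner == apex:
            for required in ("SOA", "NS"):
                if not counts[required]:
                    violations.append(f"{owner}: DNAME at apex but no {required} RR")
    return violations


# Constructed sample zone: one valid DNAME owner and three violating ones.
SAMPLE_ZONE = [
    ("example.test.", "SOA"),
    ("example.test.", "NS"),
    ("old.example.test.", "DNAME"),     # allowed: DNAME may coexist with A
    ("old.example.test.", "A"),
    ("alias.example.test.", "DNAME"),   # violation: CNAME at the same owner
    ("alias.example.test.", "CNAME"),
    ("sub.example.test.", "NS"),        # violation: DNAME at a delegation point
    ("sub.example.test.", "DNAME"),
    ("dup.example.test.", "DNAME"),     # violation: two DNAME RRs
    ("dup.example.test.", "DNAME"),
]

if __name__ == "__main__":
    for problem in check_dname_rules("example.test.", SAMPLE_ZONE):
        print("refusing to load zone:", problem)
```

The check runs on owner names and record types only, so it can be applied to an LDAP-backed zone as easily as to a zone file; the apex case is worth keeping explicit, since a DNAME there is legal but, as the RFC text notes, does not mirror the apex itself.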
This work is related to IPA ticket #3440 and bind-dyndb-ldap ticket #63.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=915805
Moving unfinished March tickets to April milestone.
master: 30a1bc1
Metadata Update from @pspacek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)