#4149 [RFE] Support DNS root zone in LDAP
Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1056202

Description of problem:

In BETA testing RHEL7 and the IPA/IdM, it is discovered that root hints are
enabled when --setup-dns is specified. On isolated and secure networks, this is
a security configuration finding (specifically DISA STIG finding).

Suggested solution:
A way to fix this with IPA/IdM would be to add an option in the webui DNS
configuration to disable root hints as well as an ipa dnsconfig-mod option.

Proposed solution: Add ability to manage DNS root zone in IPA (instead of managing root hints). This is expected to require some changes in bind-dyndb-ldap: See ticket #122.

Support for this can't be implemented in bind-dyndb-ldap until #3210 is implemented on FreeIPA side of things.

Ok. Moving to further release.

It is too late to have this feature in 4.0 GA, prerequisite ticket #3210 is not finished yet - moving to next release.

Prerequisite ticket #3210 is close to being finished, moving to a sooner release as this ticket would then only mean allowing the "." DNS zone in FreeIPA.

Removing the root zone causes a bind-dyndb-ldap error; bind is stopped.

https://fedorahosted.org/bind-dyndb-ldap/ticket/138

ipa-4-1:

  • c32b89d Fix DNS plugin to allow to add root zone
  • 72e0b33 DNS test: allow '.' as zone name
  • 18460d6 Deprecation of --name-server and --ip-address option in DNS
  • 637a082 Add correct NS records during installation
  • bf61689 DNS: autofill admin email
  • c675808 WebUI: DNS: Remove ip-address, admin-email options
  • b7e3a99 DNS tests: tests update due to change in options

master:

  • f846e0d Fix DNS plugin to allow to add root zone
  • 94743a3 DNS test: allow '.' as zone name
  • 7bc17bb Deprecation of --name-server and --ip-address option in DNS
  • 7e24e24 Add correct NS records during installation
  • 239adf9 DNS: autofill admin email
  • 23620a4 WebUI: DNS: Remove ip-address, admin-email options
  • bc2eaa1 DNS tests: tests update due to change in options

We also need to update ipa dns help page to reflect the changes in dnszone-add CLI. This is wrong:

   ipa dnszone-add example.com --name-server=ns \
                               --admin-email=admin@example.com \
                               --ip-address=192.0.2.1

   ipa dnszone-add --name-from-ip=192.0.2.0/24 \
                   --name-server=ns.example.com.

--name-server and --ip-address should probably not be used in help at all.

master:

  • 3f8cfda Remove --ip-address, --name-server options from DNS help

ipa-4-1:

  • 0f2eb65 Remove --ip-address, --name-server options from DNS help

Bug: ipa-server-install --uninstall doesn't remove all replica NS records

A replica should be uninstalled with the ipa-replica-manage del command, which removes all replica NS records. There is no guarantee that ipa-server-install --uninstall will be able to connect to LDAP.

This is not a big issue and the ticket can be closed.

Using ipa-replica-manage del is required to uninstall replica.

This works, closing ticket.

Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.1

7 years ago
