Bug 1269947

Summary: [RFE] IPA DNS with LDAP slave mode support
Product: Red Hat Enterprise Linux 7
Reporter: kludhwan
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: Namita Soman <nsoman>
Severity: medium
Priority: unspecified
Version: 7.3
CC: mkosek, pspacek, pvoborni, rcritten
Target Milestone: rc
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Type: Bug
Last Closed: 2015-10-27 12:08:50 UTC

Description kludhwan 2015-10-08 14:40:58 UTC
1. What is the nature and description of the request?  

Need to be able to create a slave zone on IPA DNS servers, and the zone must be replicated via LDAP. It must be possible to configure in the web GUI the address of the master server from which the zone is to be transferred. It must be possible to configure in the web GUI the TSIG key for the zone transfer.

2. Why do you need this? (List the business requirements here)

We have many sites, and at those sites we have one or more IPA servers. It is hard to configure and maintain the named.conf file on every IPA server. It would be much easier if a zone, once configured, were replicated to every site/IPA server.

3. How would you like to achieve this? (List the functional requirements here) 

Web GUI/CLI settings to configure a slave zone: a master server address option and a TSIG key option. Replicate the zone between all IPA servers via LDAP. Be able to receive and react to NOTIFY.

4. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.  

Create a standalone authoritative DNS server based on BIND, NSD or another implementation. Create a master zone. Configure it to transfer to the IPA server. On the IPA server, create a slave zone and configure it to transfer from the master DNS server. Change the SOA serial number on the master; the slave must receive the NOTIFY and transfer the new zone from the master.


5. Do you have any specific timeline dependencies, and which release would you like to target (i.e. RHEL6, RHEL7)?

RHEL 7. As soon as possible. We need this functionality today. 

6. List any affected packages or components.

BIND, bind-dyndb-ldap, ipa-admin-tools

7. Would you be able to assist in testing this functionality if implemented?

Yes

Comment 2 Petr Spacek 2015-10-09 11:45:05 UTC
This can be implemented, but LDAP would be used only for configuration, not for zone data. I.e. BIND on slaves will be configured with master IP addresses and keys from LDAP, but zone data will be transferred from the master to files on disk, not to LDAP.

In other words, every IPA DNS server would transfer the data from master independently.

Comment 3 Petr Vobornik 2015-10-13 10:30:52 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5363

Comment 4 Petr Vobornik 2015-10-13 10:33:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5364

Ticket 5363 was added by mistake.

Comment 6 Martin Kosek 2015-10-27 12:08:50 UTC
The development team discussed this RFE. What the customer is asking for is currently achievable through manual BIND name server configuration that is present on the base RHEL system. Just for the record, a standalone DNS name server can serve as a slave for zones managed by IdM, as IdM supports zone transfers.

An IdM DNS server being a slave DNS for a DNS zone *not* managed by IdM is not a use case we are targeting with IdM and its LDAP storage/interface for DNS records. This should rather be done via BIND configuration.

I am thus closing the request as WONTFIX.
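As an added illustration of the manual BIND configuration that Comment 2 and Comment 6 refer to, and of the test procedure in item 4 of the description (this is example configuration written for this page, not configuration from the bug report, from FreeIPA or from bind-dyndb-ldap): a standalone BIND master serving a zone, and a BIND slave on a second host pulling that zone over a TSIG-authenticated transfer and accepting signed NOTIFY. The zone name `example.test`, the 192.0.2.0/24 addresses, the key name `xfer-key`, the file paths and the secret placeholder are all assumptions.

```conf
// Added example (not from the bug or the FreeIPA project). Hosts, addresses,
// zone name, key name and file paths are placeholders.
//
// Generate one real secret and install the identical key stanza on both
// hosts (for example in a file readable only by the named user, pulled in
// with an include statement):
//     tsig-keygen -a hmac-sha256 xfer-key
// Never reuse the placeholder value below.

// ---- master: standalone authoritative BIND at 192.0.2.10 -----------------
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen==";
};

zone "example.test" {
    type master;
    file "/var/named/example.test.db";
    // Allow AXFR/IXFR only to requests signed with the key. Restricting by
    // source address alone is weaker: addresses are easy to spoof, a TSIG
    // MAC over the message is not.
    allow-transfer { key "xfer-key"; };
    // Send NOTIFY to the slave (signed), so it pulls immediately after the
    // SOA serial is bumped instead of waiting for the refresh timer.
    also-notify { 192.0.2.53 key "xfer-key"; };
    // Notify only the hosts listed above, not every NS in the zone.
    notify explicit;
};

// ---- slave: BIND on a second host at 192.0.2.53 ---------------------------
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen==";
};

zone "example.test" {
    type slave;
    // Directory must be writable by named; the slave stores the transferred
    // zone here, which is the on-disk copy Comment 2 describes.
    file "/var/named/slaves/example.test.db";
    // SOA refresh queries and AXFR/IXFR toward the master are signed with
    // the key, so the master's allow-transfer ACL above admits them.
    masters { 192.0.2.10 key "xfer-key"; };
    // Accept NOTIFY only when it is signed with the key; unsigned NOTIFY
    // from anyone else is ignored, so a third party cannot trigger
    // transfers or probe the zone's serial.
    allow-notify { key "xfer-key"; };
    // The slave is not a transfer source for anybody by default.
    allow-transfer { none; };
};
```

To run the check from item 4 of the description: raise the SOA serial in the master's zone file, run `rndc reload example.test` on the master, then compare `dig @192.0.2.10 example.test SOA +short` with `dig @192.0.2.53 example.test SOA +short`; the slave's serial should match within seconds because of the NOTIFY, rather than after the SOA refresh interval. For the direction Comment 6 says is supported (a standalone BIND acting as slave for a zone IdM manages), the master side is not edited in named.conf but set on the LDAP-stored zone, e.g. `ipa dnszone-mod example.test --allow-transfer='192.0.2.53;'`; note that this form of the ACL is address-based, so the slave host's address is what is trusted there.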