Bug 701677

Summary: Allow specifying query and transfer policy settings for a zone
Product: Red Hat Enterprise Linux 6
Reporter: Adam Tkac <atkac>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Docs Contact:
Priority: high
Version: 6.0
CC: benl, dpal, grajaiya, jgalipea, kevinu, lucas.yamanishi, mgregg, mkosek, ovasik, syeghiay
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Enhancement
Doc Text:
Cause: DNS plugin does not allow setting query or transfer policy for a zone managed by IPA. Consequence: Users could not control who can query or transfer the zones in the same way they do with zones stored in plain text files. Fix: Users can set ACLs for every zone managed by IPA. Result: User can control who can query their zones or run zone transfers.
Story Points: ---
Clone Of: 667729
Environment:
Last Closed: 2012-06-20 13:13:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 667729, 733371, 766233
Bug Blocks: 667704, 756082

Comment 1 Adam Tkac 2011-05-03 14:28:05 UTC
FreeIPA schema should allow specifying the following attributes for the idnsZone attribute:

attributetype ( 2.16.840.1.113730.3.8.5.11
        NAME 'idnsAllowQuery'
        DESC 'BIND9 allow-query ACL element'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 2.16.840.1.113730.3.8.5.12
        NAME 'idnsAllowTransfer'
        DESC 'BIND9 allow-transfer ACL element'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Those attributes allow setting ACLs for querying/transferring DNS zone content.
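The two attributes above hold BIND-style address match lists ("any;", "192.0.2.0/24; !192.0.2.99;", and so on), and the risk this bug addresses is that without them every IPA-managed zone inherits the server-wide transfer policy. The following is an added example, not code from the bug report or from FreeIPA: it evaluates such a list the way BIND does (first matching element decides, a "!" element that matches denies, no match denies) and lints a zone entry whose idnsAllowTransfer is open to everyone. The zone entries, the multi-valued join and the supported subset of elements (any, none, localhost, addresses, CIDR prefixes; no localnets, TSIG keys or named ACLs) are assumptions made for the example.

```python
"""Added example: evaluate BIND-style address match lists as stored in
idnsAllowQuery / idnsAllowTransfer and lint a zone for an open transfer ACL.
Not FreeIPA code; entries below are constructed for illustration."""
import ipaddress

# Constructed zone entries as they might be read back from LDAP.
# The attribute names are the ones proposed in this bug; the values are assumptions.
WEAK_ZONE = {
    "idnsName": ["example.test."],
    "idnsAllowQuery": ["any;"],
    "idnsAllowTransfer": ["any;"],  # any host may pull the whole zone
}
HARDENED_ZONE = {
    "idnsName": ["example.test."],
    "idnsAllowQuery": ["any;"],
    "idnsAllowTransfer": ["192.0.2.53; 2001:db8::53; none;"],  # secondaries only
}


def parse_acl(value):
    """Split 'a; !b; c;' into [(negated, token), ...], preserving order."""
    elements = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        elements.append((negated, token))
    return elements


def element_matches(token, addr):
    """Does one (un-negated) element match the client address?"""
    if token == "any":
        return True
    if token == "none":
        return False  # 'none' never matches, so evaluation falls through
    if token == "localhost":
        return addr.is_loopback
    network = ipaddress.ip_network(token, strict=False)  # single address or prefix
    return network.version == addr.version and addr in network


def is_allowed(acl_value, client):
    """BIND semantics: the first matching element decides; a negated match
    denies; if nothing matches the client is denied."""
    addr = ipaddress.ip_address(client)
    for negated, token in parse_acl(acl_value):
        if element_matches(token, addr):
            return not negated
    return False


def acl_from_entry(entry, attribute):
    """Join a possibly multi-valued LDAP attribute into one match list (assumption)."""
    values = entry.get(attribute, [])
    return "; ".join(v.strip().rstrip(";") for v in values if v.strip()) + ";"


def audit_zone(entry):
    """Lint findings: a policy attribute left unset, or an un-negated 'any'
    element in the transfer ACL (every host may run AXFR)."""
    name = entry["idnsName"][0]
    findings = []
    for attribute in ("idnsAllowQuery", "idnsAllowTransfer"):
        if not entry.get(attribute):
            findings.append(f"{name}: {attribute} unset, server default applies")
    transfer = acl_from_entry(entry, "idnsAllowTransfer")
    if any(token == "any" and not negated for negated, token in parse_acl(transfer)):
        findings.append(f"{name}: idnsAllowTransfer grants zone transfers to any host")
    return findings


if __name__ == "__main__":
    for zone in (WEAK_ZONE, HARDENED_ZONE):
        print(zone["idnsAllowTransfer"], audit_zone(zone) or "ok")
        for client in ("192.0.2.53", "203.0.113.7"):
            print("  transfer from", client, "->",
                  is_allowed(acl_from_entry(zone, "idnsAllowTransfer"), client))
```

The ordering rule is the part worth checking against real zones: "192.0.2.0/24; !192.0.2.99;" still admits 192.0.2.99 because the prefix matches first, so a deny element only takes effect when it precedes the element it is meant to override.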

Comment 4 Dmitri Pal 2011-05-09 22:31:38 UTC
https://fedorahosted.org/freeipa/ticket/1211

Comment 8 Martin Kosek 2012-02-24 09:07:30 UTC
Fixed upstream:

master: 860579022532ee4133fc74e8f916cb40dc3ea239
ipa-2-2: c614d6801389bcbf7c06bed8ba051979f478d2cb

Comment 11 Gowrishankar Rajaiyan 2012-03-28 10:41:52 UTC
Verified: 
ipa-server-2.2.0-5.el6.x86_64
bind-9.8.2-0.6.rc1.el6.x86_64
bind-dyndb-ldap-1.1.0-0.5.b1.el6.x86_64

Comment 12 Martin Kosek 2012-04-18 20:01:53 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: DNS plugin does not allow setting query or transfer policy for a zone managed by IPA.
Consequence: Users could not control who can query or transfer the zones in the same way they do with zones stored in plain text files.
Fix: Users can set ACLs for every zone managed by IPA.
Result: User can control who can query their zones or run zone transfers.

Comment 15 errata-xmlrpc 2012-06-20 13:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html