Bug 713798
Summary: | Set allow-recursion by default in IPA DNS | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Marko Myllynen <myllynen>
Component: | ipa | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 6.1 | CC: | benl, dpal, grajaiya, jgalipea, ssorce
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-2.1.0-1.el6 | Doc Type: | Bug Fix
Doc Text: | Cause: DNS lookups not forwarded if they originate in a subnet not managed by IPA. Consequence: DNS lookups for names outside the IPA domain will not work on some subnets. Fix: Configure the DNS server to allow recursion by default. Result: The IPA DNS will forward requests even from subnets it does not control. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2011-12-06 18:34:05 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Marko Myllynen
2011-06-16 14:52:09 UTC
A bit of history. The problem we found is that if clients are in a different subnet they will not be allowed to get any forwarded query resolved. This means that if you configure these clients to use FreeIPA's DNS server they will be allowed to query any name in all the FreeIPA DNS managed zones, but forwarding to resolve any other names will not work. Given we do allow to configure forwarders we should also do either:

- allow recursion by default and let the admin close it down if they want it.
- ask for the addresses of the subnets the server needs to serve at ipa-dns-install time and add each of these subnets to the allow-recursion configuration option in the global options.

I think that setting allow-recursion any is an acceptable compromise to make things work out of the box without affecting security too much.

master: 5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9
ipa-2-0: 99669f5f0cce625579c81e356a9503e092a50809

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: DNS lookups not forwarded if they originate in a subnet not managed by IPA.
Consequence: DNS lookups for names outside the IPA domain will not work on some subnets.
Fix: Configure the DNS server to allow recursion by default.
Result: The IPA DNS will forward requests even from subnets it does not control.

Verified.

```
[root@ipaqavma ~]# rpm -qi ipa-server | head
Name        : ipa-server                       Relocations: (not relocatable)
Version     : 2.1.3                                 Vendor: Red Hat, Inc.
Release     : 9.el6                             Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:32:36 AM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base           Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                              License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavma ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
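As an added example (not code from this bug report or from FreeIPA), the following Python models BIND's allow-recursion ACL matching so an administrator can check which client subnets would have their forwarded queries refused under a given named.conf: the pre-fix state where the option is absent and BIND's localnets/localhost default applies, the `allow-recursion { any; }` fix, and the explicit-subnet alternative the reporter describes. The LOCALNETS value and the named.conf fragments are constructed, and the localhost ACL is simplified to loopback.

```python
import ipaddress
import re

# Assumed interface networks of the IPA DNS server: BIND derives its
# built-in "localnets" ACL from the server's interfaces, and this
# constructed value stands in for that.
LOCALNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed named.conf fragments: the pre-fix state (no allow-recursion),
# the fix from this bug, and the explicit-subnet alternative the reporter
# describes.
DEFAULT_CONF = "options { forwarders { 10.0.0.53; }; };"
FIXED_CONF = "options { forwarders { 10.0.0.53; }; allow-recursion { any; }; };"
SUBNET_CONF = "options { allow-recursion { 192.168.1.0/24; 10.0.2.0/24; localhost; }; };"

def parse_allow_recursion(named_conf):
    """Return the allow-recursion ACL elements in order, e.g. ['any']."""
    match = re.search(r"allow-recursion\s*\{([^}]*)\}", named_conf)
    if not match:
        # Option absent: BIND 9 defaults allow-recursion to localnets; localhost.
        return ["localnets", "localhost"]
    return [e.strip() for e in match.group(1).split(";") if e.strip()]

def element_matches(element, client):
    """Match one ACL element (its '!' prefix already removed) against a client."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return client.is_loopback  # simplification of BIND's localhost ACL
    if element == "localnets":
        return any(client in net for net in LOCALNETS)
    return client in ipaddress.ip_network(element, strict=False)

def recursion_allowed(named_conf, client_ip):
    """First matching element wins; a '!' prefix negates it; no match refuses."""
    client = ipaddress.ip_address(client_ip)
    for element in parse_allow_recursion(named_conf):
        negated = element.startswith("!")
        if element_matches(element.lstrip("!").strip(), client):
            return not negated
    return False

def refused_clients(named_conf, client_ips):
    """Clients whose forwarded (recursive) queries the server would refuse."""
    return [ip for ip in client_ips if not recursion_allowed(named_conf, ip)]
```

With DEFAULT_CONF, a client at 10.0.2.15 is refused while 192.168.1.20 is served, which is exactly the cross-subnet failure described above; both FIXED_CONF and SUBNET_CONF serve 10.0.2.15.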