Bug 701677 - Allow specifying query and transfer policy settings for a zone
Summary: Allow specifying query and transfer policy settings for a zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 667729 733371 766233
Blocks: 667704 756082
 
Reported: 2011-05-03 14:24 UTC by Adam Tkac
Modified: 2015-05-20 15:21 UTC (History)
10 users

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Enhancement
Doc Text:
Cause: DNS plugin does not allow setting query or transfer policy for a zone managed by IPA. Consequence: Users could not control who can query or transfer the zones in the same way they do with zones stored in plain text files. Fix: Users can set ACLs for every zone managed by IPA. Result: User can control who can query their zones or run zone transfers.
Clone Of: 667729
Environment:
Last Closed: 2012-06-20 13:13:48 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Comment 1 Adam Tkac 2011-05-03 14:28:05 UTC
FreeIPA schema should allow specifying the following attributes for the idnsZone attribute:

attributetype ( 2.16.840.1.113730.3.8.5.11
        NAME 'idnsAllowQuery'
        DESC 'BIND9 allow-query ACL element'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 2.16.840.1.113730.3.8.5.12
        NAME 'idnsAllowTransfer'
        DESC 'BIND9 allow-transfer ACL element'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Those attributes allow setting ACLs for querying/transferring DNS zone content.

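The values stored in idnsAllowQuery and idnsAllowTransfer are BIND9 address match list elements, which are evaluated in order with first-match-wins and "!" negation. The following is an added example (not part of this bug report or of the FreeIPA code) that evaluates such a list against a client address, so that a zone's transfer policy can be checked before it is deployed; it assumes plain "any"/"none" keywords, addresses and CIDR prefixes, and deliberately rejects "localhost"/"localnets" because those depend on the server's interfaces.

```python
"""Evaluate a BIND9-style address match list, as stored in the
idnsAllowQuery / idnsAllowTransfer attributes of an idnsZone entry.

Semantics modelled (added example, not FreeIPA or BIND code):
  * elements are separated by ';' and evaluated in order, first match wins
  * a leading '!' negates the element (a match on it denies)
  * 'any' matches every address, 'none' matches no address
  * IPv4/IPv6 addresses and CIDR prefixes match by containment
  * nothing matched -> denied (BIND's implicit default)
'localhost' / 'localnets' are rejected here because they need host data.
"""
import ipaddress


def parse_acl(acl):
    """Return a list of (negated, matcher); matcher is 'any', 'none' or an
    ip_network object.  Raises ValueError for elements we cannot model."""
    elements = []
    for raw in acl.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token in ("any", "none"):
            elements.append((negated, token))
        elif token in ("localhost", "localnets"):
            raise ValueError("unsupported keyword: " + token)
        else:
            # strict=False accepts host bits in a prefix, as BIND does
            elements.append((negated, ipaddress.ip_network(token, strict=False)))
    return elements


def is_allowed(acl, client_ip):
    """True if client_ip is permitted by the address match list `acl`."""
    addr = ipaddress.ip_address(client_ip)
    for negated, matcher in parse_acl(acl):
        if matcher == "any":
            matched = True
        elif matcher == "none":
            matched = False
        else:
            matched = addr in matcher  # False across IPv4/IPv6 versions
        if matched:
            return not negated
    return False  # no element matched: deny


if __name__ == "__main__":
    # constructed policy: secondaries in 192.168.1.0/24 except one host
    transfer_acl = "!192.168.1.50; 192.168.1.0/24; none;"
    print(is_allowed(transfer_acl, "192.168.1.10"))  # True
    print(is_allowed(transfer_acl, "192.168.1.50"))  # False
```
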
Comment 4 Dmitri Pal 2011-05-09 22:31:38 UTC
https://fedorahosted.org/freeipa/ticket/1211

Comment 8 Martin Kosek 2012-02-24 09:07:30 UTC
Fixed upstream:

master: 860579022532ee4133fc74e8f916cb40dc3ea239
ipa-2-2: c614d6801389bcbf7c06bed8ba051979f478d2cb

Comment 11 Gowrishankar Rajaiyan 2012-03-28 10:41:52 UTC
Verified: 
ipa-server-2.2.0-5.el6.x86_64
bind-9.8.2-0.6.rc1.el6.x86_64
bind-dyndb-ldap-1.1.0-0.5.b1.el6.x86_64

Comment 12 Martin Kosek 2012-04-18 20:01:53 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: DNS plugin does not allow setting query or transfer policy for a zone managed by IPA.
Consequence: Users could not control who can query or transfer the zones in the same way they do with zones stored in plain text files.
Fix: Users can set ACLs for every zone managed by IPA.
Result: User can control who can query their zones or run zone transfers.

Comment 15 errata-xmlrpc 2012-06-20 13:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

