I think it may be a good idea to let bind-dyndb-ldap read global
forwarding/conditional forwarding from LDAP and set named properly.
Right now, we add the global forwarder to named.conf during ipa-dns-install
time. Therefore, this value can now only be changed by user with a root access
to IPA server. This RFE would let IPA users with DNS Administrator role
fix/change forwarding from any machine.
I see the relevant upstream ticket has been pushed:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.