This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2441

For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, one also needs to create an update policy:

{{{
ipa dnszone-mod example.com --dynamic-update=TRUE \
    --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
}}}

It can be difficult for regular users to create this policy; we should rather fill in the policy by default and let the user just switch dynamic updates on or off:

{{{
ipa dnszone-mod example.com --dynamic-update=TRUE
ipa dnszone-mod example.com --dynamic-update=FALSE
}}}
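An added example, not part of the original ticket or of FreeIPA's code: a small audit that parses an update-policy string and reports any grant rule broader than the krb5-self form quoted above. The function names, the allowed record-type set, and the constructed over-broad policy are assumptions made for illustration.

```python
# Added example: audit a BIND update-policy string before enabling dynamic updates.
# ALLOWED_TYPES and the expected rule shape are assumptions taken from the
# policy quoted in this bug report, not from FreeIPA's code.
ALLOWED_TYPES = {"A", "AAAA", "SSHFP"}


def parse_policy(policy):
    """Split 'grant|deny identity ruletype name [types...];' statements into tuples."""
    rules = []
    for stmt in policy.split(";"):
        fields = stmt.split()
        if not fields:
            continue  # trailing ';' or blank segment
        if len(fields) < 4 or fields[0] not in ("grant", "deny"):
            raise ValueError("malformed update-policy statement: %r" % stmt.strip())
        action, identity, ruletype, name, *types = fields
        rules.append((action, identity, ruletype, name, [t.upper() for t in types]))
    return rules


def audit_policy(policy, realm):
    """Return (rule, reasons) pairs for grant rules broader than the krb5-self form."""
    findings = []
    for action, identity, ruletype, name, types in parse_policy(policy):
        if action != "grant":
            continue  # deny rules do not widen access
        reasons = []
        if identity != realm:
            reasons.append("identity %s is not realm %s" % (identity, realm))
        if ruletype != "krb5-self":
            reasons.append("rule type %s is not krb5-self" % ruletype)
        if not types:
            reasons.append("no record types listed")
        extra = sorted(set(types) - ALLOWED_TYPES)
        if extra:
            reasons.append("unexpected record types: " + ", ".join(extra))
        if reasons:
            findings.append((" ".join([action, identity, ruletype, name] + types), reasons))
    return findings


# Policy quoted in the bug report, and a constructed over-broad one for contrast.
PAGE_POLICY = ("grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; "
               "grant EXAMPLE.COM krb5-self * SSHFP;")
WEAK_POLICY = "grant EXAMPLE.COM krb5-self * A; grant * wildcard * ANY;"

if __name__ == "__main__":
    for label, pol in (("page", PAGE_POLICY), ("constructed", WEAK_POLICY)):
        print(label, audit_policy(pol, "EXAMPLE.COM") or "ok")
```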
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c06cbb12ac2080e75578645b5e74adf7496de1fa

The update policy for forward and reverse zones is now automatically generated when the zone is being created.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html