Cause: All DNS records in the IPA Directory Server instance are publicly accessible.
Consequence: With a publicly accessible DNS tree in the Directory Server instance, anyone with access to the server can retrieve all DNS data, equivalent to a zone transfer, which is otherwise restricted by access control rules. It is common security practice to restrict this information to a selected group of users.
Change: The entire LDAP tree holding DNS records is now accessible only to the LDAP driver that feeds the data to the name server, to admin users, and to users with a new permission called "Read DNS Entries".
Result: Only permitted users can now access the DNS records in the IPA Directory Server instance, which improves the security of the IPA server.
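To confirm the change on a deployed server, the following check (an added example, not part of the release note or of IPA's own tooling) runs an anonymous ldapsearch against the DNS subtree and reports whether any DNS zone or record entries are returned. It assumes the usual IPA layout in which DNS data lives under cn=dns beneath the directory suffix; the host name and suffix shown are placeholders.

```shell
#!/bin/sh
# Added example: verify that the IPA DNS subtree is not readable anonymously.
# Assumptions: DNS data is stored under cn=dns,<suffix> (usual IPA layout),
# and the OpenLDAP client tool ldapsearch is installed.

IPA_HOST="${IPA_HOST:-ipa.example.test}"        # placeholder, set to your server
IPA_SUFFIX="${IPA_SUFFIX:-dc=example,dc=test}"  # placeholder, set to your base DN

# classify_dns_exposure reads LDIF (as produced by ldapsearch -LLL) on stdin
# and prints one of:
#   EXPOSED    - at least one idnsZone/idnsRecord entry was returned
#   RESTRICTED - no DNS entries were returned
# Object class matching is case-insensitive because LDAP attribute values
# may be returned with either capitalisation.
classify_dns_exposure() {
    if grep -qiE '^objectClass: idns(Zone|Record)$'; then
        echo EXPOSED
    else
        echo RESTRICTED
    fi
}

# anonymous_dns_search performs a simple anonymous bind (-x with no -D)
# and lists DNS zones and records under the DNS container. After the fix
# described above this should return nothing; before it, every zone and
# record is listed, which is the information a zone transfer would expose.
anonymous_dns_search() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" -b "cn=dns,$IPA_SUFFIX" \
        '(|(objectClass=idnsZone)(objectClass=idnsRecord))' dn objectClass
}

# Run the live check only when explicitly requested, so the helper
# functions can also be sourced and tested without a server.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    anonymous_dns_search | classify_dns_exposure
fi
```

Run it with `RUN_CHECK=1 IPA_HOST=<server> IPA_SUFFIX=<base DN> sh check_dns_acl.sh`; a result of EXPOSED means unauthenticated clients can still enumerate the DNS tree.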