Red Hat Bugzilla – Bug 869658
It is not possible to disable forwarding on per-zone basis
Last modified: 2013-02-21 04:29:08 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3209 This is IPA-part of bind-dyndb-ldap ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/98 It is necessary to allow string "none" to be written to idnsForwarders attribute in DNS zones. For further details see original ticket.
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/610594156eafee2d0ced3a4d0484e4436b6f973d ipa-3-0: https://fedorahosted.org/freeipa/changeset/f3ebc61b4926de837eb8ce80a10d24ba17b021ae
Reproducer:

1) Install IPA server with global forwarder configured:

   # ipa-server-install --setup-dns --forwarder $FORWARDER_IP

2) Create a zone and delegate its sub-zone to other name server (which may be for example IPA server with IP 10.0.0.2):

   # ipa dnszone-add example.com
   # ipa dnsrecord-add example.com ns.sub --a-rec=10.0.0.2    # IP address of second IPA server with configured sub.example.com zone
   # ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.

   On second IPA server (with IP 10.0.0.2):

   # ipa dnszone-add sub.example.com --nameserver ns --ip-address 10.0.0.2
   # ipa dnsrecord-add sub.example.com client --a-rec 10.0.0.5

3) When you try to resolve client.sub.example.com on the first IPA server, the request will be routed through $FORWARDER_IP. You can verify that for example with tcpdump run on the first IPA server machine:

   # tcpdump -ni eth0 udp port 53

4) Now, when you update the forwarders for example.com to "none", request for client.sub.example.com should go directly to second IPA server (i.e. 10.0.0.2):

   # ipa dnszone-mod example.com --forwarder=none
   # host client.sub.example.com
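The reproducer above hinges on one decision: for a name that lives below a delegation point inside a zone this server is authoritative for, does the server hand the lookup to a forwarder or go straight to the delegated name server? The following Python model is an added example, not FreeIPA or bind-dyndb-ldap code, and it implements only that decision plus the input rule the fix introduces (idnsForwarders may hold IP addresses or the literal "none"). The global forwarder address 192.0.2.53 stands in for $FORWARDER_IP and is a constructed placeholder; the zone, delegation and 10.0.0.2 values are the ones from the reproducer. Caching, "forward first" fallback and real recursion are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

FORWARD_NONE = "none"  # literal value the fix allows in idnsForwarders


def parse_forwarders(values):
    """Validate raw idnsForwarders values: either the single literal "none"
    (forwarding disabled for this zone) or one or more IP addresses.
    Returns None (attribute absent, inherit global policy), "none",
    or a list of normalised IP strings. Raises ValueError otherwise."""
    if values is None:
        return None
    if len(values) == 1 and values[0].strip().lower() == FORWARD_NONE:
        return FORWARD_NONE
    parsed = []
    for v in values:
        try:
            parsed.append(str(ipaddress.ip_address(v.strip())))
        except ValueError:
            raise ValueError(f"invalid forwarder {v!r}: expected an IP address or 'none'") from None
    return parsed


def is_valid_forwarder_value(values):
    """Boolean wrapper around parse_forwarders for callers that only need a yes/no."""
    try:
        parse_forwarders(values)
        return True
    except ValueError:
        return False


@dataclass
class Zone:
    name: str
    forwarders: object = None                          # None (inherit), "none", or list of IPs
    delegations: dict = field(default_factory=dict)    # child zone name -> delegated NS address
    records: set = field(default_factory=set)          # names this zone answers itself


def _in_zone(name, zone_name):
    return name == zone_name or name.endswith("." + zone_name)


def query_path(name, zones, global_forwarders):
    """Return (action, target) for a query arriving at this server.

    action: "local"    - answered from our own zone data
            "nxdomain" - we are authoritative and the name does not exist
            "forward"  - sent to the listed forwarder addresses
            "delegate" - sent directly to the delegated name server
            "recurse"  - not our zone and no forwarders: ordinary iteration"""
    name = name.rstrip(".").lower()
    matches = [z for z in zones if _in_zone(name, z.name)]
    if not matches:
        return ("forward", list(global_forwarders)) if global_forwarders else ("recurse", None)

    zone = max(matches, key=lambda z: len(z.name))      # longest matching zone wins
    if name in zone.records:
        return ("local", zone.name)

    delegated = [c for c in zone.delegations if _in_zone(name, c)]
    if not delegated:
        return ("nxdomain", zone.name)
    child = max(delegated, key=len)

    # The name sits below a delegation point, so it must be looked up elsewhere.
    if zone.forwarders == FORWARD_NONE:
        return ("delegate", zone.delegations[child])    # per-zone "none": bypass forwarders entirely
    if zone.forwarders:
        return ("forward", list(zone.forwarders))       # per-zone forwarders take precedence
    if global_forwarders:
        return ("forward", list(global_forwarders))     # attribute absent: global policy applies
    return ("delegate", zone.delegations[child])


def reproducer():
    """Steps 3 and 4 of the reproducer: query for client.sub.example.com
    before and after 'ipa dnszone-mod example.com --forwarder=none'."""
    global_fwd = ["192.0.2.53"]                         # constructed stand-in for $FORWARDER_IP
    zone = Zone("example.com",
                delegations={"sub.example.com": "10.0.0.2"},
                records={"example.com", "ns.sub.example.com"})
    before = query_path("client.sub.example.com", [zone], global_fwd)
    zone.forwarders = parse_forwarders(["none"])
    after = query_path("client.sub.example.com", [zone], global_fwd)
    return before, after


if __name__ == "__main__":
    before, after = reproducer()
    print("before --forwarder=none:", before)
    print("after  --forwarder=none:", after)
```

Run stand-alone, the script shows the query leaving through the global forwarder first and going directly to 10.0.0.2 once the zone's forwarders are set to "none", which is exactly what steps 3 and 4 ask the tester to observe with tcpdump. The input check is the part worth keeping in any admin tooling: accept a handful of addresses or the literal "none", and reject everything else before it reaches LDAP.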
Web UI part fixed upstream: * ipa-3-0: 7f9d3dc3ddf41cfaeeedf83f669c852032f29549 * master: 1bf537db9e6e5a66a7c3ce58019693098ff090f7
I am able to make it work using an alternate set of directions listed below; the steps to reproduce from above aren't quite right.

The IP address of zippyvm11 is 10.14.5.226
The IP address of zippyvm4 is 10.14.5.136

[root@zippyvm4 ~]# ipa dnszone-add example.com --name-server=zippyvm4.testrelm.com. --admin-email=hostmaster.example.com.
  Zone name: example.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1358895286
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@zippyvm4 ~]# ipa dnsrecord-add example.com ns.sub --a-rec=10.14.5.226
  Record name: ns.sub
  A record: 10.14.5.226

[root@zippyvm4 ~]# ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
  Record name: sub
  NS record: ns.sub.example.com.

[root@zippyvm4 ~]# ipa dnszone-mod --forwarder=10.14.5.226 example.com
  Zone name: example.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1358895375
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.226

[root@zippyvm11 ~]# ipa dnszone-add sub.example.com --name-server zippyvm11.testrelm.com.
Administrator e-mail address [hostmaster.sub.example.com.]:
  Zone name: sub.example.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.sub.example.com.
  SOA serial: 1358896319
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@zippyvm11 ~]# ipa dnsrecord-add sub.example.com client --a-rec 10.14.5.226
  Record name: client
  A record: 10.14.5.226

[root@zippyvm4 ~]# dig client.sub.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> client.sub.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40603
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;client.sub.example.com.        IN      A

;; ANSWER SECTION:
client.sub.example.com. 86400   IN      A       10.14.5.226

;; AUTHORITY SECTION:
sub.example.com.        86400   IN      NS      zippyvm11.testrelm.com.

;; ADDITIONAL SECTION:
zippyvm11.testrelm.com. 1200    IN      A       10.14.5.226

;; Query time: 15 msec
;; SERVER: 10.14.5.136#53(10.14.5.136)
;; WHEN: Tue Jan 22 18:14:48 2013
;; MSG SIZE  rcvd: 105

[root@zippyvm4 ~]# ipa dnszone-mod example.com --forwarder=
  Zone name: example.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1358896093
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

[root@zippyvm4 ~]# dig client.sub.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> client.sub.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19492
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;client.sub.example.com.        IN      A

;; Query time: 93 msec
;; SERVER: 10.14.5.136#53(10.14.5.136)
;; WHEN: Tue Jan 22 18:15:26 2013
;; MSG SIZE  rcvd: 40

I do seem to be able to remove the per-zone forwarder.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html