Disable global forwarding per-zone

bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

A few lines were also added to the help text to explain the feature to users.

https://fedorahosted.org/freeipa/ticket/3209
Martin Kosek
2012-10-29 09:15:08 +01:00
parent 215fcdfd5e
commit 610594156e
4 changed files with 27 additions and 8 deletions


@@ -620,7 +620,7 @@ output: Output('value', <type 'unicode'>, None)
command: dnsconfig_mod
args: 0,11,3
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Int('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', minvalue=0, multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -1026,7 +1026,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=True, cli_name='dyna
option: Str('idnsallowquery', attribute=True, autofill=True, cli_name='allow_query', default=u'any;', multivalue=False, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=True, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
option: Str('idnsforwarders', attribute=True, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -1083,7 +1083,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=False, cli_name='dyn
option: Str('idnsallowquery', attribute=True, autofill=False, cli_name='allow_query', default=u'any;', multivalue=False, query=True, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=False, cli_name='allow_transfer', default=u'none;', multivalue=False, query=True, required=False)
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, query=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first'))
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, query=True, required=False)
option: Int('timelimit?', autofill=False, minvalue=0)
option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1114,7 +1114,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=False, cli_name='dyn
option: Str('idnsallowquery', attribute=True, autofill=False, cli_name='allow_query', default=u'any;', multivalue=False, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=False, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')


@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=45
IPA_API_VERSION_MINOR=46


@@ -181,7 +181,7 @@ Requires: policycoreutils >= %{POLICYCOREUTILSVER}
# IPA but if it is configured we need a way to require versions
# that work for us.
%if 0%{?fedora} >= 18
Conflicts: bind-dyndb-ldap < 1.1.0-0.16.rc1
Conflicts: bind-dyndb-ldap < 2.3-2
%else
Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
%endif
@@ -829,6 +829,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
* Fri Nov 09 2012 Martin Kosek <mkosek@redhat.com> - 3.0.99-3
- Set min for bind-dyndb-ldap to 2.3-2 to pick up disabling global
forwarder per-zone
* Fri Oct 26 2012 Sumit Bose <sbose@redhat.com> - 3.0.99-2
- Restart httpd in post install of server-trust-ad
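Review bot: The raised floor `Conflicts: bind-dyndb-ldap < 2.3-2` applies only inside `%if 0%{?fedora} >= 18`, while the `%else` branch still accepts any build from 1.1.0-0.12.rc1 upwards. If those older plugin builds do not understand the `none` forward policy that this commit exposes (not verifiable from this page), an administrator there could set it and still have queries for the zone sent through the global forwarder. Either raise the `%else` floor to a build that supports `none`, or add a comment on that branch such as `# forward policy 'none' needs bind-dyndb-ldap >= 2.3-2; not enforced on this branch`.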


@@ -184,6 +184,16 @@ EXAMPLES:
Show records for resource www in zone example.com
ipa dnsrecord-show example.com www
Delegate zone sub.example to another nameserver:
ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5
ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
If global forwarder is configured, all requests to sub.example.com will be
routed through the global forwarder. To change the behavior for example.com
zone only and forward the request directly to ns.sub.example.com., global
forwarding may be disabled per-zone:
ipa dnszone-mod example.com --forward-policy=none
Forward all requests for the zone external.com to another nameserver using
a "first" policy (it will send the queries to the selected forwarder and if
not answered it will use global resolvers):
@@ -1691,7 +1701,10 @@ class dnszone(LDAPObject):
StrEnum('idnsforwardpolicy?',
cli_name='forward_policy',
label=_('Forward policy'),
values=(u'only', u'first',),
doc=_('Per-zone conditional forwarding policy. Set to "none" to '
'disable forwarding to global forwarder for this zone. In '
'that case, conditional zone forwarders are disregarded.'),
values=(u'only', u'first', u'none'),
),
Bool('idnsallowsyncptr?',
cli_name='allow_sync_ptr',
@@ -2923,7 +2936,9 @@ class dnsconfig(LDAPObject):
StrEnum('idnsforwardpolicy?',
cli_name='forward_policy',
label=_('Forward policy'),
values=(u'only', u'first',),
doc=_('Global forwarding policy. Set to "none" to disable '
'any configured global forwarders.'),
values=(u'only', u'first', u'none'),
),
Bool('idnsallowsyncptr?',
cli_name='allow_sync_ptr',
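Review bot: In the `dnszone` hunk (-1691) the new `none` value is accepted together with `idnsforwarders`, and the added doc says those forwarders are then disregarded, but nothing in the visible hunks rejects or warns about that combination. An administrator who sets both gets a zone whose configured forwarders are silently unused; a check in the dnszone add/mod callbacks would surface this, though those callbacks lie outside the hunks shown and may already do so. The doc strings in both the `dnszone` and `dnsconfig` hunks could also say that with `none` the affected queries no longer pass through the global forwarder, which matters where that forwarder is the point of DNS filtering or logging, for example by appending `'Queries then bypass the global forwarder.'` to the `doc=` text. Both `StrEnum` parameter lists start and end outside their hunks.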