Fill new DNS zone update policy by default

For security reasons, dynamic updates are not enabled for new DNS zones. In order to enable the dynamic zone securely, user needs to allow dynamic updates and create a zone update policy. The policy is not easy to construct for regular users, we should rather fill it by default and let users just switch the policy on or off. https://fedorahosted.org/freeipa/ticket/2441
2025-02-25 18:55:28 -06:00 · 2012-06-04 17:53:34 +02:00
parent 7d9abecbb6
commit c06cbb12ac
7 changed files with 60 additions and 14 deletions
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -70,9 +70,9 @@ class update_dnszones(PostUpdate):
                # do not open zone transfers by default
                update['idnsallowtransfer'] = u'none;'

-            old_policy = util.gen_dns_update_policy(api.env.realm, ('A', 'AAAA'))
+            old_policy = util.get_dns_forward_zone_update_policy(api.env.realm, ('A', 'AAAA'))
            if zone.get('idnsupdatepolicy', [''])[0] == old_policy:
-                update['idnsupdatepolicy'] = util.gen_dns_update_policy(\
+                update['idnsupdatepolicy'] = util.get_dns_forward_zone_update_policy(\
                        api.env.realm)

            if update: