author | Martin Kosek <mkosek@redhat.com> | 2012-02-24 09:30:39 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-24 09:40:43 +0100 |
commit | 860579022532ee4133fc74e8f916cb40dc3ea239 (patch) | |
tree | 475fa305e89561b10fcd3523d34acd7e8b981f5a /ipaserver/install/bindinstance.py | |
parent | 2cf58937615c28527d1c78f883dad8726331c6df (diff) | |
Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done for new
DNS zones, and for existing DNS zones during RPM update via the new
DNS upgrade plugin.
https://fedorahosted.org/freeipa/ticket/1211
Diffstat (limited to 'ipaserver/install/bindinstance.py')
-rw-r--r-- | ipaserver/install/bindinstance.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2fa12565f..9dc12e276 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -214,7 +214,9 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_addres
  idnssoarname=unicode(zonemgr),
  ip_address=unicode(ns_ip_address),
  idnsallowdynupdate=True,
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
  except (errors.DuplicateEntry, errors.EmptyModlist):
  pass
@@ -252,7 +254,9 @@ def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
  idnssoamname=unicode(ns_main+'.'),
  idnsallowdynupdate=True,
  ip_address=unicode(ns_ip_address),
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
  except (errors.DuplicateEntry, errors.EmptyModlist):
  pass
|
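Review bot: The new ACL defaults are bare literals with no comment explaining why transfers are closed, and the same `idnsallowquery`/`idnsallowtransfer` pair is duplicated in add_zone (first hunk) and add_reverse_zone (second hunk); a comment above `idnsallowquery=u'any',` such as `# allow-transfer is closed by default so a new zone does not expose its data to arbitrary secondaries; an administrator enables it per zone` would carry the rationale from the commit message into the code, or the two values could be hoisted into module-level constants shared by both functions. Note also that `errors.DuplicateEntry` is swallowed just below in both hunks, so a zone that already exists keeps whatever ACLs it had and this path does not tighten it — the description says an upgrade plugin covers that case, which is outside this file. The trailing comma in `idnsallowtransfer=u'none',)` is legal but unusual; `idnsallowtransfer=u'none')` reads cleaner. The enclosing try block of both functions starts outside the hunk.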