authorMartin Kosek <mkosek@redhat.com>2012-11-09 10:03:57 +0100
committerMartin Kosek <mkosek@redhat.com>2012-11-09 15:38:05 +0100
commitf3ebc61b4926de837eb8ce80a10d24ba17b021ae (patch)
tree09efd5a346e4ddbff69a9de698290c35a74379fa
parent92860f9a4fc775ca699a0920e42bbb913c30e04f (diff)
Disable global forwarding per-zone
bind-dyndb-ldap allows disabling the global forwarder per-zone. This may be useful in a scenario where we do not want requests to delegated sub-zones (like sub.example.com. in zone example.com.) to be routed through the global forwarder. A few lines were also added to the help to explain the feature to users. https://fedorahosted.org/freeipa/ticket/3209
-rw-r--r--API.txt8
-rw-r--r--VERSION2
-rw-r--r--freeipa.spec.in6
-rw-r--r--ipalib/plugins/dns.py19
4 files changed, 27 insertions, 8 deletions
diff --git a/API.txt b/API.txt
index 04a4f231..e33445c2 100644
--- a/API.txt
+++ b/API.txt
@@ -620,7 +620,7 @@ output: Output('value', <type 'unicode'>, None)
command: dnsconfig_mod
args: 0,11,3
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
-option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
+option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Int('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', minvalue=0, multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -1026,7 +1026,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=True, cli_name='dyna
option: Str('idnsallowquery', attribute=True, autofill=True, cli_name='allow_query', default=u'any;', multivalue=False, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=True, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
option: Str('idnsforwarders', attribute=True, cli_name='forwarder', csv=True, multivalue=True, required=False)
-option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
+option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -1083,7 +1083,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=False, cli_name='dyn
option: Str('idnsallowquery', attribute=True, autofill=False, cli_name='allow_query', default=u'any;', multivalue=False, query=True, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=False, cli_name='allow_transfer', default=u'none;', multivalue=False, query=True, required=False)
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, query=True, required=False)
-option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first'))
+option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, query=True, required=False)
option: Int('timelimit?', autofill=False, minvalue=0)
option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1114,7 +1114,7 @@ option: Bool('idnsallowdynupdate', attribute=True, autofill=False, cli_name='dyn
option: Str('idnsallowquery', attribute=True, autofill=False, cli_name='allow_query', default=u'any;', multivalue=False, required=False)
option: Str('idnsallowtransfer', attribute=True, autofill=False, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
-option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first'))
+option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 69f9cfab..691aa317 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=45
+IPA_API_VERSION_MINOR=46
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f382f9cd..6c8d54d6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -181,7 +181,7 @@ Requires: policycoreutils >= %{POLICYCOREUTILSVER}
# IPA but if it is configured we need a way to require versions
# that work for us.
%if 0%{?fedora} >= 18
-Conflicts: bind-dyndb-ldap < 1.1.0-0.16.rc1
+Conflicts: bind-dyndb-ldap < 2.3-2
%else
Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
%endif
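Review bot: Only the `fedora >= 18` branch is raised to `bind-dyndb-ldap < 2.3-2`; the `%else` branch still accepts anything from `1.1.0-0.12.rc1`, while the API in this commit accepts `none` on every build. If the older plugin does not understand the `none` policy (the changelog entry suggests support arrives with 2.3-2), a zone set to `none` on such a host may keep sending queries through the global forwarder without any error. Either raise the `%else` minimum as well, or add a comment there such as `# forward policy "none" is not honoured by bind-dyndb-ldap on this branch`.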
@@ -829,6 +829,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Fri Nov 09 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
+- Set min for bind-dyndb-ldap to 2.3-2 to pick up disabling global
+ forwarder per-zone
+
* Fri Oct 26 2012 Sumit Bose <sbose@redhat.com> - 3.0.0-2
- Restart httpd in post install of server-trust-ad
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index e7ac58d2..17a794b5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -184,6 +184,16 @@ EXAMPLES:
Show records for resource www in zone example.com
ipa dnsrecord-show example.com www
+ Delegate zone sub.example to another nameserver:
+ ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5
+ ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
+
+ If global forwarder is configured, all requests to sub.example.com will be
+ routed through the global forwarder. To change the behavior for example.com
+ zone only and forward the request directly to ns.sub.example.com., global
+ forwarding may be disabled per-zone:
+ ipa dnszone-mod example.com --forward-policy=none
+
Forward all requests for the zone external.com to another nameserver using
a "first" policy (it will send the queries to the selected forwarder and if
not answered it will use global resolvers):
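Review bot: The heading of the new example names the zone `sub.example`, while the commands and the paragraph below it use `sub.example.com`; it should read `Delegate zone sub.example.com to another nameserver:`. The paragraph could also say that with `--forward-policy=none` queries for example.com no longer pass through the global forwarder, so any filtering or logging done at that forwarder will not see them. The enclosing help docstring begins and ends outside this hunk.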
@@ -1691,7 +1701,10 @@ class dnszone(LDAPObject):
StrEnum('idnsforwardpolicy?',
cli_name='forward_policy',
label=_('Forward policy'),
- values=(u'only', u'first',),
+ doc=_('Per-zone conditional forwarding policy. Set to "none" to '
+ 'disable forwarding to global forwarder for this zone. In '
+ 'that case, conditional zone forwarders are disregarded.'),
+ values=(u'only', u'first', u'none'),
),
Bool('idnsallowsyncptr?',
cli_name='allow_sync_ptr',
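Review bot: With `none` added to `values`, a call that sets `idnsforwarders` together with `idnsforwardpolicy=none` is accepted and the forwarders are then ignored; the new `doc` says so, but nothing visible in this hunk rejects or reports the combination. An administrator who relies on a zone forwarder for filtering or logging could end up with queries resolved directly without noticing. Consider a check where the zone options are validated (outside this hunk), for example `raise errors.ValidationError(name='idnsforwardpolicy', error=_('forwarders are ignored when policy is "none"'))`, or a softer notice if rejecting is too strict. The same question applies to the `dnsconfig` hunk at `@@ -2923,7 +2936,9 @@`, where `none` turns off any configured global forwarders.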
@@ -2923,7 +2936,9 @@ class dnsconfig(LDAPObject):
StrEnum('idnsforwardpolicy?',
cli_name='forward_policy',
label=_('Forward policy'),
- values=(u'only', u'first',),
+ doc=_('Global forwarding policy. Set to "none" to disable '
+ 'any configured global forwarders.'),
+ values=(u'only', u'first', u'none'),
),
Bool('idnsallowsyncptr?',
cli_name='allow_sync_ptr',