authorPetr Spacek <pspacek@redhat.com>2016-04-27 15:24:01 +0200
committerMartin Basti <mbasti@redhat.com>2016-05-30 20:14:32 +0200
commite45a80308c947a58c0fb5266d75eedc1d9aef321 (patch)
tree0ef882cf1a1cd6db11e754c897a97624a6eb41f1 /ipaserver/install/plugins
parentf750d42b6f2d7f792ce56b6832d2bd1ae1f333a0 (diff)
DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/dns.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index f3fed9a18..3c1d4e9a4 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -461,6 +461,19 @@ class update_dnsforward_emptyzones(DNSUpdater):
self.log.debug('Zone %s was sucessfully modified to use '
'forward policy "only"', zone['idnsname'][0])
+ def update_global_ldap_forwarder(self):
+ config = self.api.Command['dnsconfig_show'](all=True,
+ raw=True)['result']
+ if (
+ config.get('idnsforwardpolicy', [u'first'])[0] == u'first'
+ and config.get('idnsforwarders', [])
+ ):
+ self.log.info('Global forward policy in LDAP for all servers will '
+ 'be changed to "only" to avoid conflicts with '
+ 'automatic empty zones')
+ self.backup_zone(config)
+ self.api.Command['dnsconfig_mod'](idnsforwardpolicy=u'only')
+
def execute(self, **options):
# check LDAP if DNS subtree already uses new semantics
if not self.version_update_needed(target_version=2):
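Review bot: `update_global_ldap_forwarder` has no docstring, and it hands the global config entry to `self.backup_zone(config)`, a helper defined outside this hunk that, judging by its name, may expect a zone entry; it is worth confirming that it writes a usable backup for the `dnsconfig_show` result before the policy is overwritten. A docstring such as `"""Set the global LDAP forward policy to "only" when it is "first" (or unset) and global forwarders exist."""` would record the condition. The `self.log.info` message could also include the previous policy and the forwarder list, so the change can be traced from the upgrade log alone. The enclosing class begins above the hunk and `execute` continues below it.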
@@ -473,4 +486,7 @@ class update_dnsforward_emptyzones(DNSUpdater):
self.api.Command['dnsconfig_mod'](ipadnsversion=2)
self.update_zones()
+ if dnsutil.has_empty_zone_addresses(self.api.env.host):
+ self.update_global_ldap_forwarder()
+
return False, []
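Review bot: The guard `dnsutil.has_empty_zone_addresses(self.api.env.host)` looks only at the server running this upgrade, while the change it gates applies to every server, as the log message in `update_global_ldap_forwarder` says. Because `ipadnsversion=2` is written a few lines earlier and `execute` appears to skip the work once that version is set, a first-upgraded server without private addresses would seem to leave the policy at "first" for replicas that do have them; this depends on `version_update_needed`, which is not visible here. The same ordering means a failure in `dnsconfig_mod(idnsforwardpolicy=u'only')` would not be retried on the next run. Consider a comment stating the limitation, e.g. `# decided from the local host only; not re-checked on other servers once ipadnsversion=2`, or moving the version bump after both updates. The start of `execute` is outside this hunk.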