Jump to: navigation, search

V4/Forward zones

Name: V4/Forward zones
Ticket: #3210
Target version: 4.1.0
Incomplete.png Pending review
Last updated: 2016-04-25 by Alich

Overview

Forward zones allow to configure the name server to use forwarding only for a particular zone.

In older versions of IPA, to allow forwarding per zone, was required to create master zone with forward statement together with unnecessary records. Current implementation allows separate forward and master zones in FreeIPA DNS to follow BIND design and achieve consistent behavior.

Use Cases

Forwarding queries per a zone

Generally using global forwarders is all or nothing solution. Using forward zones give more control to admin, which zones and how should be forwarded.

Forwarding policy in forward and master zones

Forwarding follows BIND design, here is short overview in table bellow, for more information please read BIND manual.

IPA forward-policy behavior
none
  1. search local database for an authoritative answer
  2. if local server is authoritative, return the answer (including NXDOMAIN if DNS name was not found)
  3. if local server is not authoritative, try only recursion (if recursion is allowed), no forwarding
  4. return an answer obtained by recursion
first (or <empty> as default)
  1. search local database for an authoritative answer
  2. if local server is authoritative, return the answer (including NXDOMAIN if DNS name was not found)
  3. if local server is not authoritative, try to query forwarders
  4. if query to forwarders failed, try recursion (if recursion is allowed)
  5. return an answer from forwarder or recursion
only
  1. search local database for an authoritative answer
  2. if local server is authoritative, return the answer (including NXDOMAIN if DNS name was not found)
  3. if local server is not authoritative, try to query forwarders
  4. return an answer from forwarders or return SERVFAIL (if designated forwarders did not reply)

Avoid an ineffective forward zone

Be careful using following set of zones, where a master zone exists for a forward zone.

$ ipa dnszone-add example.com.
$ ipa dnsforwardzone-add  fw.example.com. --forwarder 192.0.2.1

In this case, forwarding will not work, because zone example.com. is authoritative, and server return NXDOMAIN answer. To make forward zone effective, you need delegate this forward domain using NS record to different name server.

To add proper NS record use following command:

$ ipa dnsrecord-add example.com. fw --ns-rec=<nameserver>

Design

No changes for master zones required ('idnsZone' objectclass).

Forward zone will use own objectclass 'idnsForwardZone'. (see below).

objectClass ( 2.16.840.1.113730.3.8.6.3
	NAME 'idnsForwardZone'
	DESC 'Forward Zone class'
	SUP top
	STRUCTURAL
	MUST ( idnsName $ idnsZoneActive )
	MAY ( idnsForwarders $ idnsForwardPolicy ) )

The idnsName, idnsZoneActive, idnsForwarders, idnsForwardPolicy are the same attributes as the 'idnsZone' objectclass uses.

Both types are stored in LDAP, under idnsname=$DOMAIN,cn=dns,$SUFFIX Only one zone type can be stored under the same name. (To add forward zone with same name you must remove master zone and vice versa)

Forward zones are enabled by default.

Forward Policy

forward-policy = {first, only, none}, default: first

  • none - disable forwarding, forwarders are not required
  • only - forward queries to forwarders (require to specify forwarders)
  • first - forward queries, if unanswered try to answer the query (require to specify forwarders)
IPA Bind
none
zone "fwd.test." in {
  type forward;
  forwarders { };
};
first (or <empty> as default)
zone "fwd.test." in {
  type forward;
  forwarders { <forwarders> };
};
only
zone "fwd.test." in {
  type forward;
  forward only;
  forwarders { <forwarders> };
};

New IPA commands

  • dnsforwardzone-add, to add a new forward zone
  • dnsforwardzone-mod, to modify a forward zone
  • dnsforwardzone-show, to show a forward zone
  • dnsforwardzone-find, to find a forward zone(s)
  • dnsforwardzone-del, to delete a forward zone(s)
  • dnsforwardzone-enable, to enable a forward zone(s)
  • dnsforwardzone-disable, to disable a forward zone(s)
  • dnsforwardzone-add-permission, to add the permission for per forward zone access delegation
  • dnsforwardzone-remove-permission, to remove the permission for per forward zone access delegation

Feature Management

UI

A new page Network Services/DNS/DNS Forward Zones in WebUI. This page handle all required operations: show current list of forward zones, add a new forward zone, delete a forward zone, display a forward zone, allows to modify forwarders and forward policy per a forward zone, disable/enable a forward zone.

Forward zone consists of a name, forwarders, forwarding policy, and enabled/disabled status

CLI

dnsforwardzone-*

Args --forwarder, --forward-policy, --name-from-ip have same behavior as they have in dnszone-* commands.

Forward zone name has same restrictions as in the master zone (dnszone-*).

dnsforwardzone-add

will add a new forward zone. Is required to specify at least one forwarder if forward-policy is not 'none'.

dnsforwardzone-add zone.test. --forwarder=172.16.0.1 --forwarder=172.16.0.2 --forward-policy=first
  Zone name: zone.test.
  Zone forwarders: 172.16.0.1, 172.16.0.2
  Forward policy: first

dnsforwardzone-mod

will modify a forward zone. Is required to specify at least one forwarder if forward-policy is not 'none'. Modifications can be performed in several ways.

dnsforwardzone-mod zone.test. --forwarder=172.16.0.3
  Zone name: zone.test.
  Zone forwarders: 172.16.0.3
  Forward policy: first
dnsforwardzone-mod zone.test. --forward-policy=only
  Zone name: zone.test.
  Zone forwarders: 172.16.0.3
  Forward policy: only

dnsforwardzone-show

will show specified forward zone

dnsforwardzone-show zone.test.
  Zone name: zone.test.
  Zone forwarders: 172.16.0.5
  Forward policy: first

dnsforwardzone-find

will find specified forward zone

dnsforwardzone-find zone.test.
  Zone name: zone.test.
  Zone forwarders: 172.16.0.3
  Forward policy: first
----------------------------
Number of entries returned 1
----------------------------

dnsforwardzone-del

will delete specified forward zone(s)

dnsforwardzone-del zone.test. 
----------------------------
Deleted forward DNS zone "zone.test."
----------------------------

dnsforwardzone-enable

will enable specified forward zone(s) NOTE: Forward zones are enabled by default.

dnsforwardzone-enable zone.test. 
----------------------------
Enabled forward DNS zone "zone.test."
----------------------------

dnsforwardzone-disable

will disable specified forward zone(s)

dnsforwardzone-disable zone.test. 
----------------------------
Disabled forward DNS zone "zone.test."
----------------------------

dnsforwardzone-add-permission

will add system permission

dnsforwardzone-add-permission zone.test.
---------------------------------------------------------
Added system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.

dnsforwardzone-remove-permission

will remove system permission

dnsforwardzone-remove-permission zone.test.
---------------------------------------------------------
Removed system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.

Updates and Upgrades

  • idnsForwardZone objectclass is already supported by bind-dyndb-ldap >= 3.5. This covers also RHEL/CentOS >= 7.0 so upgrades involving only RHEL 7.x machines are seamless.
Warning red.svg

This article or section needs clarification.
Be careful! It is tricky. Following note was missing before 2015-01-05.

  • Unfortunatelly, we did not realize that interaction with RHEL/CentOS < 7.0 && RHEL/CentOS >= 7.1 in the same topology will not be seamless. (See bug 1175318.)
    • RHEL 7.1 ships bind-dyndb-ldap >= 6.0 which relies on new object semantics which is not supported by bind-dyndb-ldap 2.3 shipped with RHEL 6.6. As a result, forward zones will stop working on old replicas as soon as RHEL 7.1 upgrade procedure is executed.
    • Solution is to patch bind-dyndb-ldap in RHEL 6.6.z and add support for idnsForwardZone object class to it (see bug 1176129). It will allow RHEL 6.6.z+ replicas to continue to work after RHEL 7.1+ is joined to the topology.
    • Assumption is that from a moment of upgrade to RHEL 7.1+ on all forward zones are managed from RHEL 7.1+ replicas (so the data are stored in the new format).
  • add idnsForwardZone objectclass to LDAP schema
  • All zones with configured forwarders and forward-policy not equal to none, will be moved to idnsForwardZone objectclass, and idnsZone class will be removed. First, the zones will be exported to LDIF as backup in /var/lib/ipa/backup/ directory, named as dns-forward-zones-backup-%Y-%m-%d-%H-%M-%S.ldif
Migration table
forward-policy none first only <empty>
forwarders master forward forward forward
no forwarders master master master master
  • Transformation to forward zones, is executed only once, by one replica only, and only if ipa version is lower than 4.0. This is ensured by detection: if 'idnsforwardzone' objectclass is presented in schema before schema upgrade, then no transformation is required, else transform master zone to forward zone using rules above.

How to Test

Basic configuration

  1. install IPA server with DNS, do not set up forwarders
  2. Set up an external DNS server (IP: 192.0.2.200)
  3. Configure zone example.test. on external DNS server
  4. Add A record host.example.test. IN A 192.0.2.111 into zone example.test. on external DNS server

Test a forward zone with forwarding only policy

  1. use the basic configuration above
  2. test zone example.test using dig: $ dig @<IPA server> A host.example.test.
  3. expected result: NXDOMAIN
  4. add forward zone on IPA server: $ ipa dnsforwardzone-add example.test. --forward-policy=only --forwarder=192.0.2.200
  5. test zone example.test using dig: $ dig @<IPA server> A host.example.test.
  6. expected result: host.example.test. IN A 192.0.2.111 record in the answer, AUTHORITY SECTION is pointing to external DNS server

Test a forward zone with forwarding none policy

  1. use the basic configuration above
  2. test zone example.test using dig: $ dig @<IPA server> A host.example.test.
  3. expected result: NXDOMAIN
  4. add global forwarder (external DNS server): ipa dnsconfig-mod --forwarder=192.168.2.200
  5. test zone example.test using dig: $ dig @<IPA server> A host.example.test.
  6. expected result: host.example.test. IN A 192.0.2.111 record in the answer, AUTHORITY SECTION is pointing to external DNS server
  7. add forward zone with none policy: $ ipa dnsforward-zone example.test. --forward-policy=none
  8. test zone example.test using dig: $ dig @<IPA server> A host.example.test.
  9. expected result: NXDOMAIN

Test Plan

Unit tests

  • Create forward zone:
    • dnsforwardzone-add fw-zone
      • Expectation: missing forwarders, ValidationError
    • dnsforwardzone-add fw-zone --forward-policy=only
      • Expectation: missing forwarders, ValidationError
    • dnsforwardzone-add fw-zone --forward-policy=none
      • Expectation: add fw-zone with policy none, no forwarders
    • dnsforwardzone-add fw-zone --forwarder=172.16.15.1
      • Expectation: add fw-zone with policy first, forwarder 172.16.15.1
    • dnsforwardzone-add fw-zone --forwarder=172.16.15.1 --forward-policy=only
      • Expectation: add fw-zone with policy only, forwarder 172.16.15.1
    • Try to add duplicated zone
      • Expectation: DuplicationError
  • Modify forward zone
    • dnsforwardzone-mod fw-zone-without-forwarders --forward-policy=only
      • Expectation: missing forwarders, ValidationError
    • dnsforwardzone-mod fw-zone-without-forwarders --forward-policy=first
      • Expectation: missing forwarders, ValidationError
    • dnsforwardzone-mod fw-zone-policy-none --forwarder={172.16.15.1,172.16.15.2}
      • Expectation: zone policy=none, forwarders: 172.16.15.1, 172.16.15.2
    • dnsforwardzone-mod fw-zone-with-forwarders --forward-policy=first
      • Expectation: zone policy=first, forwarders=<forwarders>
    • dnsforwardzone-mod fw-zone-with-forwarders --forward-policy=only
      • Expectation: zone policy=only, forwarders=<forwarders>
  • Show forward zone
    • dnsforwardzone-show fw-zone
      • Expectation: retrieve zone
  • Find forward zone
    • dnsforwardzone-find <expr>
      • Expectation: show all forward zones matching expression
  • Disable/Enable forward zone
    • dnsforwardzone-enable fw-zone
      • Expectation: fw-zone becomes enabled
    • dnsforwardzone-disable fw-zone
      • Expectation: fw-zone becomes disabled
  • Add/Remove per-zone permission
    • dnsforwardzone-add-permision fw-zone
      • Expectation: create system permission for fw-zone
    • dnsforwardzone-remove-permission fw-zone
      • Expectation: remove system permission for fw-zone
  • Delete forward zone
    • dnszone-del fw-zone
      • Expectation: Zone is removed
  • Mutual exclusion with master zones (*-add)
    • dnszone-add zone-exists-as-forward
      • Expectation: DuplicateError
    • dnsforwardzone-add zone-exists-as-master
      • Expectation: DuplicateError
  • Mutual exclusion with master zones (*-find)
    • dnszone-find
      • Expectation: Lists ONLY master zones
    • dnsforwardzone-find
      • Expectation: LIsts ONLY forward zones
  • Mutual exclusion with master zones (others)
    • dnszone-* forward-zone
      • Expectation: NotFound Error
    • dnsforwardzone-* master-zone
      • Expectation: NotFound Error
  • Prevent dnsrecord-* commands work with forwardzone
    • dnsrecord-* forward-zone
      • Expectation: ValidationError: only master zones can contain records

RFE Author

mbasti