V4/Forward zones
Contents
Overview
Forward zones allow to configure the name server to use forwarding only for a particular zone.
In older versions of IPA, to allow forwarding per zone, was required to create master zone with forward statement together with unnecessary records. Current implementation allows separate forward and master zones in FreeIPA DNS to follow BIND design and achieve consistent behavior.
Use Cases
Forwarding queries per a zone
Generally using global forwarders is all or nothing solution. Using forward zones give more control to admin, which zones and how should be forwarded.
Forwarding policy in forward and master zones
Forwarding follows BIND design, here is short overview in table bellow, for more information please read BIND manual.
IPA forward-policy | behavior |
---|---|
none |
|
first (or <empty> as default) |
|
only |
|
Avoid an ineffective forward zone
Be careful using following set of zones, where a master zone exists for a forward zone.
$ ipa dnszone-add example.com. $ ipa dnsforwardzone-add fw.example.com. --forwarder 192.0.2.1
In this case, forwarding will not work, because zone example.com. is authoritative, and server return NXDOMAIN answer. To make forward zone effective, you need delegate this forward domain using NS record to different name server.
To add proper NS record use following command:
$ ipa dnsrecord-add example.com. fw --ns-rec=<nameserver>
Design
No changes for master zones required ('idnsZone' objectclass).
Forward zone will use own objectclass 'idnsForwardZone'. (see below).
objectClass ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
The idnsName, idnsZoneActive, idnsForwarders, idnsForwardPolicy are the same attributes as the 'idnsZone' objectclass uses.
Both types are stored in LDAP, under idnsname=$DOMAIN,cn=dns,$SUFFIX
Only one zone type can be stored under the same name. (To add forward zone with same name you must remove master zone and vice versa)
Forward zones are enabled by default.
Forward Policy
forward-policy = {first, only, none}
, default: first
- none - disable forwarding, forwarders are not required
- only - forward queries to forwarders (require to specify forwarders)
- first - forward queries, if unanswered try to answer the query (require to specify forwarders)
IPA | Bind |
---|---|
none |
zone "fwd.test." in { type forward; forwarders { }; }; |
first (or <empty> as default) |
zone "fwd.test." in { type forward; forwarders { <forwarders> }; }; |
only |
zone "fwd.test." in { type forward; forward only; forwarders { <forwarders> }; }; |
New IPA commands
dnsforwardzone-add
, to add a new forward zonednsforwardzone-mod
, to modify a forward zonednsforwardzone-show
, to show a forward zonednsforwardzone-find
, to find a forward zone(s)dnsforwardzone-del
, to delete a forward zone(s)dnsforwardzone-enable
, to enable a forward zone(s)dnsforwardzone-disable
, to disable a forward zone(s)dnsforwardzone-add-permission
, to add the permission for per forward zone access delegationdnsforwardzone-remove-permission
, to remove the permission for per forward zone access delegation
Feature Management
UI
A new page Network Services/DNS/DNS Forward Zones in WebUI. This page handle all required operations: show current list of forward zones, add a new forward zone, delete a forward zone, display a forward zone, allows to modify forwarders and forward policy per a forward zone, disable/enable a forward zone.
Forward zone consists of a name, forwarders, forwarding policy, and enabled/disabled status
CLI
dnsforwardzone-*
Args --forwarder
, --forward-policy
, --name-from-ip
have same behavior as they have in dnszone-* commands.
Forward zone name has same restrictions as in the master zone (dnszone-*).
dnsforwardzone-add
will add a new forward zone. Is required to specify at least one forwarder if forward-policy is not 'none'.
dnsforwardzone-add
zone.test.--forwarder=
172.16.0.1--forwarder=
172.16.0.2--forward-policy
=first Zone name: zone.test. Zone forwarders: 172.16.0.1, 172.16.0.2 Forward policy: first
dnsforwardzone-mod
will modify a forward zone. Is required to specify at least one forwarder if forward-policy is not 'none'. Modifications can be performed in several ways.
dnsforwardzone-mod
zone.test.--forwarder=
172.16.0.3 Zone name: zone.test. Zone forwarders: 172.16.0.3 Forward policy: first
dnsforwardzone-mod
zone.test.--forward-policy=
only Zone name: zone.test. Zone forwarders: 172.16.0.3 Forward policy: only
dnsforwardzone-show
will show specified forward zone
dnsforwardzone-show
zone.test.
Zone name: zone.test.
Zone forwarders: 172.16.0.5
Forward policy: first
dnsforwardzone-find
will find specified forward zone
dnsforwardzone-find
zone.test.
Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: first
----------------------------
Number of entries returned 1
----------------------------
dnsforwardzone-del
will delete specified forward zone(s)
dnsforwardzone-del
zone.test.
----------------------------
Deleted forward DNS zone "zone.test."
----------------------------
dnsforwardzone-enable
will enable specified forward zone(s) NOTE: Forward zones are enabled by default.
dnsforwardzone-enable
zone.test.
----------------------------
Enabled forward DNS zone "zone.test."
----------------------------
dnsforwardzone-disable
will disable specified forward zone(s)
dnsforwardzone-disable
zone.test.
----------------------------
Disabled forward DNS zone "zone.test."
----------------------------
dnsforwardzone-add-permission
will add system permission
dnsforwardzone-add-permission
zone.test.
---------------------------------------------------------
Added system permission "Manage DNS zone zone.test."
---------------------------------------------------------
Manage DNS zone zone.test.
dnsforwardzone-remove-permission
will remove system permission
dnsforwardzone-remove-permission
zone.test.
---------------------------------------------------------
Removed system permission "Manage DNS zone zone.test."
---------------------------------------------------------
Manage DNS zone zone.test.
Updates and Upgrades
- idnsForwardZone objectclass is already supported by bind-dyndb-ldap >= 3.5. This covers also RHEL/CentOS >= 7.0 so upgrades involving only RHEL 7.x machines are seamless.
![]() | This article or section needs clarification.
|
- Unfortunatelly, we did not realize that interaction with RHEL/CentOS < 7.0 && RHEL/CentOS >= 7.1 in the same topology will not be seamless. (See bug 1175318.)
- RHEL 7.1 ships bind-dyndb-ldap >= 6.0 which relies on new object semantics which is not supported by bind-dyndb-ldap 2.3 shipped with RHEL 6.6. As a result, forward zones will stop working on old replicas as soon as RHEL 7.1 upgrade procedure is executed.
- Solution is to patch bind-dyndb-ldap in RHEL 6.6.z and add support for idnsForwardZone object class to it (see bug 1176129). It will allow RHEL 6.6.z+ replicas to continue to work after RHEL 7.1+ is joined to the topology.
- Assumption is that from a moment of upgrade to RHEL 7.1+ on all forward zones are managed from RHEL 7.1+ replicas (so the data are stored in the new format).
- add idnsForwardZone objectclass to LDAP schema
- All zones with configured forwarders and forward-policy not equal to none, will be moved to idnsForwardZone objectclass, and idnsZone class will be removed. First, the zones will be exported to LDIF as backup in /var/lib/ipa/backup/ directory, named as dns-forward-zones-backup-%Y-%m-%d-%H-%M-%S.ldif
forward-policy | none | first | only | <empty> |
---|---|---|---|---|
forwarders | master | forward | forward | forward |
no forwarders | master | master | master | master |
- Transformation to forward zones, is executed only once, by one replica only, and only if ipa version is lower than 4.0. This is ensured by detection: if 'idnsforwardzone' objectclass is presented in schema before schema upgrade, then no transformation is required, else transform master zone to forward zone using rules above.
How to Test
Basic configuration
- install IPA server with DNS, do not set up forwarders
- Set up an external DNS server (IP: 192.0.2.200)
- Configure zone example.test. on external DNS server
- Add A record host.example.test. IN A 192.0.2.111 into zone example.test. on external DNS server
Test a forward zone with forwarding only policy
- use the basic configuration above
- test zone example.test using dig: $ dig @<IPA server> A host.example.test.
- expected result: NXDOMAIN
- add forward zone on IPA server: $ ipa dnsforwardzone-add example.test. --forward-policy=only --forwarder=192.0.2.200
- test zone example.test using dig: $ dig @<IPA server> A host.example.test.
- expected result: host.example.test. IN A 192.0.2.111 record in the answer, AUTHORITY SECTION is pointing to external DNS server
Test a forward zone with forwarding none policy
- use the basic configuration above
- test zone example.test using dig: $ dig @<IPA server> A host.example.test.
- expected result: NXDOMAIN
- add global forwarder (external DNS server): ipa dnsconfig-mod --forwarder=192.168.2.200
- test zone example.test using dig: $ dig @<IPA server> A host.example.test.
- expected result: host.example.test. IN A 192.0.2.111 record in the answer, AUTHORITY SECTION is pointing to external DNS server
- add forward zone with none policy: $ ipa dnsforward-zone example.test. --forward-policy=none
- test zone example.test using dig: $ dig @<IPA server> A host.example.test.
- expected result: NXDOMAIN
Test Plan
Unit tests
- Create forward zone:
- dnsforwardzone-add fw-zone
- Expectation: missing forwarders, ValidationError
- dnsforwardzone-add fw-zone --forward-policy=only
- Expectation: missing forwarders, ValidationError
- dnsforwardzone-add fw-zone --forward-policy=none
- Expectation: add fw-zone with policy none, no forwarders
- dnsforwardzone-add fw-zone --forwarder=172.16.15.1
- Expectation: add fw-zone with policy first, forwarder 172.16.15.1
- dnsforwardzone-add fw-zone --forwarder=172.16.15.1 --forward-policy=only
- Expectation: add fw-zone with policy only, forwarder 172.16.15.1
- Try to add duplicated zone
- Expectation: DuplicationError
- dnsforwardzone-add fw-zone
- Modify forward zone
- dnsforwardzone-mod fw-zone-without-forwarders --forward-policy=only
- Expectation: missing forwarders, ValidationError
- dnsforwardzone-mod fw-zone-without-forwarders --forward-policy=first
- Expectation: missing forwarders, ValidationError
- dnsforwardzone-mod fw-zone-policy-none --forwarder={172.16.15.1,172.16.15.2}
- Expectation: zone policy=none, forwarders: 172.16.15.1, 172.16.15.2
- dnsforwardzone-mod fw-zone-with-forwarders --forward-policy=first
- Expectation: zone policy=first, forwarders=<forwarders>
- dnsforwardzone-mod fw-zone-with-forwarders --forward-policy=only
- Expectation: zone policy=only, forwarders=<forwarders>
- dnsforwardzone-mod fw-zone-without-forwarders --forward-policy=only
- Show forward zone
- dnsforwardzone-show fw-zone
- Expectation: retrieve zone
- dnsforwardzone-show fw-zone
- Find forward zone
- dnsforwardzone-find <expr>
- Expectation: show all forward zones matching expression
- dnsforwardzone-find <expr>
- Disable/Enable forward zone
- dnsforwardzone-enable fw-zone
- Expectation: fw-zone becomes enabled
- dnsforwardzone-disable fw-zone
- Expectation: fw-zone becomes disabled
- dnsforwardzone-enable fw-zone
- Add/Remove per-zone permission
- dnsforwardzone-add-permision fw-zone
- Expectation: create system permission for fw-zone
- dnsforwardzone-remove-permission fw-zone
- Expectation: remove system permission for fw-zone
- dnsforwardzone-add-permision fw-zone
- Delete forward zone
- dnszone-del fw-zone
- Expectation: Zone is removed
- dnszone-del fw-zone
- Mutual exclusion with master zones (*-add)
- dnszone-add zone-exists-as-forward
- Expectation: DuplicateError
- dnsforwardzone-add zone-exists-as-master
- Expectation: DuplicateError
- dnszone-add zone-exists-as-forward
- Mutual exclusion with master zones (*-find)
- dnszone-find
- Expectation: Lists ONLY master zones
- dnsforwardzone-find
- Expectation: LIsts ONLY forward zones
- dnszone-find
- Mutual exclusion with master zones (others)
- dnszone-* forward-zone
- Expectation: NotFound Error
- dnsforwardzone-* master-zone
- Expectation: NotFound Error
- dnszone-* forward-zone
- Prevent dnsrecord-* commands work with forwardzone
- dnsrecord-* forward-zone
- Expectation: ValidationError: only master zones can contain records
- dnsrecord-* forward-zone