We have a use case for letting the FreeIPA named instances handle public DNS for some zones, but we don't want them to allow anyone to use it as a recursive resolver (DoS attacks and such).

I tested simply changing 'any' to 'none' for the allow-recursion setting in /etc/named.conf and that worked as expected - the next step being to actually set it like we have our existing non-IPA servers configured to allow only internal/known public subnets to perform recursion, which I expect will work as well (using a named ACL instead of none/any).

Is there a nice UI way (or command line) to change the allow-recursion setting in a way that is more in line with the usual management of settings for FreeIPA, and would ensure it wouldn't get overwritten at some point by FreeIPA? Is that even a concern, or should we expect that /etc/named.conf is going to be safe from changes due to anything like adding/removing replicas and so on (looks like that may all be in LDAP)?
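
An added example, not part of the original post: a small check that reads named.conf text and reports whether `allow-recursion` is open, disabled, or limited to a named ACL, which can be rerun after upgrades or replica changes to catch the setting being reverted. The ACL name `trusted_nets`, the subnets and the sample file are constructed; the parser is simplified and does not handle nested ACLs or `include` files.

```python
import re

# Constructed sample named.conf fragment (not from a real FreeIPA host).
SAMPLE_CONF = """
acl "trusted_nets" {
    10.0.0.0/8;      // internal
    192.0.2.0/24;    // known public subnet (documentation range)
};
options {
    directory "/var/named";
    allow-recursion { trusted_nets; };
    # allow-recursion { any; };
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments so commented-out settings are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def split_list(body):
    """Split a ';'-separated address match list into its entries."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def recursion_clients(conf):
    """Return the allow-recursion entries with named ACLs expanded, or None if unset."""
    text = strip_comments(conf)
    acls = {name: split_list(body) for name, body in
            re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', text)}
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        return None  # not set: BIND falls back to its built-in defaults
    resolved = []
    for entry in split_list(m.group(1)):
        resolved.extend(acls.get(entry, [entry]))  # expand one level of ACL
    return resolved

def audit(conf):
    """Classify the recursion policy: open, disabled, restricted or unset."""
    clients = recursion_clients(conf)
    if clients is None:
        return "unset"
    if any(c in ("any", "0.0.0.0/0", "::/0") for c in clients):
        return "open"
    if not clients or clients == ["none"]:
        return "disabled"
    return "restricted"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF), recursion_clients(SAMPLE_CONF))
```

To check a live server, pass the contents of /etc/named.conf to `audit()` instead of the sample.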