Well, I've tested this and so far no weirdness has occurred when adding a
replica or making various changes via the web UI, as far as I can tell
nothing rewrites the named.conf after the replica has been set up.
Changed "allow-recursion { any; }" to "allow-recursion { internal; }", and
added the following ACL:

    acl "internal" {
        10.0.0.0/8;
        localhost;
        localnets;
    };
Also figured out that I can change the faked mname in the web UI at Network
Services > DNS > DNS Servers > (select a server) > SOA mname override. This
of course changes the mname for zones that only resolve internally to (most
of them) but it doesn't matter because the external name I set will be
accessible internally too, and everything nominally uses the internal IPs
of the replicas for name resolution anyways. I added externally resolvable
names for the replicas to the public zone, changed the NS records to those,
and set the fake mname accordingly for each server. Presto! Public zone
served from FreeIPA without public recursion, on the same server that handles
internal zones with recursion, and so far no changes I've made in the web
UI have rewritten my zones to undo any of this (which apparently used to be
a problem?)
Still would be nice if I could set this up via the UI and thus have the ACL
automatically configured on every replica, but it's no big deal, since once
I set it in named.conf IPA doesn't appear to change it.
On Tue, Nov 27, 2018 at 10:26 PM Jonathan Vaughn <jonathan(a)creatuity.com>
wrote:
We have a use case for letting the FreeIPA named instances handle public
DNS for some zones, but we don't want them to allow anyone to use it as a
recursive resolver (DOS attacks and such).
I tested simply changing 'any' to 'none' for the allow-recursion setting
in /etc/named.conf and that worked as expected - the next step being to
actually set it like we have our existing non-IPA servers configured to
allow only internal/known public subnets to perform recursion, which I
expect will work as well (using a named ACL instead of none/any).
Is there a nice UI way (or command line) to change the allow-recursion
setting in a way that is more in line with the usual management of settings
for FreeIPA, and would ensure it wouldn't get overwritten at some point by
FreeIPA? Is that even a concern, or should we expect that /etc/named.conf
is going to be safe from changes due to anything like adding/removing
replicas and so on (looks like that may all be in LDAP)?
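The two messages above describe the same hand edit of /etc/named.conf on each replica: define an "internal" ACL and point allow-recursion at it instead of "any", so the public zones are served without the server acting as an open resolver. The script below is an added example, not code from either poster or from FreeIPA; it makes that edit repeatable and idempotent so it can be run on every replica, and checks the result. It operates on a constructed named.conf fragment so it runs offline; the ACL contents, the path and the fact that the FreeIPA-generated file uses exactly "allow-recursion { any; };" are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): restrict BIND recursion
# to an internal ACL on a FreeIPA-managed named.conf, idempotently.
set -eu

# Constructed fragment standing in for a replica's /etc/named.conf (assumption:
# the real file has many more options; only these lines matter here).
SAMPLE_CONF='options {
	directory "/var/named";
	recursion yes;
	allow-recursion { any; };
	dnssec-validation yes;
};
'

# Prints "open" if the file still lets any client recurse, "restricted" otherwise.
recursion_state() {
	if grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;' "$1"; then
		echo open
	else
		echo restricted
	fi
}

# Rewrite $1 in place: add the "internal" ACL if it is missing and point
# allow-recursion at it. Running it twice leaves the file unchanged.
restrict_recursion() {
	conf=$1
	if ! grep -q '^acl "internal"' "$conf"; then
		# BIND requires an acl to be defined before it is referenced, so the
		# block is prepended rather than appended.
		{
			printf 'acl "internal" {\n\t10.0.0.0/8;\n\tlocalhost;\n\tlocalnets;\n};\n\n'
			cat "$conf"
		} > "$conf.tmp"
		mv "$conf.tmp" "$conf"
	fi
	# Keep the original indentation and trailing ";" while swapping any -> internal.
	sed 's/^\([[:space:]]*\)allow-recursion[[:space:]]*{[[:space:]]*any[[:space:]]*;[[:space:]]*}/\1allow-recursion { internal; }/' \
		"$conf" > "$conf.tmp"
	mv "$conf.tmp" "$conf"
}

# Demo on the constructed sample; on a replica the target would be /etc/named.conf.
demo=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo"
echo "before: $(recursion_state "$demo")"
restrict_recursion "$demo"
echo "after:  $(recursion_state "$demo")"
# Syntax-check with BIND's own tool when it is installed (skipped otherwise).
if command -v named-checkconf >/dev/null 2>&1; then
	named-checkconf "$demo"
fi
rm -f "$demo"
```

After running it on a real replica, reload named (rndc reconfig) and confirm from an address outside the ACL that a recursive query for a name you do not host is refused while a query for the public zone is still answered; that external check is the one that actually proves the server is no longer an open resolver.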