Hello, it's release time!
Bump NVR to 5.0 and update README and NEWS to describe DNSSEC support and changes in forwarding semantics.
-- Petr^2 Spacek
From d093af67072e44ce65be04c7267c4dbaa6cadf08 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 24 Jun 2014 16:14:28 +0200 Subject: [PATCH] Update README and NEWS: DNSSEC and changes in forwarding semantics. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 https://fedorahosted.org/bind-dyndb-ldap/ticket/99 Signed-off-by: Petr Spacek <pspa...@redhat.com> --- NEWS | 14 ++++++++ README | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 122 insertions(+), 13 deletions(-) diff --git a/NEWS b/NEWS index edfe8d71298843d1e9380a49baa49d86a52a8481..970ab7781d4775a499bded3c0299a759f4630f74 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,17 @@ +5.0 +==== +[1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be + signed with keys provided by user. + +[2] DNSKEY, RRSIG, NSEC and NSEC3 records are automatically managed + by BIND+bind-dyndb-ldap. Respective attributes in LDAP are ignored. + +[3] Forwarder semantic was changed to match BIND's semantic: + - idnsZone object always represent master zone + - idnsForwardZone object (new) always represent forward zone + +[4] Master root zone can be stored in LDAP. + 4.4 ==== [1] Error handling for zone loading was fixed. diff --git a/README b/README index b2c3653ef3ae653e4454ec43e341a220a4968e8f..4e3082b3b6fd6d7f8abcdb9f4c0803569eb0f896 100644 --- a/README +++ b/README @@ -10,16 +10,17 @@ for your version here: Hopefully, the patch will once be included in the official BIND release. -Because of bug in dns_db_unregister() in older BIND versions, BIND >= 9.7.0a1 -is required. +BIND >= 9.9.0 is required. 2. Features =========== + * support for dynamic updates * SASL authentication * SyncRepl (RFC 4533) for run-time synchronization with LDAP server * read-query performance nearly same as with plain BIND * AXFR and IXFR zone transfers are supported +* DNSSEC in-line signing is supported, including dynamic updates 3. Installation 
@@ -51,9 +52,11 @@ This will install the file ldap.so into the <libdir>/bind/ directory. You can find the complete LDAP schema in the documentation directory. An example zone ldif is available in the doc directory. -4.1 Zone (idnsZone) attributes ------------------------------- +4.1 Master zone (idnsZone) +-------------------------- +Object class idnsZone is equivalent to type "master" statement in named.conf. +Attributes: * idnsAllowDynUpdate Allow dynamic update of records in this zone. If attribute doesn't exist, value "dyn_update" from plugin configuration will be used. 
@@ -94,24 +97,46 @@ example zone ldif is available in the doc directory. i.e. effectively disables forwarding and ignores idnsForwarders attribute. - Value "none" disables forwarding for given zone and ignores - global forwarders. Zone with forward policy "none" is considered - as type "master", not "forward". Values "first" and "only" are relevant in conjunction with a valid idnsForwarders attribute. Their meaning is same as in BIND9. * idnsForwarders - Defines multiple IP addresses to which queries will be forwarded and - effectively creates "forward" zones. + Defines multiple IP addresses to which recursive queries will be + forwarded. This is equivalent to "forwarders" statement in "master" + zone configuration. + + I.e. local BIND replies authoritatively to queries when possible + (including authoritative NXDOMAIN answers) so forwarding affects only + queries made by BIND to answer recursive queries which cannot be + answered locally. Please see + https://lists.isc.org/pipermail/bind-users/2006-January/060810.html + https://lists.isc.org/pipermail/bind-users/2011-March/083244.html + It is multi-value attribute: Each IP address (and optional port) has to be in own value. BIND9 syntax for "forwarders" is required. Optional port can be specified by adding " port <number>" after IP address. IPv4 and IPv6 addresses are supported. Examples: "1.2.3.4" or "1.2.3.4 port 553" or "A::B" or "A::B port 553" - Zones with idnsForwarders attribute specified and forward policy other - than "none" are considered as "forward" zones. All records in LDAP - belonging to those zones are ignored and all queries are forwarded. +* idnsName + Absolute name of DNS zone. It is recommended to use names with trailing + period, e.g. "example.com." + +* idnsSecInlineSigning (default FALSE) + DNSSEC in-line signing configuration. 
Value TRUE is equivalent to + following zone configuration in named.conf (default BIND values): + + auto-dnssec maintain; + sig-validity-interval 2592000; # 30 days + # re-sign interval will be 648000 seconds = 7.5 days + sig-signing-signatures 10; + sig-signing-nodes 10; + sig-signing-type 65534; + update-check-ksk yes; + dnssec-loadkeys-interval 60; # minutes + key-directory "<plugin-instance-dir>/<zone-name>/keys"; + + There is no way to change those values at this moment. * idnsSOAserial SOA serial number. It is automatically incremented after each change 
@@ -130,6 +155,41 @@ example zone ldif is available in the doc directory. masters aren't synchronized. It will cause problems with zone transfers from multiple masters to single slave. +* nSEC3PARAMRecord + NSEC3PARAM resource record definition according to RFC5155. + Zone without NSEC3PARAM RR will use NSEC by default. + + +4.2 Forward zone (idnsForwardZone) +---------------------------------- +Object class idnsForwardZone is equivalent to type "forward" statement +in named.conf. + +Attributes: +* idnsForwarders + Defines multiple IP addresses to which all queries for sub-tree of DNS + will be forwarded. This is equivalent to "forwarders" statement in + "forward" zone configuration. + + It is multi-value attribute: Each IP address (and optional port) has to + be in own value. BIND9 syntax for "forwarders" is required. + Optional port can be specified by adding " port <number>" after IP + address. IPv4 and IPv6 addresses are supported. + Examples: "1.2.3.4" or "1.2.3.4 port 553" or "A::B" or "A::B port 553" + +* idnsForwardPolicy (default "first") + Specifies BIND9 zone forward policy. Proprietary value "none" + is equivalent to "forwarders {};" in BIND configuration, + i.e. effectively disables forwarding and ignores idnsForwarders + attribute. + + Values "first" and "only" are relevant in conjunction with a valid + idnsForwarders attribute. Their meaning is same as in BIND9. + +* idnsName + Absolute name of DNS zone. It is recommended to use names with trailing + period, e.g. "example.com." + 5. Configuration ================ 
@@ -308,7 +368,42 @@ sync_ptr = idnsAllowSyncPTR Forward policy option cannot be set without setting forwarders at the same time. -6. License +6. DNSSEC support +================= + +In-line signing support in this plugin allows to use this BIND feature +for zones in LDAP. + +Signatures are automatically generated by plugin during zone loading +and signatures are never written back to LDAP. DNSKEY, RRSIG, NSEC and NSEC3 +records in LDAP are ignored because they are automatically managed by BIND. + +NSEC3 can be enabled by writting NSEC3PARAM RR to particular zone object +in LDAP. + +Dynamic updates made to in-line signed zones are written back to LDAP as usual +and respective signatures are automatically re-generated as necessary. + +Key management has to be handled by user, i.e. user has to +generate/delete keys and configure key timestamps as appropriate. + +Key directory for particular DNS zone is automatically configured to value: +<plugin-instance-dir>/<zone-name>/keys + +<plugin-instance-dir> is described in section 5.1.3 of this file. +<zone-name> is textual representation of zone name without trailing period. + +Example: +* BIND directory: "/var/named" +* bind-dyndb-ldap directory: "dyndb-ldap" +* LDAP instance name: "ipa" +* DNS zone: "example.com." +* Resulting keys directory: "/var/named/dyndb-ldap/ipa/example.com/keys" + +Make sure that keys directory and files is readable by user used for BIND. + + +7. License ========== This package is licensed under the GNU General Public License, version 2 -- 1.9.3
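Review bot: the NEWS hunk omits two user-visible changes that the README hunks in this same patch introduce: the minimum BIND version is raised from 9.7.0a1 to 9.9.0, and existing idnsZone objects that carry idnsForwarders with a policy other than "none" stop being forward zones after the upgrade and become authoritative masters, so records previously ignored in LDAP will now be served and names missing from LDAP will get an authoritative NXDOMAIN instead of being forwarded. Both deserve a NEWS line, the second as an explicit migration note telling administrators to convert such objects to idnsForwardZone. Also fix the grammar in item [3]: "semantic" should be "semantics" and "always represent" should be "always represents" (twice).

Review bot: in the README 4.1 hunk, the idnsSecInlineSigning fragment is labelled as named.conf syntax but "sig-validity-interval 2592000; # 30 days" is not how named.conf expresses it; the statement takes a number of days, so the equivalent line is "sig-validity-interval 30;" and 2592000 is only the value in seconds. Either correct the fragment or state that the numbers are the raw values the plugin passes to BIND rather than named.conf text, otherwise readers who copy it into a real master zone will get a 2592000-day validity.

Review bot: in the README 4.2 hunk, the idnsForwardPolicy text is copied verbatim from the master-zone section, including the "none" value; for an idnsForwardZone, policy "none" with "forwarders {};" leaves a forward zone that forwards nowhere, which for BIND means it cancels forwarding inherited from global options for that subtree. Say so explicitly here instead of reusing the master-zone wording, since the effect (breaking resolution of that subtree on a non-recursive server) differs from the master-zone case where local data still answers.

Review bot: in the README section 6 hunk, "Make sure that keys directory and files is readable by user used for BIND." should be "Make sure that the keys directory and the files in it are readable by the user BIND runs as." and, because the directory holds the zone's private signing keys, it should also say that those files must not be readable by other users. The same hunk has "writting" for "writing", and the key-management paragraph would be more useful if it named the BIND tools the user is expected to run (dnssec-keygen for generation, dnssec-settime for the timestamps it mentions) and pointed out that dnssec-loadkeys-interval 60 from section 4.1 means a newly placed key is picked up within an hour, not immediately.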
From c12f72dd3edf34c943a108f90c9fd0dac82a716b Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 24 Jun 2014 17:05:39 +0200 Subject: [PATCH] Bump NVR to 5.0. Signed-off-by: Petr Spacek <pspa...@redhat.com> --- configure.ac | 2 +- contrib/bind-dyndb-ldap.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 3febad84fb51ec24b4d4c141db80379452085695..9e33116e7a39f9a622cb95a8373135b211e31c42 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.59]) -AC_INIT([bind-dyndb-ldap], [4.4], [freeipa-devel@redhat.com]) +AC_INIT([bind-dyndb-ldap], [5.0], [freeipa-devel@redhat.com]) AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index f501b71672fe6569c3f65ecaee3c0ccb7593cb6e..f634e5759710c65897c74510ee1821e89ef99eb4 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -1,7 +1,7 @@ %define VERSION %{version} Name: bind-dyndb-ldap -Version: 4.4 +Version: 5.0 Release: 0%{?dist} Summary: LDAP back-end plug-in for BIND -- 1.9.3
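Review bot: the spec hunk bumps Version to 5.0 but shows no accompanying %changelog entry; if contrib/bind-dyndb-ldap.spec keeps a %changelog, add the 5.0 entry in the same commit so the package metadata matches the NEWS file from the previous patch. configure.ac and the spec now agree on 5.0, which is the right place to keep them in sync.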
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel