On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I notice that when sssd is configured to update DNS, it's only updating
> the DNS forward zone, it's not updating the DNS reverse zone. And I
> cannot find any option for enabling updating of the reverse DNS zone.
>
> Have I missed something? Or is updating the reverse zone not supported?
It is not supported at this time.

While we have a way to determine if your host has any right to update the machine A/AAAA name, because we can check if the host authenticated using a key of type host/<A-name>@REALM, we have no way to validate that a host has any right to update a PTR record.

Allowing a host to change any PTR record in any reverse zone would be very disruptive, as a compromised host could change PTR records for important servers.

We are trying to make sure (patches, configurations) that reverse resolution is disabled for Kerberos and canonicalization does not use it by default, as it is unreliable in any case.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
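The authorization rule Simo describes, written out as an added illustration (this is not sssd or FreeIPA code): a principal of the form host/<fqdn>@REALM vouches only for the A/AAAA record owned by that fqdn, and a PTR update is refused because nothing in the principal ties it to a reverse name. The principal and record names below are constructed sample values.

```python
# Added illustration, not sssd/FreeIPA code: decide whether an authenticated
# Kerberos principal may change a given DNS record, following the rule that
# host/<A-name>@REALM authorizes only that host's own forward record.
import re
from typing import Optional, Tuple

# host/<fqdn>@<REALM>; the fqdn must not contain '/' or '@'
PRINCIPAL_RE = re.compile(r"^host/(?P<fqdn>[^@/]+)@(?P<realm>[^@]+)$")


def principal_host(principal: str) -> Optional[str]:
    """Return the normalized FQDN from a host principal, or None if it is not one."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return None
    return m.group("fqdn").lower().rstrip(".")


def authorize_update(principal: str, rrtype: str, owner: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for an update of owner/rrtype by principal.

    A/AAAA: allowed only when the owner name equals the principal's host name.
    PTR: always denied; the reverse owner (e.g. 10.2.0.192.in-addr.arpa) cannot
    be tied to the principal without trusting the mapping being changed.
    Anything else: denied.
    """
    fqdn = principal_host(principal)
    if fqdn is None:
        return False, "not a host/ principal"
    rrtype = rrtype.upper()
    if rrtype == "PTR":
        return False, "PTR ownership cannot be derived from a host principal"
    if rrtype in ("A", "AAAA"):
        if owner.lower().rstrip(".") == fqdn:
            return True, "owner matches principal host name"
        return False, "owner does not match principal host name"
    return False, "record type not covered by the host principal"


def evaluate_batch(requests):
    """Apply authorize_update to (principal, rrtype, owner) tuples; return decisions."""
    return [(p, t, o, *authorize_update(p, t, o)) for p, t, o in requests]


if __name__ == "__main__":
    # Constructed sample requests: forward update for own name, forward update
    # for another server's name, and a reverse-zone update.
    sample = [
        ("host/web01.example.com@EXAMPLE.COM", "A", "web01.example.com."),
        ("host/web01.example.com@EXAMPLE.COM", "A", "ipa.example.com."),
        ("host/web01.example.com@EXAMPLE.COM", "PTR", "10.2.0.192.in-addr.arpa."),
    ]
    for p, t, o, ok, why in evaluate_batch(sample):
        print(f"{'ALLOW' if ok else 'DENY '} {t:<4} {o:<28} {p}: {why}")
```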
