[Freeipa-devel] [WIP] DNSSEC check for DNS forwarders

Petr Spacek pspacek at redhat.com
Thu Oct 9 10:45:00 UTC 2014


I have accidentally sent the e-mail twice. Please reply to the thread with 
the additional [PATCH] keyword in the subject and let this thread die.

On 9.10.2014 10:50, Petr Spacek wrote:
> Hello,
>
> bad things will happen (i.e. external DNS resolution will not work) if
> configured DNS forwarders are not standards-compliant, i.e. EDNS or DNSSEC
> support is not enabled.
>
> For this reason I'm proposing to add an explicit check to the IPA installer and
> possibly even to the dnsconfig-mod/dnszone-mod commands so forwarders are
> tested before putting them in effect.
>
> This check should detect failures soon and prevent surprises where IPA
> installs itself but DNS resolution doesn't work for some domains etc.
>
>
> Instructions for attached patch/script:
> # ./dnssec_test.py 127.127.127.127
> -> Will (likely) time-out, print a warning and return None
> - This should be a reason to abort installation because forwarder doesn't work
> at all.
>
> # ./dnssec_test.py 10.1.2.3
> - Result depends on your local resolver.
> - In RH's network it will print a scary warning message and return False
> because internal forwarder doesn't support DNSSEC.
> - Should be a reason to abort installation. (This could be overridden by
> --force switch but then "dnssec-validation" option in /etc/named.conf has to
> be set to "no" otherwise IPA DNS will not work properly.)
> (I would rather force people to flip the switch in named.conf on forwarder so
> this could be a hidden option.)
>
> # ./dnssec_test.py 199.7.83.42
> -> Should return True - forwarder works and DNSSEC is supported
> - Installation should continue.
>
> Please voice your concerns ASAP.


-- 
Petr^2 Spacek
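The probe the thread describes, written as an added example rather than the dnssec_test.py patch attached to the original mail: it sends a recursive `. SOA` query with an EDNS0 OPT record carrying the DO bit, then classifies the reply the way the installer would. The verdicts mirror the mail (None when the forwarder does not answer at all, False when it answers without EDNS0 or without RRSIGs, True when a signed answer comes back). Only the standard library is used; the wire-format layout follows RFC 1035 and RFC 6891. `build_response` is a test helper that synthesises replies offline, so the parser can be checked without a network; the function names and the 3-second timeout are assumptions of this example.

```python
"""Probe a DNS forwarder for EDNS0 and DNSSEC support (added example).

Verdicts, in the terms used on the freeipa-devel thread:
  None  -> no reply (timeout): forwarder unusable, abort
  False -> reply without EDNS0 OPT or without RRSIGs: validation would fail
  True  -> EDNS0 reply carrying RRSIGs: forwarder is fine
"""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000          # "DNSSEC OK" bit, carried in the OPT RR TTL field
EDNS_UDP_SIZE = 4096      # advertised UDP payload size, in the OPT RR CLASS field


def encode_name(name):
    """Encode a dotted name in wire format ('.' becomes a single zero byte)."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def opt_record():
    """OPT pseudo-RR: root name, type 41, CLASS=UDP size, TTL=flags with DO set."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, EDNS_DO, 0)


def build_query(qname=".", qtype=TYPE_SOA, txid=0x1234):
    """Recursive query for qname/qtype plus an EDNS0 OPT RR asking for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + opt_record()


def skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def build_response(query, answer_types=(), with_opt=True, rcode=0):
    """Synthesise a reply to `query` for offline tests (constructed, dummy RDATA)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answers = b"".join(                      # name = pointer to the question name
        b"\xc0\x0c" + struct.pack("!HHIH", t, CLASS_IN, 3600, 4) + b"\x00" * 4
        for t in answer_types)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | rcode,
                         1, len(answer_types), 0, 1 if with_opt else 0)
    return header + question + answers + (opt_record() if with_opt else b"")


def parse_response(buf):
    """Return (rcode, ad_flag, answer_types, additional_types) from a reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4        # skip QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        types = []
        for _ in range(count):
            off = skip_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return flags & 0x000F, bool(flags & FLAG_AD), sections[0], sections[2]


def evaluate(buf):
    """Map a reply to (verdict, reason); RRSIG presence is what a validating resolver needs."""
    rcode, ad, answer_types, additional_types = parse_response(buf)
    if rcode != 0:
        return False, "forwarder returned RCODE %d" % rcode
    if TYPE_OPT not in additional_types:
        return False, "no OPT RR in reply: forwarder does not support EDNS0"
    if TYPE_RRSIG not in answer_types:
        return False, "DO bit ignored: no RRSIG in answer, DNSSEC not supported"
    # AD only tells us whether the forwarder itself validated; not required here.
    return True, "EDNS0 and DNSSEC OK (AD flag %s)" % ("set" if ad else "not set")


def check_forwarder(ip, timeout=3.0):
    """Send the probe over UDP; None on timeout, otherwise evaluate()'s verdict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(), (ip, 53))
        data = sock.recv(EDNS_UDP_SIZE)
    except socket.timeout:
        print("WARNING: no reply from forwarder %s" % ip)
        return None
    finally:
        sock.close()
    ok, reason = evaluate(data)
    if not ok:
        print("WARNING: forwarder %s: %s" % (ip, reason))
    return ok


if __name__ == "__main__":
    import sys
    print(check_forwarder(sys.argv[1]))
```

Run as `./probe.py <forwarder-ip>` it prints None, False or True just as the three invocations in the mail describe. Checking for an RRSIG in the answer rather than for the AD flag is deliberate: a forwarder that does not validate itself but passes signatures through is still usable by a validating named, whereas one that drops the OPT record or the signatures will cause SERVFAIL for every signed zone once `dnssec-validation` is on.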
