[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview
Martin Kosek
mkosek at redhat.com
Thu Oct 16 18:39:05 UTC 2014
On 10/16/2014 08:01 PM, Petr Spacek wrote:
....
>> 1)
>>
>> I'm not sure if failing on DNSSEC-disabled forwarders by default is a good
>> idea. Perhaps there could be some auto-detection code? Something along the
>> lines of:
>>
>> if forwarders_support_dnssec:
>>     if not options.no_dnssec_validation:
>>         enable_dnssec_in_ipa()
>> else:
>>     print "WARNING: DNSSEC will not be enabled"
>
> We have discussed this with Martin
... Martin Basti/Martin2... Given there are more Martins in the team, you
should be more specific :-)
> and the intent is to tell people that their
> infrastructure is broken and has to be fixed - sooner is better.
>
> There is an option --no-dnssec-validation for people who like broken
> infrastructure.
"Broken infrastructure" is a rather strong word for the situation when just DNSSEC
is not configured (it may work for the customer otherwise). "Infrastructure
does not follow the most up-to-date standards" may be more precise.
From my POV, this may be too strict. People may already use ipa-server-install
in their scripts, and it suddenly requiring a new option may be seen as breakage.
So maybe it would be better to just print a big fat warning including a [yes|no]
question to continue during ipa-server-install, and just print a warning in
unattended mode (and disable DNSSEC validation).
We can always be more strict in next release. CCing Simo and Rob in case they
have different opinions.
Martin
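The decision flow proposed in this message, written out as an added example (not FreeIPA's own installer code): the forwarder probe result and the interactive [yes|no] prompt are passed in as values/callables, which are assumptions made so the logic can be exercised offline.

```python
# Added example, not FreeIPA code: the installer decision flow discussed above.
# forwarders_support_dnssec stands in for an auto-detection probe; ask_yes_no
# stands in for the interactive prompt. Both are assumptions for this sketch.
from dataclasses import dataclass, field


@dataclass
class Decision:
    dnssec_validation: bool          # what the installer would configure
    proceed: bool                    # False means the installer should stop
    warnings: list = field(default_factory=list)


def decide_dnssec(forwarders_support_dnssec, no_dnssec_validation,
                  unattended, ask_yes_no):
    """Return a Decision for the DNSSEC validation setting.

    forwarders_support_dnssec: result of probing the configured forwarders.
    no_dnssec_validation:      the --no-dnssec-validation option.
    unattended:                True for scripted installs (no prompts).
    ask_yes_no:                callback returning True/False for a question.
    """
    warnings = []
    if no_dnssec_validation:
        # Explicit opt-out: honour it without prompting.
        return Decision(False, True, warnings)
    if forwarders_support_dnssec:
        return Decision(True, True, warnings)
    warnings.append("WARNING: forwarders do not support DNSSEC; "
                    "DNSSEC validation will not be enabled")
    if unattended:
        # Scripted install: warn and continue with validation disabled,
        # so existing scripts keep working without a new option.
        return Decision(False, True, warnings)
    # Interactive install: big fat warning plus a [yes|no] question.
    if ask_yes_no("Continue with DNSSEC validation disabled? [yes|no]"):
        return Decision(False, True, warnings)
    return Decision(False, False, warnings)
```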