[Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support

Jan Cholasta jcholast at redhat.com
Tue Oct 21 06:33:33 UTC 2014


On 20.10.2014 at 23:40, Martin Basti wrote:
> On 20/10/14 18:28, Jan Cholasta wrote:
>> Hi,
>>
>> On 20.10.2014 at 17:37, Petr Spacek wrote:
>>> On 20.10.2014 17:21, Martin Basti wrote:
>>>> Hello! Hold your hats, DNSSEC patches are here.
>>>>
>>>> Martin^2, Petr^2
>>>
>>> For testing you will need the following package:
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
>>>
>>>  From me, functional self-ACK :-)
>>>
>>
>> Patch 117:
>>
>> 1)
>>
>> As we discussed off-line, this code is wrong and a ticket should be
>> opened to fix it to properly handle service files conflicting with the
>> mask command:
>>
>> +        if instance_name != "":
>> +            srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
>> instance_name)
>> +            # remove instance file or link before masking
>> +            if os.path.islink(srv_tgt):
>> +                os.unlink(srv_tgt)
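
Review bot: the `os.path.islink(srv_tgt)` check only removes a symlink, while the comment directly above it says "remove instance file or link before masking"; a regular unit file at `srv_tgt` is left in place and will still conflict with the mask. Either handle the regular-file case explicitly (move it aside or fail with a clear error) or correct the comment. Separately, `if instance_name:` is the idiomatic form of the `!= ""` test.
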
>>
>>
>> Patch 137:
>>
>> 1)
>>
>> There are some whitespace errors:
>>
>> Applying: DNSSEC: add ipapk11helper module
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
>> trailing whitespace.
>>  *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
>> trailing whitespace.
>>  *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
>> trailing whitespace.
>>  *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
>> trailing whitespace.
>>  *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
>> trailing whitespace.
>>  *
>> warning: squelched 3 whitespace errors
>> warning: 8 lines add whitespace errors.
>>
>>
>> Patch 138:
>>
>> 1)
>>
>> There is a whitespace error:
>>
>> Applying: DNSSEC: DNS key synchronization daemon
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
>> blank line at EOF.
>> +
>> warning: 1 line adds whitespace errors.
>>
>>
>> Patch 140:
>>
>> 1)
>>
>> Unless there is a dnssec_keys ipalib plugin, I don't think there
>> should be container_dnssec_keys. Use "DN(('cn', 'keys'), ('cn',
>> 'sec'), api.env.container_dns, ...)" instead of
>> "DN(api.env.container_dnssec_keys, ...)".
>>
>>
>> 2)
>>
>> The masking method definitions in PlatformService should be moved to
>> patch 117.
>>
>>
>> 3)
>>
>> The changes in dnskeysyncinstance.py, odsexportedinstance.py and
>> opendnssecinstance.py should be moved to patches 138 and 139.
>>
>>
>> Patch 147:
>>
>> 1)
>>
>> There are some whitespace errors:
>>
>> Applying: DNSSEC: add ipa dnssec daemons
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
>> trailing whitespace.
>>     # synchronize metadata about master keys in LDAP
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
>> trailing whitespace.
>>
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
>> trailing whitespace.
>>
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
>> blank line at EOF.
>> +
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
>> blank line at EOF.
>> +
>> warning: squelched 1 whitespace error
>> warning: 6 lines add whitespace errors.
>>
>>
>> Honza
>>
> Whitespaces fixed,
>   mask, and dnssec_container issues move to 4.1.1 please.

mask ACK, container NACK - I don't think we want to introduce a new 
configuration option and deprecate it right away and it's a change in 
just 3 lines of code.

>
> But we have schema conflict:
>
> [20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
> file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
> invalid, error code 20 (Type or value exists) - object class
> ipaOverrideTarget: The name does not match the OID
> "2.16.840.1.113730.3.8.12.34". Another object class is already using the
> name or OID.
>
> git grep -n "2.16.840.1.113730.3.8.12.34"
> install/share/60basev3.ldif:79:objectClasses:
> (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
> storage for encoded key material' SUP top AUXILIARY MUST (
> ipaSecretKeyRef ) X-...
>
> install/share/71idviews.ldif:8:objectClasses:
> (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
> MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
>
> Updated patches attached.
> "2.16.840.1.113730.3.8.12.35" is not used, I change it in patch mbasti-0150

NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for 
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget, 
so it's ipaOverrideTarget which should be fixed.

-- 
Jan Cholasta
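
A check for the kind of OID collision discussed in this message, as an added example that is not part of the original thread or of FreeIPA's code: it scans schema LDIF text and reports any OID defined under more than one name. The sample input is constructed from the two definitions quoted above; the function names and the `2.999.1.1` control entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two definitions quoted in the thread. The
# elided "X-..." tail is dropped; 2.999.1.1 / exampleAttr is a made-up control.
SAMPLE = {
    "60basev3.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject'\n"
        "  DESC 'Indirect storage for encoded key material' SUP top AUXILIARY\n"
        "  MUST ( ipaSecretKeyRef ) )\n"
    ),
    "71idviews.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: (2.999.1.1 NAME 'exampleAttr' SUP name )\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top\n"
        "  STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )\n"
    ),
}

# Kind, numeric OID and first NAME of a schema definition on one logical line.
DEF_RE = re.compile(
    r"^(objectClasses|attributeTypes):\s*\(\s*([0-9.]+)\s+NAME\s+\(?\s*'([^']+)'", re.I)

def logical_lines(text):
    """Yield (first_lineno, line) with LDIF continuation lines unfolded."""
    start, buf = 0, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]          # a fold is newline + one space
        else:
            if buf is not None:
                yield start, buf
            start, buf = lineno, raw
    if buf is not None:
        yield start, buf

def find_oid_conflicts(files):
    """Map each OID defined under more than one name to its (file, line, name) uses."""
    seen = defaultdict(list)
    for fname, text in files.items():
        for lineno, line in logical_lines(text):
            m = DEF_RE.match(line)
            if m:
                seen[m.group(2)].append((fname, lineno, m.group(3)))
    return {oid: uses for oid, uses in seen.items()
            if len({name.lower() for _, _, name in uses}) > 1}

if __name__ == "__main__":
    for oid, uses in find_oid_conflicts(SAMPLE).items():
        for fname, lineno, name in uses:
            print(f"{oid} claimed by {name} at {fname}:{lineno}")
```

To run it over a source tree, build the `files` mapping from the schema `.ldif` files on disk instead of `SAMPLE`.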



