[Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 21 06:45:01 UTC 2014


On Tue, 21 Oct 2014, Jan Cholasta wrote:
>Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
>>On 20/10/14 18:28, Jan Cholasta wrote:
>>>Hi,
>>>
>>>Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
>>>>On 20.10.2014 17:21, Martin Basti wrote:
>>>>>Hello! Hold your hats, DNSSEC patches are here.
>>>>>
>>>>>Martin^2, Petr^2
>>>>
>>>>For testing you will need following package:
>>>>http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
>>>>
>>>>From me, functional self-ACK :-)
>>>>
>>>
>>>Patch 117:
>>>
>>>1)
>>>
>>>As we discussed off-line, this code is wrong and a ticket should be
>>>opened to fix it to properly handle service files conflicting with the
>>>mask command:
>>>
>>>+        if instance_name != "":
>>>+            srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
>>>instance_name)
>>>+            # remove instance file or link before masking
>>>+            if os.path.islink(srv_tgt):
>>>+                os.unlink(srv_tgt)
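Review bot: the `os.path.islink(srv_tgt)` guard handles only a symlink at the instance path; a regular unit file there is neither removed nor reported, so the masking the comment says this prepares for still collides with it, which is the conflict the review remark above asks to be handled properly. Suggested shape: test `os.path.exists(srv_tgt)` as well, and rather than deleting whatever is found, fail with a clear error (or at least log the removal) so an administrator-provided unit file is not silently destroyed.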
>>>
>>>
>>>Patch 137:
>>>
>>>1)
>>>
>>>There are some whitespace errors:
>>>
>>>Applying: DNSSEC: add ipapk11helper module
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
>>>trailing whitespace.
>>> *
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
>>>trailing whitespace.
>>> *
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
>>>trailing whitespace.
>>> *
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
>>>trailing whitespace.
>>> *
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
>>>trailing whitespace.
>>> *
>>>warning: squelched 3 whitespace errors
>>>warning: 8 lines add whitespace errors.
>>>
>>>
>>>Patch 138:
>>>
>>>1)
>>>
>>>There is a whitespace error:
>>>
>>>Applying: DNSSEC: DNS key synchronization daemon
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
>>>blank line at EOF.
>>>+
>>>warning: 1 line adds whitespace errors.
>>>
>>>
>>>Patch 140:
>>>
>>>1)
>>>
>>>Unless there is a dnssec_keys ipalib plugins, I don't think there
>>>should be container_dnssec_keys. Use "DN(('cn', 'keys'), ('cn',
>>>'sec'), api.env.container_dns, ...)" instead of
>>>"DN(api.env.container_dnssec_keys, ...)".
>>>
>>>
>>>2)
>>>
>>>The masking method definitions in PlatformService should be moved to
>>>patch 117.
>>>
>>>
>>>3)
>>>
>>>The changes in dnskeysyncinstance.py, odsexportedinstance.py and
>>>opendnssecinstance.py should be moved to patches 138 and 139.
>>>
>>>
>>>Patch 147:
>>>
>>>1)
>>>
>>>There are some whitespace errors:
>>>
>>>Applying: DNSSEC: add ipa dnssec daemons
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
>>>trailing whitespace.
>>>    # synchronize metadata about master keys in LDAP
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
>>>trailing whitespace.
>>>
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
>>>trailing whitespace.
>>>
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
>>>blank line at EOF.
>>>+
>>>/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
>>>blank line at EOF.
>>>+
>>>warning: squelched 1 whitespace error
>>>warning: 6 lines add whitespace errors.
>>>
>>>
>>>Honza
>>>
>>Whitespace fixed; mask and dnssec_container issues move to 4.1.1 please.
>
>mask ACK, container NACK - I don't think we want to introduce a new 
>configuration option and deprecate it right away and it's a change in 
>just 3 lines of code.
>
>>
>>But we have schema conflict:
>>
>>[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
>>file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
>>invalid, error code 20 (Type or value exists) - object class
>>ipaOverrideTarget: The name does not match the OID
>>"2.16.840.1.113730.3.8.12.34". Another object class is already using the
>>name or OID.
>>
>>git grep -n "2.16.840.1.113730.3.8.12.34"
>>install/share/60basev3.ldif:79:objectClasses:
>>(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
>>storage for encoded key material' SUP top AUXILIARY MUST (
>>ipaSecretKeyRef ) X-...
>>
>>install/share/71idviews.ldif:8:objectClasses:
>>(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
>>MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
>>
>>Updated patches attached.
>>"2.16.840.1.113730.3.8.12.35" is not used; I changed it in patch mbasti-0150
>
>NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for 
>ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget, 
>so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for a long time. As
ipaOverrideTarget is already in git, it makes sense to change the DNSSEC
OIDs instead. Yes, we've got to step over each other's toes, but that's
life. I have already released slapi-nis 0.54, which relies on the
ipaOverrideTarget definition.
-- 
/ Alexander Bokovoy
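The schema clash Martin hit (one OID, 2.16.840.1.113730.3.8.12.34, bound to two object class names in two LDIF files) is the kind of thing a pre-commit check can catch before dirsrv refuses to start. The script below is an added example written for this archive page, not FreeIPA code: it unfolds LDIF continuation lines, pulls the OID and NAME out of every objectClasses/attributeTypes definition, and reports any OID bound to more than one name (and, the mirror case, any name bound to more than one OID). The two sample schema fragments are constructed from the lines the thread's git grep output shows; the file names are the ones the thread mentions.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the two definitions quoted in the
# thread. Values are folded across lines the way LDIF folds long values
# (a continuation line starts with a single space).
SAMPLE_FILES = {
    "60basev3.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject'\n"
        "  DESC 'Indirect storage for encoded key material' SUP top AUXILIARY\n"
        "  MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4' )\n"
    ),
    "71idviews.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget'\n"
        "  SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )\n"
    ),
}

# Matches "objectClasses: ( <oid> NAME 'name' ..." and "attributeTypes: ...";
# NAME may also be a list "( 'a' 'b' )", in which case the first name is taken.
DEF_RE = re.compile(
    r"^(objectClasses|attributeTypes):\s*\(\s*([0-9.]+)\s+NAME\s+\(?\s*'([^']+)'",
    re.IGNORECASE,
)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, with that space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_schema_defs(text, source):
    """Return (kind, oid, name, source) for every schema definition in text."""
    defs = []
    for line in unfold_ldif(text):
        m = DEF_RE.match(line)
        if m:
            defs.append((m.group(1).lower(), m.group(2), m.group(3), source))
    return defs


def find_schema_conflicts(files):
    """files maps a file name to its LDIF text.

    Returns (oid_conflicts, name_conflicts):
      oid_conflicts:  OID -> sorted distinct names bound to that OID
      name_conflicts: lower-cased name -> sorted distinct OIDs bound to it
    The first is the 'name does not match the OID' error from the thread;
    the second is the mirror case (one name, two OIDs).
    """
    names_by_oid = defaultdict(set)
    oids_by_name = defaultdict(set)
    for source, text in files.items():
        for _kind, oid, name, _src in parse_schema_defs(text, source):
            names_by_oid[oid].add(name)
            oids_by_name[name.lower()].add(oid)
    oid_conflicts = {o: sorted(n) for o, n in names_by_oid.items() if len(n) > 1}
    name_conflicts = {n: sorted(o) for n, o in oids_by_name.items() if len(o) > 1}
    return oid_conflicts, name_conflicts


if __name__ == "__main__":
    oid_c, name_c = find_schema_conflicts(SAMPLE_FILES)
    for oid, names in oid_c.items():
        print("OID %s is claimed by: %s" % (oid, ", ".join(names)))
    for name, oids in name_c.items():
        print("name %s is bound to OIDs: %s" % (name, ", ".join(oids)))
    if not oid_c and not name_c:
        print("no schema conflicts")
```

Run against a checkout it would be pointed at the LDIF files under install/share; on the sample input it reports the .34 clash, and after either definition is moved to a free OID (the thread mentions .35 being unused) it reports nothing.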



