[Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support

Martin Kosek mkosek at redhat.com
Tue Oct 21 07:27:29 UTC 2014


On 10/21/2014 08:50 AM, Jan Cholasta wrote:
> On 21.10.2014 at 08:45, Alexander Bokovoy wrote:
>> On Tue, 21 Oct 2014, Jan Cholasta wrote:
>>> On 20.10.2014 at 23:40, Martin Basti wrote:
>>>> On 20/10/14 18:28, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 20.10.2014 at 17:37, Petr Spacek wrote:
>>>>>> On 20.10.2014 17:21, Martin Basti wrote:
>>>>>>> Hello! Hold your hats, DNSSEC patches are here.
>>>>>>>
>>>>>>> Martin^2, Petr^2
>>>>>>
>>>>>> For testing you will need following package:
>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
>>>>>>
>>>>>> From me, functional self-ACK :-)
>>>>>>
>>>>>
>>>>> Patch 117:
>>>>>
>>>>> 1)
>>>>>
>>>>> As we discussed off-line, this code is wrong and a ticket should be
>>>>> opened to fix it to properly handle service files conflicting with the
>>>>> mask command:
>>>>>
>>>>> +        if instance_name != "":
>>>>> +            srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
>>>>> instance_name)
>>>>> +            # remove instance file or link before masking
>>>>> +            if os.path.islink(srv_tgt):
>>>>> +                os.unlink(srv_tgt)
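Review bot: the comment says "remove instance file or link before masking", but the `os.path.islink` guard only removes a symlink, so a regular unit file at `srv_tgt` is left in place; that is exactly the conflicting-service-file case the review asks to be handled. Consider `if os.path.lexists(srv_tgt): os.unlink(srv_tgt)` (or an explicit regular-file branch) and record the remaining cases in the ticket mentioned above so the mask step cannot silently leave a real unit file behind.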
>>>>>
>>>>>
>>>>> Patch 137:
>>>>>
>>>>> 1)
>>>>>
>>>>> There are some whitespace errors:
>>>>>
>>>>> Applying: DNSSEC: add ipapk11helper module
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
>>>>> trailing whitespace.
>>>>> *
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
>>>>> trailing whitespace.
>>>>> *
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
>>>>> trailing whitespace.
>>>>> *
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
>>>>> trailing whitespace.
>>>>> *
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
>>>>> trailing whitespace.
>>>>> *
>>>>> warning: squelched 3 whitespace errors
>>>>> warning: 8 lines add whitespace errors.
>>>>>
>>>>>
>>>>> Patch 138:
>>>>>
>>>>> 1)
>>>>>
>>>>> There is a whitespace error:
>>>>>
>>>>> Applying: DNSSEC: DNS key synchronization daemon
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
>>>>> blank line at EOF.
>>>>> +
>>>>> warning: 1 line adds whitespace errors.
>>>>>
>>>>>
>>>>> Patch 140:
>>>>>
>>>>> 1)
>>>>>
>>>>> Unless there is a dnssec_keys ipalib plugins, I don't think there
>>>>> should be container_dnssec_keys. Use "DN(('cn', 'keys'), ('cn',
>>>>> 'sec'), api.env.container_dns, ...)" instead of
>>>>> "DN(api.env.container_dnssec_keys, ...)".
>>>>>
>>>>>
>>>>> 2)
>>>>>
>>>>> The masking method definitions in PlatformService should be moved to
>>>>> patch 117.
>>>>>
>>>>>
>>>>> 3)
>>>>>
>>>>> The changes in dnskeysyncinstance.py, odsexportedinstance.py and
>>>>> opendnssecinstance.py should be moved to patches 138 and 139.
>>>>>
>>>>>
>>>>> Patch 147:
>>>>>
>>>>> 1)
>>>>>
>>>>> There are some whitespace errors:
>>>>>
>>>>> Applying: DNSSEC: add ipa dnssec daemons
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
>>>>> trailing whitespace.
>>>>>    # synchronize metadata about master keys in LDAP
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
>>>>> trailing whitespace.
>>>>>
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
>>>>> trailing whitespace.
>>>>>
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
>>>>> blank line at EOF.
>>>>> +
>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
>>>>> blank line at EOF.
>>>>> +
>>>>> warning: squelched 1 whitespace error
>>>>> warning: 6 lines add whitespace errors.
>>>>>
>>>>>
>>>>> Honza
>>>>>
>>>> Whitespace fixed;
>>>> mask and dnssec_container issues: move to 4.1.1, please.
>>>
>>> mask ACK, container NACK - I don't think we want to introduce a new
>>> configuration option and deprecate it right away and it's a change in
>>> just 3 lines of code.
>>>
>>>>
>>>> But we have schema conflict:
>>>>
>>>> [20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
>>>> file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
>>>> invalid, error code 20 (Type or value exists) - object class
>>>> ipaOverrideTarget: The name does not match the OID
>>>> "2.16.840.1.113730.3.8.12.34". Another object class is already using the
>>>> name or OID.
>>>>
>>>> git grep -n "2.16.840.1.113730.3.8.12.34"
>>>> install/share/60basev3.ldif:79:objectClasses:
>>>> (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
>>>> storage for encoded key material' SUP top AUXILIARY MUST (
>>>> ipaSecretKeyRef ) X-...
>>>>
>>>> install/share/71idviews.ldif:8:objectClasses:
>>>> (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
>>>> MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
>>>>
>>>> Updated patches attached.
>>>> "2.16.840.1.113730.3.8.12.35" is not used; I changed it in patch
>>>> mbasti-0150
>>>
>>> NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
>>> ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
>>> so it's ipaOverrideTarget which should be fixed.
>> We were meaning to reserve .34 for ipaOverrideTarget for a long time. As
>> ipaOverrideTarget is already in git, it makes sense to change the dnssec
>> OIDs instead. Yes, we've got to step on each other's toes, but that's
>> life. I already have slapi-nis 0.54 released, which relies on the
>> ipaOverrideTarget definition.
> 
> That's unreleased code and it surely does not rely on its OID, does it?
> 
> It's *your* mess and *you* should clean it up. That's life.

If the code was released, I would give +1 to Alexander, as we really cannot
change *released* OIDs.

But this is not the case, so I think that fixing the OID that was not properly
registered is good practice.

Martin