[Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support

Simo Sorce ssorce at redhat.com
Tue Oct 21 13:15:42 UTC 2014


On Tue, 21 Oct 2014 10:50:37 +0300
Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Tue, 21 Oct 2014, Martin Kosek wrote:
> >On 10/21/2014 08:50 AM, Jan Cholasta wrote:
> >> Dne 21.10.2014 v 08:45 Alexander Bokovoy napsal(a):
> >>> On Tue, 21 Oct 2014, Jan Cholasta wrote:
> >>>> Dne 20.10.2014 v 23:40 Martin Basti napsal(a):
> >>>>> On 20/10/14 18:28, Jan Cholasta wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> Dne 20.10.2014 v 17:37 Petr Spacek napsal(a):
> >>>>>>> On 20.10.2014 17:21, Martin Basti wrote:
> >>>>>>>> Hello! Hold your hats, DNSSEC patches are here.
> >>>>>>>>
> >>>>>>>> Martin^2, Petr^2
> >>>>>>>
> >>>>>>> For testing you will need following package:
> >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
> >>>>>>>
> >>>>>>> From me, functional self-ACK :-)
> >>>>>>>
> >>>>>>
> >>>>>> Patch 117:
> >>>>>>
> >>>>>> 1)
> >>>>>>
> >>>>>> As we discussed off-line, this code is wrong and a ticket
> >>>>>> should be opened to fix it to properly handle service files
> >>>>>> conflicting with the mask command:
> >>>>>>
> >>>>>> +        if instance_name != "":
> >>>>>> +            srv_tgt =
> >>>>>> os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, instance_name)
> >>>>>> +            # remove instance file or link before masking
> >>>>>> +            if os.path.islink(srv_tgt):
> >>>>>> +                os.unlink(srv_tgt)
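Review bot: the comment on the hunk says "remove instance file or link before masking", but the guard is only os.path.islink(srv_tgt), so a regular unit file sitting at srv_tgt is left in place and the subsequent mask will collide with it, which is exactly the conflict raised above. Either handle the regular-file case too (and decide explicitly whether deleting a real unit file is acceptable there) or narrow the comment to "remove instance link before masking" so the code and the comment agree; the unlink would also benefit from reporting an OSError instead of letting a failed removal surface later as a failed mask.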
> >>>>>>
> >>>>>>
> >>>>>> Patch 137:
> >>>>>>
> >>>>>> 1)
> >>>>>>
> >>>>>> There are some whitespace errors:
> >>>>>>
> >>>>>> Applying: DNSSEC: add ipapk11helper module
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
> >>>>>> trailing whitespace.
> >>>>>> *
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
> >>>>>> trailing whitespace.
> >>>>>> *
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
> >>>>>> trailing whitespace.
> >>>>>> *
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
> >>>>>> trailing whitespace.
> >>>>>> *
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
> >>>>>> trailing whitespace.
> >>>>>> *
> >>>>>> warning: squelched 3 whitespace errors
> >>>>>> warning: 8 lines add whitespace errors.
> >>>>>>
> >>>>>>
> >>>>>> Patch 138:
> >>>>>>
> >>>>>> 1)
> >>>>>>
> >>>>>> There is a whitespace error:
> >>>>>>
> >>>>>> Applying: DNSSEC: DNS key synchronization daemon
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54:
> >>>>>> new blank line at EOF.
> >>>>>> +
> >>>>>> warning: 1 line adds whitespace errors.
> >>>>>>
> >>>>>>
> >>>>>> Patch 140:
> >>>>>>
> >>>>>> 1)
> >>>>>>
> >>>>>> Unless there is a dnssec_keys ipalib plugins, I don't think
> >>>>>> there should be container_dnssec_keys. Use "DN(('cn', 'keys'),
> >>>>>> ('cn', 'sec'), api.env.container_dns, ...)" instead of
> >>>>>> "DN(api.env.container_dnssec_keys, ...)".
> >>>>>>
> >>>>>>
> >>>>>> 2)
> >>>>>>
> >>>>>> The masking method definitions in PlatformService should be
> >>>>>> moved to patch 117.
> >>>>>>
> >>>>>>
> >>>>>> 3)
> >>>>>>
> >>>>>> The changes in dnskeysyncinstance.py, odsexportedinstance.py
> >>>>>> and opendnssecinstance.py should be moved to patches 138 and
> >>>>>> 139.
> >>>>>>
> >>>>>>
> >>>>>> Patch 147:
> >>>>>>
> >>>>>> 1)
> >>>>>>
> >>>>>> There are some whitespace errors:
> >>>>>>
> >>>>>> Applying: DNSSEC: add ipa dnssec daemons
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
> >>>>>> trailing whitespace.
> >>>>>>    # synchronize metadata about master keys in LDAP
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
> >>>>>> trailing whitespace.
> >>>>>>
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
> >>>>>> trailing whitespace.
> >>>>>>
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873:
> >>>>>> new blank line at EOF.
> >>>>>> +
> >>>>>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126:
> >>>>>> new blank line at EOF.
> >>>>>> +
> >>>>>> warning: squelched 1 whitespace error
> >>>>>> warning: 6 lines add whitespace errors.
> >>>>>>
> >>>>>>
> >>>>>> Honza
> >>>>>>
> >>>>> Whitespaces fixed,
> >>>>>  mask, and dnssec_container issues move to 4.1.1 please.
> >>>>
> >>>> mask ACK, container NACK - I don't think we want to introduce a
> >>>> new configuration option and deprecate it right away and it's a
> >>>> change in just 3 lines of code.
> >>>>
> >>>>>
> >>>>> But we have schema conflict:
> >>>>>
> >>>>> [20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry
> >>>>> cn=schema in
> >>>>> file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif
> >>>>> (lineno: 1) is invalid, error code 20 (Type or value exists) -
> >>>>> object class ipaOverrideTarget: The name does not match the OID
> >>>>> "2.16.840.1.113730.3.8.12.34". Another object class is already
> >>>>> using the name or OID.
> >>>>>
> >>>>> git grep -n "2.16.840.1.113730.3.8.12.34"
> >>>>> install/share/60basev3.ldif:79:objectClasses:
> >>>>> (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC
> >>>>> 'Indirect storage for encoded key material' SUP top AUXILIARY
> >>>>> MUST ( ipaSecretKeyRef ) X-...
> >>>>>
> >>>>> install/share/71idviews.ldif:8:objectClasses:
> >>>>> (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top
> >>>>> STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
> >>>>>
> >>>>> Updated patches attached.
> >>>>> "2.16.840.1.113730.3.8.12.35" is not used, I change it in patch
> >>>>> mbasti-0150
> >>>>
> >>>> NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
> >>>> ipaSecretKeyRefObject, there is no reserved OID for
> >>>> ipaOverrideTarget, so it's ipaOverrideTarget which should be
> >>>> fixed.
> >>> We were meaning to reserve .34 for ipaOverrideTarget for a long
> >>> time. As ipaOverrideTarget is already in git, it makes sense to
> >>> change dnssec OIDs instead. Yes, we've got to step over each
> >>> other's toes but that's life. I already have slapi-nis 0.54
> >>> released which relies on the ipaOverrideTarget definition.
> >>
> >> That's unreleased code and it surely does not rely on its OID,
> >> does it?
> >>
> >> It's *your* mess and *you* should clean it up. That's life.
> >
> >If the code was released, I would give +1 for Alexander as we really
> >cannot change *released* OIDs.
> >
> >But this is not the case so I think that fixing the OID that was not
> >properly registered is a good practice.
> I did push a one-liner to master and ipa-4-1 that changes OID to .35.
> 
> You will need to do full reinstall if you had ipa-4-1 or git master
> installed with the previous change.

If it is a test server, just stop DS and manually edit the schema file to
correct the OID :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
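The schema conflict discussed in this thread (389-ds refusing cn=schema because two object classes claim OID 2.16.840.1.113730.3.8.12.34) is the kind of clash that can be caught before an install by scanning the LDIF schema files for OIDs reused under different names and names reused under different OIDs. The checker below is an added example, not FreeIPA's own code; the two file contents are constructed to mirror the definitions quoted above (the X-ORIGIN values and line layout are assumed).

```python
import re
from collections import defaultdict

# Start of an objectClasses/attributeTypes definition: "( <OID> NAME 'x'" or "( <OID> NAME ( 'x' 'y' )"
_DEF_RE = re.compile(
    r"^(?P<kind>objectClasses|attributeTypes):\s*\(\s*(?P<oid>[0-9.]+)\s+NAME\s+"
    r"(?:'(?P<name>[^']+)'|\(\s*(?P<names>(?:'[^']+'\s*)+)\))")

def unfold_ldif(text):
    """Return [(lineno, logical line)]; a line starting with a space continues the previous one."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            out[-1] = (out[-1][0], out[-1][1] + raw[1:])
        else:
            out.append((lineno, raw))
    return out

def find_schema_conflicts(files):
    """files: {filename: ldif text}. Returns sorted conflict messages (names compared case-insensitively)."""
    by_oid, by_name = defaultdict(set), defaultdict(set)
    for fname, text in files.items():
        for lineno, line in unfold_ldif(text):
            m = _DEF_RE.match(line)
            if not m:
                continue
            names = [m.group("name")] if m.group("name") else re.findall(r"'([^']+)'", m.group("names"))
            where = "%s:%d" % (fname, lineno)
            by_oid[(m.group("kind"), m.group("oid"))].add((names[0], where))
            for n in names:
                by_name[(m.group("kind"), n.lower())].add((m.group("oid"), where))
    conflicts = []
    for (kind, oid), uses in by_oid.items():
        if len({n for n, _ in uses}) > 1:  # one OID, several distinct names
            conflicts.append("%s OID %s used by %s" % (kind, oid, ", ".join(sorted("%s (%s)" % u for u in uses))))
    for (kind, name), uses in by_name.items():
        if len({o for o, _ in uses}) > 1:  # one name, several distinct OIDs
            conflicts.append("%s name %s defined as %s" % (kind, name, ", ".join(sorted("%s (%s)" % u for u in uses))))
    return sorted(conflicts)

# Constructed sample mirroring the two definitions quoted in the thread (X-ORIGIN values assumed)
SAMPLE_SCHEMA = {
    "60basev3.ldif": "dn: cn=schema\nobjectClasses: (2.16.840.1.113730.3.8.12.34 NAME\n"
        "  'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material'\n"
        "  SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4' )\n",
    "71idviews.ldif": "dn: cn=schema\nobjectClasses: (2.16.840.1.113730.3.8.12.34 NAME\n"
        "  'ipaOverrideTarget' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )\n",
}
```

Running find_schema_conflicts(SAMPLE_SCHEMA) reports the .34 clash between ipaOverrideTarget and ipaSecretKeyRefObject; after the one-liner that moves ipaOverrideTarget to .35 it returns an empty list.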
