[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Martin Basti mbasti at redhat.com
Mon Sep 15 15:16:21 UTC 2014


On 15/09/14 17:10, Petr Spacek wrote:
> On 12.9.2014 15:19, Martin Basti wrote:
>> On 03/09/14 12:45, Martin Basti wrote:
>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>> Patches attached.
>>>>>>
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>
>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the
>>>>>> named service to stop after deleting a zone.
>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are okay
>>>>> with the code.
>>>> Is it safe to commit the change given that bind-dyndb-ldap still crashes
>>>> when "." is removed? Wouldn't it break our CI tests?
>>>>
>>>> Maybe we should wait until fixed bind-dyndb-ldap is released. Hopefully it
>>>> would be soon.
>>>>
>>>> Martin
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>> Currently I'm testing a bind-dyndb-ldap related patch.
>>>
>> Added patches 120 and 121, which are required by DNS to work correctly.
>> Patches 120 and 121 add all DNS replicas to the zone apex as NS; the
>> --name-server option doesn't add an NS record, it only changes the SOA MNAME
>> attribute.
>>
>> Original and new patches attached.
>
> NACK, unfortunately it doesn't work for me:
> # ipa dnszone-add tri.test. --name-server=ns.test.
> Administrator e-mail address [hostmaster.tri.test.]:
> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record.
> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'.
>   Zone name: tri.test.
>   Active zone: TRUE
>   Authoritative nameserver: ns.test.
>   Administrator e-mail address: hostmaster.tri.test.
>   SOA serial: 1410793406
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>   Dynamic update: FALSE
>   Allow query: any;
>   Allow transfer: none;
>
> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>   idnsname: tri.test.
>   idnszoneactive: TRUE
>   idnssoamname: ns.test.
>   idnssoarname: hostmaster.tri.test.
>   idnssoaserial: 1410793408
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnsAllowDynUpdate: FALSE
>   idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>   objectClass: idnszone
>   objectClass: top
>   objectClass: idnsrecord
>
> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
> ipa: ERROR: tri.test.: DNS resource record not found
>
NACKing NACK:
ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
You switched the order of zone and record; it should be
ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).

-- 
Martin Basti
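The mismatch Petr hit above (SOA MNAME set to ns.test. by --name-server while the apex nsrecord still names the replica itself) is easy to catch from the raw zone dump. The following is an added example, not code from FreeIPA or from anyone in this thread: it parses the `attr: value` lines that `ipa dnszone-show ZONE --all --raw` prints, checks that the idnssoamname host is among the apex NS records, and, when it is not, builds the `dnsrecord-mod ZONE @ --ns-rec=...` call in the argument order Martin points out. The sample input is a constructed copy of the dump quoted in the thread; `parse_raw_zone`, `check_apex_ns` and `fix_command` are names chosen here.

```python
"""Consistency check: is a FreeIPA zone's SOA MNAME also an apex NS record?

Added example (not FreeIPA code). Parses the text that
`ipa dnszone-show ZONE --all --raw` prints and reports zones whose
SOA MNAME host is missing from the nsrecord set at the zone apex.
"""

# Constructed sample, copied from the raw dump quoted in the thread:
# --name-server set idnssoamname to ns.test., but the only apex NS record
# still points at the replica's own hostname.
SAMPLE_RAW = """\
  dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
  idnsname: tri.test.
  idnszoneactive: TRUE
  idnssoamname: ns.test.
  idnssoarname: hostmaster.tri.test.
  idnssoaserial: 1410793408
  idnsallowquery: any;
  idnsAllowDynUpdate: FALSE
  nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
  objectClass: idnszone
  objectClass: top
  objectClass: idnsrecord
"""


def parse_raw_zone(text):
    """Parse 'attr: value' lines into {attr_lowercase: [values...]}.

    Multi-valued attributes (nsrecord, objectClass) appear once per value
    in --raw output, so every attribute maps to a list.
    """
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ':' not in line:
            continue
        key, _, value = line.partition(':')
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def normalize(name):
    """Canonicalise a DNS name: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip('.') + '.'


def check_apex_ns(attrs):
    """Return (ok, soa_mname, ns_set).

    ok is True only when the SOA MNAME host is one of the apex NS records;
    a False result is the state Petr's dnszone-show output shows.
    """
    mname = normalize(attrs.get('idnssoamname', [''])[0])
    ns_set = {normalize(n) for n in attrs.get('nsrecord', [])}
    return mname in ns_set, mname, ns_set


def fix_command(zone, ns_host):
    """Build the dnsrecord-mod argv in the correct order: zone first, then '@'.

    This is the command the ipa warning in the thread recommends; the
    argument order is the one Martin corrects in his reply.
    """
    return ['ipa', 'dnsrecord-mod', normalize(zone), '@',
            '--ns-rec=' + normalize(ns_host)]


if __name__ == '__main__':
    attrs = parse_raw_zone(SAMPLE_RAW)
    ok, mname, ns_set = check_apex_ns(attrs)
    zone = attrs['idnsname'][0]
    print(f"{zone}: SOA MNAME {mname} listed in apex NS {sorted(ns_set)}: {ok}")
    if not ok:
        print("suggested fix:", ' '.join(fix_command(zone, mname)))
```

Run it against real output by piping `ipa dnszone-show ZONE --all --raw` into `parse_raw_zone`; on the sample it reports `ok == False` and prints `ipa dnsrecord-mod tri.test. @ --ns-rec=ns.test.`. Note that dnsrecord-mod replaces the apex NS set, so add the replica hostnames you still want served alongside the new name server.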
