[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Martin Kosek mkosek at redhat.com
Mon Sep 15 18:31:03 UTC 2014


On 09/15/2014 05:16 PM, Martin Basti wrote:
> On 15/09/14 17:10, Petr Spacek wrote:
>> On 12.9.2014 15:19, Martin Basti wrote:
>>> On 03/09/14 12:45, Martin Basti wrote:
>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>> Patches attached.
>>>>>>>
>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>
>>>>>>> There is a bug in bind-dyndb-ldap (or worse, in dirsrv) which causes the named
>>>>>>> service to stop after deleting a zone.
>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are okay
>>>>>> with the code.
>>>>> Is it safe to commit the change given that bind-dyndb-ldap still crashes when
>>>>> "." is removed? Wouldn't it break our CI tests?
>>>>>
>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released. Hopefully it
>>>>> would be soon.
>>>>>
>>>>> Martin
>>>>>
>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>> Currently I'm testing the bind-dyndb-ldap related patch.
>>>>
>>> Added patches 120 and 121, which are required by DNS to work correctly.
>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS records; the
>>> --name-server option doesn't add an NS record, it only changes the SOA MNAME attribute.
>>>
>>> Original and new patches attached.
>>
>> NACK, unfortunately it doesn't work for me:
>> # ipa dnszone-add tri.test. --name-server=ns.test.
>> Administrator e-mail address [hostmaster.tri.test.]:
>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record.
>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>> --ns-rec=nameserver'.
>>   Zone name: tri.test.
>>   Active zone: TRUE
>>   Authoritative nameserver: ns.test.
>>   Administrator e-mail address: hostmaster.tri.test.
>>   SOA serial: 1410793406
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>   Dynamic update: FALSE
>>   Allow query: any;
>>   Allow transfer: none;
>>
>> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>   idnsname: tri.test.
>>   idnszoneactive: TRUE
>>   idnssoamname: ns.test.
>>   idnssoarname: hostmaster.tri.test.
>>   idnssoaserial: 1410793408
>>   idnssoarefresh: 3600
>>   idnssoaretry: 900
>>   idnssoaexpire: 1209600
>>   idnssoaminimum: 3600
>>   idnsallowquery: any;
>>   idnsallowtransfer: none;
>>   idnsAllowDynUpdate: FALSE
>>   idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>   objectClass: idnszone
>>   objectClass: top
>>   objectClass: idnsrecord
>>
>> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>> ipa: ERROR: tri.test.: DNS resource record not found
>>
> NACKing NACK
> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
> you switched the order of zone and record, it should be
> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>

BTW, since we are so nicely breaking the dnszone-add interface, can we also get 
rid of always asking for "Administrator e-mail address"?

>> # ipa dnszone-add tri.test. --name-server=ns.test.
>> Administrator e-mail address [hostmaster.tri.test.]:
...

Is there any risk in filling that with a default, as with any other attribute? IMO it 
would simplify adding zones by removing one redundant step. CCing Rob in case he 
knows some historical reasons why this is requested every time.

Martin
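Added example, not code from the FreeIPA patches or from anyone in the thread: a small consistency check for the situation Petr ran into above, where `--name-server` sets only the SOA MNAME and the apex NS records stay unchanged. It parses the `attr: value` format of `ipa dnszone-show ZONE --all --raw` (sample constructed from the output pasted in the thread) and reports whether the MNAME is among the apex NS records.

```python
# Added example: verify that a zone's SOA MNAME is also one of its apex NS
# records, using the raw `attr: value` output of `ipa dnszone-show --all --raw`.

# Constructed sample, trimmed from the raw output quoted in the thread:
# MNAME is ns.test. but the only apex NS is the IPA server itself.
SAMPLE_RAW = """\
  dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
  idnsname: tri.test.
  idnszoneactive: TRUE
  idnssoamname: ns.test.
  idnssoarname: hostmaster.tri.test.
  nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
  objectClass: idnszone
  objectClass: idnsrecord
"""

# Constructed: the same zone once ns.test. is also present as an apex NS record.
FIXED_RAW = SAMPLE_RAW + "  nsrecord: ns.test.\n"


def parse_raw(text):
    """Parse `attr: value` lines into {lowercased attr: [values]}; attrs may repeat."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key.lower(), []).append(value.strip())
    return attrs


def canon(name):
    """Canonical owner name: lowercase with exactly one trailing dot ('.' stays '.')."""
    return name.strip().lower().rstrip(".") + "."


def check_apex_ns(raw_text):
    """Return (mname, sorted apex NS names, True if MNAME is one of the apex NS)."""
    attrs = parse_raw(raw_text)
    mname = canon(attrs["idnssoamname"][0])
    apex_ns = sorted(canon(n) for n in attrs.get("nsrecord", []))
    return mname, apex_ns, mname in apex_ns


if __name__ == "__main__":
    for label, raw in (("after dnszone-add", SAMPLE_RAW), ("after adding NS", FIXED_RAW)):
        mname, ns, ok = check_apex_ns(raw)
        print(f"{label}: MNAME {mname} {'is' if ok else 'is NOT'} an apex NS of {ns}")
```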