[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Martin Basti mbasti at redhat.com
Tue Sep 16 07:32:05 UTC 2014


On 15/09/14 20:31, Martin Kosek wrote:
> On 09/15/2014 05:16 PM, Martin Basti wrote:
>> On 15/09/14 17:10, Petr Spacek wrote:
>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>> Patches attached.
>>>>>>>>
>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>
>>>>>>>> There is a bug in bind-dyndb-ldap (or worse, in dirsrv) which
>>>>>>>> causes the named service to be stopped after deleting a zone.
>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>> Functional ACK, it works for me. It can be pushed if Python
>>>>>>> gurus are okay with the code.
>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still
>>>>>> crashes when "." is removed? Wouldn't it break our CI tests?
>>>>>>
>>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released.
>>>>>> Hopefully it would be soon.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>> Currently I'm testing the bind-dyndb-ldap related patch.
>>>>>
>>>> Added patches 120 and 121, which are required by DNS to work
>>>> correctly.
>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS; the
>>>> --name-server option doesn't add an NS record, it only changes the
>>>> SOA MNAME attribute.
>>>>
>>>> Original and new patches attached.
>>>
>>> NACK, unfortunately it doesn't work for me:
>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>> Administrator e-mail address [hostmaster.tri.test.]:
>>> ipa: WARNING: '--name-server' is used only for setting up the SOA 
>>> MNAME record.
>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>> --ns-rec=nameserver'.
>>>   Zone name: tri.test.
>>>   Active zone: TRUE
>>>   Authoritative nameserver: ns.test.
>>>   Administrator e-mail address: hostmaster.tri.test.
>>>   SOA serial: 1410793406
>>>   SOA refresh: 3600
>>>   SOA retry: 900
>>>   SOA expire: 1209600
>>>   SOA minimum: 3600
>>>   BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant 
>>> IPA.EXAMPLE
>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>   Dynamic update: FALSE
>>>   Allow query: any;
>>>   Allow transfer: none;
>>>
>>> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>   idnsname: tri.test.
>>>   idnszoneactive: TRUE
>>>   idnssoamname: ns.test.
>>>   idnssoarname: hostmaster.tri.test.
>>>   idnssoaserial: 1410793408
>>>   idnssoarefresh: 3600
>>>   idnssoaretry: 900
>>>   idnssoaexpire: 1209600
>>>   idnssoaminimum: 3600
>>>   idnsallowquery: any;
>>>   idnsallowtransfer: none;
>>>   idnsAllowDynUpdate: FALSE
>>>   idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>   objectClass: idnszone
>>>   objectClass: top
>>>   objectClass: idnsrecord
>>>
>>> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>
>> NACKing NACK
>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>> you switched the order of zone and record; it should be
>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>
>
> BTW, since we are so nicely breaking the dnszone-add interface, can we 
> also get rid of always asking for "Administrator e-mail address"?
>
> >> # ipa dnszone-add tri.test. --name-server=ns.test.
> >> Administrator e-mail address [hostmaster.tri.test.]:
> ...
>
> Is there any risk in filling that with a default, as with any other
> attribute? IMO it would simplify adding zones by removing one more
> redundant step. CCing Rob in case he knows some historical reasons why
> this is requested every time.
>
> Martin
There is no risk, because ipa-replica-prepare does that with default values.

-- 
Martin Basti
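The `dnszone-show --all --raw` output quoted in the thread shows the trap the patches discuss: `--name-server` sets only the SOA MNAME (`idnssoamname: ns.test.`), while the apex NS set (`nsrecord: vm-035...`) is managed separately, so the two can disagree without any error. The following is an added example, not FreeIPA code or anything from the thread participants: it parses raw `attribute: value` output as printed above, checks that the SOA MNAME is one of the apex NS records, and, given the list of DNS replicas that should be authoritative, reports which are missing from the apex. The sample input is the raw output from the thread, with the wrapped `idnsUpdatePolicy` line joined back together; the function names are this example's own.

```python
# Added example (not FreeIPA code): sanity-check the zone apex from the raw
# output of `ipa dnszone-show ZONE --all --raw`. The SOA MNAME set by
# --name-server should normally also be listed as an apex NS, and every DNS
# replica that serves the zone should appear in the NS set.
from typing import Dict, List, Optional

# Constructed sample: the raw attribute lines quoted in the thread, with the
# wrapped idnsUpdatePolicy line joined into one line.
RAW_OUTPUT = """\
  dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
  idnsname: tri.test.
  idnszoneactive: TRUE
  idnssoamname: ns.test.
  idnssoarname: hostmaster.tri.test.
  idnssoaserial: 1410793408
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  idnsallowquery: any;
  idnsallowtransfer: none;
  idnsAllowDynUpdate: FALSE
  idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
  nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
  objectClass: idnszone
  objectClass: top
  objectClass: idnsrecord
"""


def parse_raw(text: str) -> Dict[str, List[str]]:
    """Turn 'attr: value' lines into a dict of value lists (attributes such as
    objectClass repeat). Names are lower-cased because the raw output mixes
    cases (idnsallowquery vs idnsAllowDynUpdate)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize(name: str) -> str:
    """Compare DNS names case-insensitively and in fully-qualified form."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_apex_ns(attrs: Dict[str, List[str]],
                  expected_ns: Optional[List[str]] = None) -> Dict[str, object]:
    """Report whether the SOA MNAME is among the apex NS records and which of
    the expected name servers (e.g. all DNS replicas) are missing there."""
    mname = normalize(attrs.get("idnssoamname", [""])[0])
    ns = {normalize(n) for n in attrs.get("nsrecord", [])}
    expected = {normalize(n) for n in (expected_ns or [])}
    return {
        "zone": attrs.get("idnsname", [""])[0],
        "mname": mname,
        "ns": sorted(ns),
        "mname_in_ns": mname in ns,
        "missing_ns": sorted(expected - ns),
    }


def check_zone(text: str, expected_ns: Optional[List[str]] = None) -> Dict[str, object]:
    """Convenience wrapper: parse raw output and run the apex check."""
    return check_apex_ns(parse_raw(text), expected_ns)


if __name__ == "__main__":
    # Hypothetical replica list for the constructed sample.
    report = check_zone(RAW_OUTPUT, ["vm-035.idm.lab.eng.brq.redhat.com", "ns.test"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the thread's output the check reports `mname_in_ns: False`, which is exactly the state the NACK above stumbled over: the zone answers with an NS set that does not contain the name `--name-server` put into the SOA. Fixing it is the `dnsrecord-mod tri.test. @ --ns-rec=...` call from the thread, and the `missing_ns` list tells you which replicas still need to be added.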
