[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Martin Basti mbasti at redhat.com
Tue Sep 16 07:57:49 UTC 2014


On 16/09/14 09:32, Martin Basti wrote:
> On 15/09/14 20:31, Martin Kosek wrote:
>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>> Patches attached.
>>>>>>>>>
>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>
>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which
>>>>>>>>> causes the named service to be stopped after deleting a zone.
>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>> Functional ACK, it works for me. It can be pushed if Python 
>>>>>>>> gurus are okay
>>>>>>>> with
>>>>>>>> the code.
>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still
>>>>>>> crashes when "." is removed? Wouldn't it break our CI tests?
>>>>>>>
>>>>>>> Maybe we should wait until fixed bind-dyndb-ldap is released.
>>>>>>> Hopefully it would be soon.
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-devel mailing list
>>>>>>> Freeipa-devel at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>> Currently I'm testing bind-dyndb-ldap related patch.
>>>>>>
>>>>> Added patches 120 and 121, which are required by DNS to work 
>>>>> correctly.
>>>>> Patches 120 and 121 add all DNS replicas to zone apex as NS, 
>>>>> --name-server
>>>>> option doesn't add NS record, only changes the SOA MNAME attribute
>>>>>
>>>>> Original and new patches attached.
>>>>
>>>> NACK, unfortunately it doesn't work for me:
>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA 
>>>> MNAME record.
>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>> --ns-rec=nameserver'.
>>>>   Zone name: tri.test.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: ns.test.
>>>>   Administrator e-mail address: hostmaster.tri.test.
>>>>   SOA serial: 1410793406
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3600
>>>>   BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant 
>>>> IPA.EXAMPLE
>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>   Dynamic update: FALSE
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>>
>>>> [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>   idnsname: tri.test.
>>>>   idnszoneactive: TRUE
>>>>   idnssoamname: ns.test.
>>>>   idnssoarname: hostmaster.tri.test.
>>>>   idnssoaserial: 1410793408
>>>>   idnssoarefresh: 3600
>>>>   idnssoaretry: 900
>>>>   idnssoaexpire: 1209600
>>>>   idnssoaminimum: 3600
>>>>   idnsallowquery: any;
>>>>   idnsallowtransfer: none;
>>>>   idnsAllowDynUpdate: FALSE
>>>>   idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>   objectClass: idnszone
>>>>   objectClass: top
>>>>   objectClass: idnsrecord
>>>>
>>>> [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>
>>> NACKing NACK
>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>> you switched order zone and record, it should be
>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>
>>
>> BTW, since we are so nicely breaking the dnszone-add interface, can 
>> we also get rid of always asking for "Administrator e-mail address"?
>>
>> >> # ipa dnszone-add tri.test. --name-server=ns.test.
>> >> Administrator e-mail address [hostmaster.tri.test.]:
>> ...
>>
>> Is there any risk in filling that with default as any other 
>> attribute? IMO it would simplify adding zones for one more redundant 
>> step. CCing Rob in case he knows some historical reasons why this is 
>> requested every time.
>>
>> Martin
> There is no risk, because ipa-replica-prepare does that with default values
>
However, this will not work with the root zone ".", and I'm not sure how 
often an admin email is used. I think whois is a better utility to get a 
contact email.

Also RIPE-203 [1] recommends using the 'hostmaster' alias.

[1] http://www.ripe.net/ripe/docs/ripe-203

-- 
Martin Basti
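Two things in the exchange above are easy to get wrong when scripting against the IPA DNS plugin: `--name-server` only sets the SOA MNAME, so the apex NS set can silently disagree with it (as in Petr's `dnszone-show --raw` output, where idnssoamname is ns.test. but the only nsrecord is the replica host), and `dnsrecord-mod` takes the zone before the record name `@`. The script below is an added example written for this thread, not FreeIPA project code: it parses `ipa dnszone-show ZONE --all --raw` output, checks that the MNAME appears among the apex NS records, builds the correctly ordered `dnsrecord-mod` command, and derives the default 'hostmaster' RNAME in a way that does not produce "hostmaster.." for the root zone. The sample attribute block is constructed from the output quoted in the thread; the function names are my own.

```python
"""Check a FreeIPA DNS zone apex for SOA MNAME / NS consistency.

Added example for the thread above, not FreeIPA code. Input is the text of
`ipa dnszone-show ZONE --all --raw` (attr: value lines, possibly repeated
for multi-valued attributes such as nsrecord).
"""

# Constructed sample, modelled on the --raw output quoted in the thread:
# MNAME was set with --name-server, but the only apex NS is the replica.
SAMPLE_RAW = """\
  dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
  idnsname: tri.test.
  idnszoneactive: TRUE
  idnssoamname: ns.test.
  idnssoarname: hostmaster.tri.test.
  nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
  objectClass: idnszone
  objectClass: top
  objectClass: idnsrecord
"""


def parse_raw(text):
    """Turn 'attr: value' lines into {attr_lower: [values]}, keeping repeats."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        key, _, value = line.partition(": ")
        attrs.setdefault(key.lower(), []).append(value.strip())
    return attrs


def fqdn(name):
    """Normalise to a lowercase absolute name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def default_rname(zone):
    """Default SOA RNAME for hostmaster@<zone>, encoded as a domain name.

    Naively concatenating 'hostmaster.' with the zone gives 'hostmaster..'
    for the root zone '.', which is not a valid name; special-case it.
    (Hypothetical helper for this example, not IPA's own defaulting logic.)
    """
    zone = fqdn(zone)
    return "hostmaster." if zone == "." else "hostmaster." + zone


def apex_ns_check(raw):
    """Return (mname, ns_set, mname_missing) for a dnszone-show --raw dump.

    mname_missing is True when the SOA MNAME is not one of the apex NS
    records, i.e. the situation --name-server alone leaves you in.
    """
    attrs = parse_raw(raw)
    mname = fqdn(attrs["idnssoamname"][0])
    ns_set = {fqdn(v) for v in attrs.get("nsrecord", [])}
    return mname, ns_set, mname not in ns_set


def fix_command(zone, mname):
    """dnsrecord-mod argv with the zone BEFORE the record name '@'.

    Putting '@' first (as in the NACKed attempt) makes the CLI look for a
    zone called '@' and fail with 'DNS resource record not found'.
    """
    return ["ipa", "dnsrecord-mod", fqdn(zone), "@", "--ns-rec=" + fqdn(mname)]


if __name__ == "__main__":
    mname, ns_set, missing = apex_ns_check(SAMPLE_RAW)
    print("SOA MNAME:", mname)
    print("apex NS  :", sorted(ns_set))
    if missing:
        print("MNAME is not an apex NS; run:", " ".join(fix_command("tri.test.", mname)))
    print("default RNAME for root zone:", default_rname("."))
```

On the sample this reports that ns.test. is not an apex NS and prints `ipa dnsrecord-mod tri.test. @ --ns-rec=ns.test.`, the argument order Martin corrects in the thread. Note that `dnsrecord-mod` replaces the attribute's value set, so run it with every NS you want at the apex (or use `dnsrecord-add` to append one) rather than dropping the replicas that patches 120/121 put there.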
