[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
Martin Kosek
mkosek at redhat.com
Tue Sep 16 08:09:07 UTC 2014
On 09/16/2014 09:57 AM, Martin Basti wrote:
> On 16/09/14 09:32, Martin Basti wrote:
>> On 15/09/14 20:31, Martin Kosek wrote:
>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>> Patches attached.
>>>>>>>>>>
>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>
>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the
>>>>>>>>>> named
>>>>>>>>>> service is stopped after deleting zone.
>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are
>>>>>>>>> okay
>>>>>>>>> with
>>>>>>>>> the code.
>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still crash
>>>>>>>> when
>>>>>>>> "."
>>>>>>>> is removed? Wouldn't it break our CI tests?
>>>>>>>>
>>>>>>>> Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it
>>>>>>>> would be soon.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-devel mailing list
>>>>>>>> Freeipa-devel at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>> It will broke tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>>> Currently I'm testing bind-dyndb-ldap related patch.
>>>>>>>
>>>>>> Added patches 120 and 121, which are required by DNS to work correctly.
>>>>>> Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server
>>>>>> option doesn't add NS record, only changes the SOA MNAME attribute
>>>>>>
>>>>>> Original and new patches attached.
>>>>>
>>>>> NACK, unfortunately it doesn't work for me:
>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>> record.
>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>> --ns-rec=nameserver'.
>>>>> Zone name: tri.test.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: ns.test.
>>>>> Administrator e-mail address: hostmaster.tri.test.
>>>>> SOA serial: 1410793406
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3600
>>>>> BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>> Dynamic update: FALSE
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>>
>>>>> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>> dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>> idnsname: tri.test.
>>>>> idnszoneactive: TRUE
>>>>> idnssoamname: ns.test.
>>>>> idnssoarname: hostmaster.tri.test.
>>>>> idnssoaserial: 1410793408
>>>>> idnssoarefresh: 3600
>>>>> idnssoaretry: 900
>>>>> idnssoaexpire: 1209600
>>>>> idnssoaminimum: 3600
>>>>> idnsallowquery: any;
>>>>> idnsallowtransfer: none;
>>>>> idnsAllowDynUpdate: FALSE
>>>>> idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>> nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>> objectClass: idnszone
>>>>> objectClass: top
>>>>> objectClass: idnsrecord
>>>>>
>>>>> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>
>>>> NACKing NACK
>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>> you switched order zone and record, it should be
>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>
>>>
>>> BTW, since we are so nicely breaking the dnszone-add interface, can we also
>>> get rid of always asking for "Administrator e-mail address"?
>>>
>>> >> # ipa dnszone-add tri.test. --name-server=ns.test.
>>> >> Administrator e-mail address [hostmaster.tri.test.]:
>>> ...
>>>
>>> Is there any risk in filling that with default as any other attribute? IMO
>>> it would simplify adding zones for one more redundant step. CCing Rob in
>>> case he knows some historical reasons why this is requested every time.
>>>
>>> Martin
>> There is no risk, because ipa-replica-prepare do that with default values
Then let us do this, as we are already simplifying the dnszone-add command.
> However, this will not work with root zone ".", and I'm not sure how often an
> admin email is used. I think whois is better utility to get contact email.
>
> Also RIPE-203 [1] recommends to use 'hostmaster' alias.
>
> [1] http://www.ripe.net/ripe/docs/ripe-203
DNS zone "." is quite an exception, you are not adding that zone every day. So
I would not keep asking for admin mail just for this one. You can add a
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.
As for the mail alias, this can be an RFE.
Martin
More information about the Freeipa-devel
mailing list