[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Martin Kosek mkosek at redhat.com
Tue Sep 16 08:09:07 UTC 2014


On 09/16/2014 09:57 AM, Martin Basti wrote:
> On 16/09/14 09:32, Martin Basti wrote:
>> On 15/09/14 20:31, Martin Kosek wrote:
>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>> Patches attached.
>>>>>>>>>>
>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>
>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the
>>>>>>>>>> named service to be stopped after deleting a zone.
>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are
>>>>>>>>> okay with the code.
>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still crashes
>>>>>>>> when "." is removed? Wouldn't it break our CI tests?
>>>>>>>>
>>>>>>>> Maybe we should wait until fixed bind-dyndb-ldap is released. Hopefully it
>>>>>>>> would be soon.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>>> Currently I'm testing bind-dyndb-ldap related patch.
>>>>>>>
>>>>>> Added patches 120 and 121, which are required by DNS to work correctly.
>>>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS records; the
>>>>>> --name-server option doesn't add an NS record, it only changes the SOA MNAME attribute.
>>>>>>
>>>>>> Original and new patches attached.
>>>>>
>>>>> NACK, unfortunately it doesn't work for me:
>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>> record.
>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>> --ns-rec=nameserver'.
>>>>>   Zone name: tri.test.
>>>>>   Active zone: TRUE
>>>>>   Authoritative nameserver: ns.test.
>>>>>   Administrator e-mail address: hostmaster.tri.test.
>>>>>   SOA serial: 1410793406
>>>>>   SOA refresh: 3600
>>>>>   SOA retry: 900
>>>>>   SOA expire: 1209600
>>>>>   SOA minimum: 3600
>>>>>   BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>   Dynamic update: FALSE
>>>>>   Allow query: any;
>>>>>   Allow transfer: none;
>>>>>
>>>>> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>>   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>>   idnsname: tri.test.
>>>>>   idnszoneactive: TRUE
>>>>>   idnssoamname: ns.test.
>>>>>   idnssoarname: hostmaster.tri.test.
>>>>>   idnssoaserial: 1410793408
>>>>>   idnssoarefresh: 3600
>>>>>   idnssoaretry: 900
>>>>>   idnssoaexpire: 1209600
>>>>>   idnssoaminimum: 3600
>>>>>   idnsallowquery: any;
>>>>>   idnsallowtransfer: none;
>>>>>   idnsAllowDynUpdate: FALSE
>>>>>   idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>>   objectClass: idnszone
>>>>>   objectClass: top
>>>>>   objectClass: idnsrecord
>>>>>
>>>>> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>
>>>> NACKing NACK
>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>> you switched the order of zone and record, it should be
>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>
>>>
>>> BTW, since we are so nicely breaking the dnszone-add interface, can we also
>>> get rid of always asking for "Administrator e-mail address"?
>>>
>>> >> # ipa dnszone-add tri.test. --name-server=ns.test.
>>> >> Administrator e-mail address [hostmaster.tri.test.]:
>>> ...
>>>
>>> Is there any risk in filling that with default as any other attribute? IMO
>>> it would simplify adding zones for one more redundant step. CCing Rob in
>>> case he knows some historical reasons why this is requested every time.
>>>
>>> Martin
>> There is no risk, because ipa-replica-prepare does that with default values

Then let us do this, as we are already simplifying the dnszone-add command.

> However, this will not work with root zone ".", and I'm not sure how often an
> admin email is used. I think whois is a better utility to get a contact email.
> 
> Also RIPE-203 [1] recommends to use 'hostmaster' alias.
> 
> [1] http://www.ripe.net/ripe/docs/ripe-203

DNS zone "." is quite an exception, you are not adding that zone every day. So
I would not keep asking for admin mail just for this one. You can add an
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.

As for the mail alias, this can be an RFE.

Martin
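As an added illustration (not code from this thread or from FreeIPA itself), a small Python model of the default-or-prompt logic discussed above: `hostmaster.<zone>` as the non-interactive SOA RNAME default, a prompt callback only for the root zone `.` where that default cannot work, and the RFC 1035 mailbox-to-RNAME encoding for an address the administrator supplies. The function and parameter names are my own.

```python
"""Illustrative model of SOA RNAME defaulting for a dnszone-add style command.
Not FreeIPA's implementation; names are chosen for this example."""
from typing import Callable, Optional

ROOT_ZONE = "."


def normalize_zone(zone: str) -> str:
    """Return the zone as an absolute, lower-case name with a trailing dot."""
    zone = zone.strip().lower()
    if zone in ("", "."):
        return ROOT_ZONE
    return zone if zone.endswith(".") else zone + "."


def email_to_rname(email: str) -> str:
    """Encode a mailbox as an SOA RNAME (RFC 1035 section 3.3.13): the '@'
    becomes a label separator and dots in the local part are escaped."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("mail address must be local@domain: %r" % email)
    return "%s.%s" % (local.replace(".", r"\."), normalize_zone(domain))


def default_rname(zone: str) -> Optional[str]:
    """hostmaster.<zone> for ordinary zones; None for the root zone, where
    'hostmaster..' would be invalid and the caller has to ask instead."""
    zone = normalize_zone(zone)
    if zone == ROOT_ZONE:
        return None
    return "hostmaster." + zone


def resolve_rname(zone: str, admin_email: Optional[str] = None,
                  prompt: Optional[Callable[[str], str]] = None) -> str:
    """Pick the SOA RNAME for a new zone:
    1. an explicitly supplied administrator e-mail wins,
    2. otherwise use the non-interactive default,
    3. only for '.' fall back to an interactive prompt callback."""
    if admin_email:
        return email_to_rname(admin_email)
    rname = default_rname(zone)
    if rname is not None:
        return rname
    if prompt is None:
        raise ValueError("root zone needs an explicit administrator e-mail")
    return email_to_rname(prompt("Administrator e-mail address"))
```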
