[Freeipa-devel] [PATCHES 0114-0115, 0120-0121, 0123-0125] DNS: allow to add root zone '.'

Martin Basti mbasti at redhat.com
Fri Sep 19 11:25:47 UTC 2014


On 16/09/14 10:29, Petr Spacek wrote:
> On 16.9.2014 10:09, Martin Kosek wrote:
>> On 09/16/2014 09:57 AM, Martin Basti wrote:
>>> On 16/09/14 09:32, Martin Basti wrote:
>>>> On 15/09/14 20:31, Martin Kosek wrote:
>>>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>>>> Patches attached.
>>>>>>>>>>>>
>>>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>>>
>>>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes
>>>>>>>>>>>> the named service to stop after deleting a zone.
>>>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are
>>>>>>>>>>> okay with the code.
>>>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still
>>>>>>>>>> crashes when "." is removed? Wouldn't it break our CI tests?
>>>>>>>>>>
>>>>>>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released.
>>>>>>>>>> Hopefully it would be soon.
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-devel mailing list
>>>>>>>>>> Freeipa-devel at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>>> It will break tests; don't push it until bind-dyndb-ldap is fixed.
>>>>>>>>> Currently I'm testing a bind-dyndb-ldap related patch.
>>>>>>>>>
>>>>>>>> Added patches 120 and 121, which are required by DNS to work correctly.
>>>>>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS records;
>>>>>>>> the --name-server option doesn't add an NS record, it only changes the
>>>>>>>> SOA MNAME attribute.
>>>>>>>>
>>>>>>>> Original and new patches attached.
>>>>>>>
>>>>>>> NACK, unfortunately it doesn't work for me:
>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>>>> record.
>>>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>>>> --ns-rec=nameserver'.
>>>>>>>    Zone name: tri.test.
>>>>>>>    Active zone: TRUE
>>>>>>>    Authoritative nameserver: ns.test.
>>>>>>>    Administrator e-mail address: hostmaster.tri.test.
>>>>>>>    SOA serial: 1410793406
>>>>>>>    SOA refresh: 3600
>>>>>>>    SOA retry: 900
>>>>>>>    SOA expire: 1209600
>>>>>>>    SOA minimum: 3600
>>>>>>>    BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant 
>>>>>>> IPA.EXAMPLE
>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>    Dynamic update: FALSE
>>>>>>>    Allow query: any;
>>>>>>>    Allow transfer: none;
>>>>>>>
>>>>>>> [root at vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>>>>    dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>>>>    idnsname: tri.test.
>>>>>>>    idnszoneactive: TRUE
>>>>>>>    idnssoamname: ns.test.
>>>>>>>    idnssoarname: hostmaster.tri.test.
>>>>>>>    idnssoaserial: 1410793408
>>>>>>>    idnssoarefresh: 3600
>>>>>>>    idnssoaretry: 900
>>>>>>>    idnssoaexpire: 1209600
>>>>>>>    idnssoaminimum: 3600
>>>>>>>    idnsallowquery: any;
>>>>>>>    idnsallowtransfer: none;
>>>>>>>    idnsAllowDynUpdate: FALSE
>>>>>>>    idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant 
>>>>>>> IPA.EXAMPLE
>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>    nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>>>>    objectClass: idnszone
>>>>>>>    objectClass: top
>>>>>>>    objectClass: idnsrecord
>>>>>>>
>>>>>>> [root at vm-035 rpms]# ipa dnsrecord-mod @ tri.test. 
>>>>>>> --ns-rec=$(hostname).
>>>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>>>
>>>>>> NACKing NACK
>>>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>>> you switched the order of zone and record; it should be
>>>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>>>
>>>>>
>>>>> BTW, since we are so nicely breaking the dnszone-add interface, can we
>>>>> also get rid of always asking for "Administrator e-mail address"?
>>>>>
>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>> ...
>>>>>
>>>>> Is there any risk in filling that with a default, as for any other
>>>>> attribute? IMO it would simplify adding zones by one more redundant step.
>>>>> CCing Rob in case he knows some historical reasons why this is requested
>>>>> every time.
>>>>>
>>>>> Martin
>>>> There is no risk, because ipa-replica-prepare does that with default
>>>> values.
>>
>> Then let us do this, as we are already simplifying the dnszone-add command.
>>
>>> However, this will not work with the root zone ".", and I'm not sure how
>>> often an admin email is used. I think whois is a better utility to get a
>>> contact email.
>>>
>>> Also RIPE-203 [1] recommends using the 'hostmaster' alias.
>>>
>>> [1] http://www.ripe.net/ripe/docs/ripe-203
>
> This will likely generate tons of invalid e-mail addresses, which is
> somehow unfortunate.
>
> Please keep in mind that:
> 1) E-mail hostmaster at ipa.domain.example. will be useful only if
> ipa.domain.example. has an MX record or at least an A/AAAA record (which
> is usually not the case for domains).
>
> 2) WHOIS is not useful for internal domains, which is the main
> deployment scenario for IPA, right?
>
>> DNS zone "." is quite an exception; you are not adding that zone every
>> day. So I would not keep asking for admin mail just for this one. You can
>> add an interactive prompt callback to ask in this case and otherwise just
>> use the default - up to you.
>>
>> As for the mail alias, this can be an RFE.
>
> It would be nice to have some IPA-global default like 'DNS administrator
> e-mail address' and to use this value for all DNS zones by default.
>

Updated patches attached.
Design page: 
http://www.freeipa.org/page/V4/DNS:_Automatic_Zone_NS/SOA_Record_Maintenance

-- 
Martin Basti
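
As an added example (my own code, not FreeIPA's), the SOA RNAME handling the thread circles around: the 'hostmaster.<zone>' default, its exception for the root zone '.', and the RFC 1035 section 3.3.13 mapping between an RNAME and an e-mail address (the first unescaped dot is the '@', a backslash-escaped dot in the local part is a literal dot). Function names and sample values are my own.

```python
# Added example, not FreeIPA code. Zone names and e-mail addresses used in
# the comments and tests are constructed.


def default_admin_rname(zone):
    """Return the 'hostmaster.<zone>' default discussed in the thread, or
    None for the root zone '.', where that default makes no sense."""
    zone = zone.strip().lower()
    if not zone.endswith('.'):
        zone += '.'                      # normalise to a FQDN
    if zone == '.':
        return None                      # root zone: no sensible default
    return 'hostmaster.' + zone          # e.g. 'hostmaster.tri.test.'


def rname_to_email(rname):
    """Decode an SOA RNAME into user@domain: the first unescaped '.' splits
    local part and domain; '\\.' inside the local part is a literal dot."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == '\\' and i + 1 < len(rname):
            local.append(rname[i + 1])   # escaped character, keep literally
            i += 2
            continue
        if ch == '.':
            break                        # first unescaped dot ends local part
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip('.')
    if not local or not domain:
        raise ValueError('malformed RNAME: %r' % rname)
    return '%s@%s' % (''.join(local), domain)


def email_to_rname(email):
    """Encode user@domain as an SOA RNAME, escaping dots in the local part."""
    local, sep, domain = email.partition('@')
    if not sep or not local or not domain:
        raise ValueError('malformed e-mail address: %r' % email)
    return '%s.%s.' % (local.replace('.', '\\.'), domain.rstrip('.'))
```

A zone-add front end that auto-fills the admin e-mail can call default_admin_rname() and fall back to an interactive prompt only when it returns None, which is the root-zone special case raised in the thread.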

-------------- next part --------------
Non-text attachments (scrubbed by the archive; all of type text/x-patch):
freeipa-mbasti-0114.2-Fix-DNS-plugin-to-allow-to-add-root-zone.patch (4904 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment.bin>
freeipa-mbasti-0115.2-DNS-test-allow-.-as-zone-name.patch (4529 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0001.bin>
freeipa-mbasti-0120.2-Deprecation-of-name-server-and-ip-address-option-in-.patch (12536 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0002.bin>
freeipa-mbasti-0121.2-Add-correct-NS-records-during-installation.patch (9987 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0003.bin>
freeipa-mbasti-0123.2-DNS-autofill-admin-email.patch (4778 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0004.bin>
freeipa-mbasti-0124.2-WebUI-DNS-Remove-ip-address-admin-email-options.patch (3281 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0005.bin>
freeipa-mbasti-0125.2-DNS-tests-tests-update-to-due-to-change-in-options.patch (61976 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/2332fdc0/attachment-0006.bin>

