[Freeipa-devel] [PATCH 0110] DNS: Warn if forwarding policy conflicts with automatic empty zone
Martin Basti
mbasti at redhat.com
Mon May 30 18:39:33 UTC 2016
On 27.05.2016 14:13, Petr Spacek wrote:
> On 25.5.2016 12:30, Martin Basti wrote:
>>
>> On 04.05.2016 10:43, Petr Spacek wrote:
>>> Hello,
>>>
>>> DNS: Warn if forwarding policy conflicts with automatic empty zones
>>>
>>> Forwarding policy "first" or "none" may conflict with some automatic empty
>>> zones. Queries for zones specified by RFC 6303 will ignore
>>> forwarding and recursion and always result in NXDOMAIN answers.
>>>
>>> This is not detected and warned about. Global forwarding is equivalent
>>> to forward zone ".".
>>>
>>> Example:
>>> Forward zone 1.10.in-addr.arpa with policy "first"
>>> will not forward anything because BIND will automatically prefer
>>> automatic empty zone "10.in-addr.arpa." which is authoritative.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5710
>>>
>>>
>>> This is last patch in the series so the ticket can be closed when all relevant
>>> patches are pushed.
>>>
>>>
>>>
>>
>> You forgot to update tests
>>
>> _____________________________________________________________________
>> test_dns.test_command[0087: dnsconfig_mod: Update global DNS settings]
>> ______________________________________________________________________
>>
>> self = <ipatests.test_xmlrpc.test_dns_plugin.test_dns object at
>> 0x7fcef3ef2510>, index = 87
>> declarative_test_definition = {'command': ('dnsconfig_mod', [],
>> {'idnsforwarders': ['172.16.31.80'], 'version': '2.166'}), 'desc': 'Update
>> global DN...arders': ['172.16.31.80']}, 'summary': None, 'value': None},
>> 'nice': '0087: dnsconfig_mod: Update global DNS settings'}
>>
>> def test_command(self, index, declarative_test_definition):
>> """Run an individual test
>>
>> The arguments are provided by the pytest plugin.
>> """
>> if callable(declarative_test_definition):
>> declarative_test_definition(self)
>> else:
>>> self.check(**declarative_test_definition)
>> test_xmlrpc/xmlrpc_test.py:313:
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> test_xmlrpc/xmlrpc_test.py:325: in check
>> self.check_output(nice, cmd, args, options, expected, extra_check)
>> test_xmlrpc/xmlrpc_test.py:368: in check_output
>> assert_deepequal(expected, got, nice)
>> util.py:361: in assert_deepequal
>> assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>
>> expected = [{'code': 13006, 'message': <function <lambda> at 0x7fcef426c758>,
>> 'name': 'DNSServerValidationWarning', 'type': 'warning'}]
>> got = [{'code': 13021, 'message': "Forwarding policy conflicts with some
>> automatic empty zones. Queries for zones specified ...': The DNS operation
>> timed out after 10.0008428097 seconds.", 'name': 'DNSServerValidationWarning',
>> 'type': 'warning'}]
>> doc = '0087: dnsconfig_mod: Update global DNS settings', stack = ('messages',)
>>
>> def assert_deepequal(expected, got, doc='', stack=tuple()):
>> """
>> Recursively check for type and equality.
>>
>> If a value in expected is callable then it will used as a callback to
>> test for equality on the got value. The callback is passed the got
>> value and returns True if equal, False otherwise.
>>
>> If the tests fails, it will raise an ``AssertionError`` with detailed
>> information, including the path to the offending value. For example:
>>
>> >>> expected = [u'Hello', dict(world=u'how are you?')]
>> >>> got = [u'Hello', dict(world='how are you?')]
>> >>> expected == got
>> True
>> >>> assert_deepequal(expected, got, doc='Testing my nested data')
>> Traceback (most recent call last):
>> ...
>> AssertionError: assert_deepequal: type(expected) is not type(got).
>> Testing my nested data
>> type(expected) = <type 'unicode'>
>> type(got) = <type 'str'>
>> expected = u'how are you?'
>> got = 'how are you?'
>> path = (0, 'world')
>>
>> Note that lists and tuples are considered equivalent, and the order of
>> their elements does not matter.
>> """
>> if isinstance(expected, tuple):
>> expected = list(expected)
>> if isinstance(got, tuple):
>> got = list(got)
>> if isinstance(expected, DN):
>> if isinstance(got, six.string_types):
>> got = DN(got)
>> if not (isinstance(expected, Fuzzy) or callable(expected) or
>> type(expected) is type(got)):
>> raise AssertionError(
>> TYPE % (doc, type(expected), type(got), expected, got, stack)
>> )
>> if isinstance(expected, (list, tuple)):
>> if len(expected) != len(got):
>> raise AssertionError(
>>> LEN % (doc, len(expected), len(got), expected, got, stack)
>> )
>> E AssertionError: assert_deepequal: list length mismatch.
>> E 0087: dnsconfig_mod: Update global DNS settings
>> E len(expected) = 1
>> E len(got) = 2
>> E expected = [{u'message': <function <lambda> at
>> 0x7fcef426c758>, u'code': 13006, u'type': u'warning', u'name':
>> u'DNSServerValidationWarning'}]
>> E got = [{u'message': u"Forwarding policy conflicts with some
>> automatic empty zones. Queries for zones specified by RFC 6303 will ignore
>> forwarding and recursion and always result in NXDOMAIN answers. To override
>> this behavior use forward policy 'only'.", u'code': 13021, u'type':
>> u'warning', u'name': u'DNSForwardPolicyConflictWithEmptyZone'}, {u'message':
>> u"DNS server 172.16.31.80: query '. SOA': The DNS operation timed out after
>> 10.0008428097 seconds.", u'code': 13006, u'type': u'warning', u'name':
>> u'DNSServerValidationWarning'}]
>> E path = (u'messages',)
>>
>> util.py:332: AssertionError
> Fixed patch is attached. It depends on newest patches 113-132.
>
ACK
master:
* da71e7e9de233bc0e40a90adb2db6d0944a1356a DNS: Warn if forwarding
policy conflicts with automatic empty zones
ipa-4-3:
* 8cbecdbc8dc022005beec3a9fe19aabd91041bbf DNS: Warn if forwarding
policy conflicts with automatic empty zones
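
The conflict described in the commit message above, as an added example that is not part of the original thread or of the FreeIPA patch. The names `AUTO_EMPTY_ZONES`, `labels`, `is_subdomain` and `conflicting_empty_zones` are hypothetical, the zone list is only a subset of RFC 6303, and treating both subdomains and superdomains of an empty zone as conflicting is an assumption drawn from the two cases in the message (forward zone 1.10.in-addr.arpa, and global forwarding as forward zone ".").

```python
# Added example, not FreeIPA code. AUTO_EMPTY_ZONES is a subset of the
# RFC 6303 list (IPv4 private and link-local reverse zones), for illustration.
AUTO_EMPTY_ZONES = (
    ["10.in-addr.arpa."]
    + ["%d.172.in-addr.arpa." % n for n in range(16, 32)]
    + ["168.192.in-addr.arpa.", "254.169.in-addr.arpa."]
)


def labels(zone):
    """Split a zone name into lowercase labels; the root zone "." gives []."""
    return [label for label in zone.lower().split(".") if label]


def is_subdomain(child, parent):
    """True if child equals parent or lies below it in the DNS tree."""
    c, p = labels(child), labels(parent)
    return len(p) <= len(c) and c[len(c) - len(p):] == p


def conflicting_empty_zones(forward_zone, policy):
    """Return the automatic empty zones that would answer instead of the forwarder.

    Policy "only" overrides the empty zones, so it never conflicts.
    Policies "first" and "none" conflict when the forward zone is at, below
    or above an automatic empty zone (assumption, see the lead-in).
    """
    if policy == "only":
        return []
    return [aez for aez in AUTO_EMPTY_ZONES
            if is_subdomain(forward_zone, aez) or is_subdomain(aez, forward_zone)]


if __name__ == "__main__":
    # Constructed sample inputs: the case from the commit message, the same
    # zone with policy "only", global forwarding, and an unrelated zone.
    samples = [("1.10.in-addr.arpa.", "first"), ("1.10.in-addr.arpa.", "only"),
               (".", "first"), ("example.com.", "first")]
    for zone, policy in samples:
        hits = conflicting_empty_zones(zone, policy)
        status = "WARN shadowed by %d empty zone(s)" % len(hits) if hits else "ok"
        print("%-22s policy=%-5s %s" % (zone, policy, status))
```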