On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote:
> Patch attached.

Updated patch attached 
-- 
Martin^2 Basti
>From 1f2dd2c86b49aa1d66915505564eb3f3cbd0ceae Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 30 Jun 2014 12:32:31 +0200
Subject: [PATCH] Add DNSSEC experimental support warning message

Ticket: https://fedorahosted.org/freeipa/ticket/4408
---
 ipalib/plugins/dns.py | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index b693bb9c3ce091fa26ed14d27213b84ef61f8f0c..ecae67c1369f641fb2a5594dff7c43929fd9339f 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -274,6 +274,25 @@ You may want to use forward zones (dnsforwardzone-*) instead. For more details r
 """
 )
 
+dnssec_experimental_true_warning = _(
+"""DNSSEC support is experimental.
+You have to manually generate DNSSEC signing keys and distribute them
+to all IPA DNS servers. Run:
+cd "/var/named/dyndb-ldap/ipa/%(zone)s/keys"
+dnssec-keygen -3 -b 2048 -f KSK "%(zone)s"
+dnssec-keygen -3 -b 2048 "%(zone)s"
+# please distribute all keys in this directory to all IPA DNS servers
+chown named: *
+rndc sign "%(zone)s"
+"""
+)
+
+dnssec_experimental_false_warning = _(
+"""DNSSEC support is experimental.
+If you encounter any problems please report them and restart 'named' service
+on affected IPA server.
+"""
+)
 
 def _rname_validator(ugettext, zonemgr):
     try:
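Review bot: The key-generation commands in `dnssec_experimental_true_warning` pass `-3 -b 2048` but no `-a`, so the signing algorithm is left to the default of the installed dnssec-keygen. BIND 9 releases that document this default pick NSEC3RSASHA1, a SHA-1-based algorithm, when `-3` is given without `-a`. Naming the algorithm in the message, e.g. `dnssec-keygen -3 -a RSASHA256 -b 2048 -f KSK "%(zone)s"`, would make the result independent of the installed version. The text also tells the administrator to copy every file in the keys directory (which includes the `.private` files) to all servers and to run `chown named: *`, without mentioning file modes or the transfer channel. A line such as `# copy over a secure channel; keep *.private readable only by named` would cover that.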
@@ -2220,6 +2239,20 @@ class dnszone(DNSZoneBase):
                                  messages.PublicMessage(type='warning',
                                  message=forwarders_warning))
 
+    def _warning_dnssec_experimental(self, result, *keys, **options):
+        # add warning when user use option --dnssec
+        if 'idnssecinlinesigning' in options:
+            if options['idnssecinlinesigning'] is True:
+                msg = dnssec_experimental_true_warning % {
+                    'zone': keys[-1].relativize(DNSName.root),
+                }
+                messages.add_message(options['version'], result,
+                                 messages.PublicMessage(type='warning',
+                                 message=msg))
+            else:
+                messages.add_message(options['version'], result,
+                                 messages.PublicMessage(type='warning',
+                                 message=dnssec_experimental_false_warning))
 
 
 @register()
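Review bot: In `_warning_dnssec_experimental` the zone name from `keys[-1].relativize(DNSName.root)` is substituted into shell commands the administrator is expected to paste, and the template wraps it in double quotes, inside which the shell still expands some characters. If zone names are not already restricted to a safe character set by validation elsewhere (not visible in this hunk), the template should use single quotes around `%(zone)s`, or this method should skip the command listing when the name contains anything other than letters, digits, `-`, `_` and `.`. The method would also read better with a docstring in place of the comment, e.g. `"""Add a warning to result when the idnssecinlinesigning option is present."""`. The enclosing class `dnszone` starts outside the hunk.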
@@ -2311,6 +2344,7 @@ class dnszone_add(DNSZoneBase_add):
     def execute(self, *keys, **options):
         result = super(dnszone_add, self).execute(*keys, **options)
         self.obj._warning_forwarding(result, **options)
+        self.obj._warning_dnssec_experimental(result, *keys, **options)
         return result
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2393,6 +2427,7 @@ class dnszone_mod(DNSZoneBase_mod):
     def execute(self, *keys, **options):
         result = super(dnszone_mod, self).execute(*keys, **options)
         self.obj._warning_forwarding(result, **options)
+        self.obj._warning_dnssec_experimental(result, *keys, **options)
         return result
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-- 
1.8.3.1
