On 09/16/2014 09:57 AM, Martin Basti wrote:
> On 16/09/14 09:32, Martin Basti wrote:
>> On 15/09/14 20:31, Martin Kosek wrote:
>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>> Patches attached.
>>>>>>>>>>
>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>
>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the
>>>>>>>>>> named service to be stopped after deleting a zone.
>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are okay
>>>>>>>>> with the code.
>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still crashes
>>>>>>>> when "." is removed? Wouldn't it break our CI tests?
>>>>>>>>
>>>>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released. Hopefully it
>>>>>>>> would be soon.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-devel mailing list
>>>>>>>> Freeipa-devel@redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>>> Currently I'm testing a bind-dyndb-ldap related patch.
>>>>>>>
>>>>>> Added patches 120 and 121, which are required for DNS to work correctly.
>>>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS; the
>>>>>> --name-server option doesn't add an NS record, it only changes the SOA
>>>>>> MNAME attribute.
>>>>>>
>>>>>> Original and new patches attached.
>>>>>
>>>>> NACK, unfortunately it doesn't work for me:
>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>> record.
>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>> --ns-rec=nameserver'.
>>>>> Zone name: tri.test.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: ns.test.
>>>>> Administrator e-mail address: hostmaster.tri.test.
>>>>> SOA serial: 1410793406
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3600
>>>>> BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>> Dynamic update: FALSE
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>>
>>>>> [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>> dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>> idnsname: tri.test.
>>>>> idnszoneactive: TRUE
>>>>> idnssoamname: ns.test.
>>>>> idnssoarname: hostmaster.tri.test.
>>>>> idnssoaserial: 1410793408
>>>>> idnssoarefresh: 3600
>>>>> idnssoaretry: 900
>>>>> idnssoaexpire: 1209600
>>>>> idnssoaminimum: 3600
>>>>> idnsallowquery: any;
>>>>> idnsallowtransfer: none;
>>>>> idnsAllowDynUpdate: FALSE
>>>>> idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>> nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>> objectClass: idnszone
>>>>> objectClass: top
>>>>> objectClass: idnsrecord
>>>>>
>>>>> [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>
>>>> NACKing NACK
>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>> You switched the order of zone and record; it should be
>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>
>>>
>>> BTW, since we are so nicely breaking the dnszone-add interface, can we also
>>> get rid of always asking for "Administrator e-mail address"?
>>>
>>> >> # ipa dnszone-add tri.test. --name-server=ns.test.
>>> >> Administrator e-mail address [hostmaster.tri.test.]:
>>> ...
>>>
>>> Is there any risk in filling that with a default, as for any other attribute? IMO
>>> it would simplify adding zones by one more redundant step. CCing Rob in
>>> case he knows some historical reasons why this is requested every time.
>>>
>>> Martin
>> There is no risk, because ipa-replica-prepare does that with default values.
Then let us do this, as we are already simplifying the dnszone-add command.

> However, this will not work with the root zone ".", and I'm not sure how often an
> admin email is used. I think whois is a better utility to get a contact email.
>
> Also RIPE-203 [1] recommends using the 'hostmaster' alias.
>
> [1] http://www.ripe.net/ripe/docs/ripe-203

DNS zone "." is quite an exception; you are not adding that zone every day. So I
would not keep asking for the admin mail just for this one. You can add an
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.

As for the mail alias, this can be an RFE.

Martin
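Two points from the thread lend themselves to a small check: `--name-server` only sets the SOA MNAME and does not put that host into the apex NS set (which is why the raw dump above shows `idnssoamname: ns.test.` but an unrelated `nsrecord`), and a `hostmaster.<zone>` default for the administrator e-mail cannot be derived for the root zone `.`. The script below is an added example, not FreeIPA code or any patch from this thread: it parses `ipa dnszone-show --all --raw` style output (the sample is reconstructed from the output quoted above) and reports a zone whose SOA MNAME or expected replicas are missing from the apex NS records, and it shows the root-zone exception for the default RNAME. Function names and the `expected_replicas` parameter are my own.

```python
"""Consistency checks on an IPA DNS zone dump (added example, not FreeIPA code).

Checks:
  * the SOA MNAME (idnssoamname) is also an apex NS record, which setting
    --name-server alone does not guarantee;
  * every expected replica hostname is present in the apex NS set;
  * a default SOA RNAME of hostmaster.<zone> exists, except for the root
    zone ".", where the caller has to prompt instead.
"""
from collections import defaultdict

# Constructed sample: abbreviated 'ipa dnszone-show tri.test. --all --raw' output.
RAW_ZONE = """\
dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
idnsname: tri.test.
idnszoneactive: TRUE
idnssoamname: ns.test.
idnssoarname: hostmaster.tri.test.
idnssoaserial: 1410793408
nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
"""


def parse_raw_zone(text):
    """Parse 'attr: value' lines into {lowercase attr: [values]}.

    Splits on the first colon only, so values that themselves contain
    colons (DNs, update policies) stay intact.
    """
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return attrs


def normalize(name):
    """Canonical form for comparing DNS names: lowercase, trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_apex_ns(attrs, expected_replicas=()):
    """Return a list of problems with the zone's apex NS / SOA MNAME (empty = OK)."""
    problems = []
    ns_set = {normalize(n) for n in attrs.get("nsrecord", [])}
    mname = attrs.get("idnssoamname", [None])[0]
    if mname is None:
        problems.append("zone has no SOA MNAME (idnssoamname)")
    elif normalize(mname) not in ns_set:
        problems.append("SOA MNAME %s is not an apex NS record (NS: %s)"
                        % (mname, ", ".join(sorted(ns_set)) or "none"))
    for host in expected_replicas:
        if normalize(host) not in ns_set:
            problems.append("replica %s missing from apex NS records" % host)
    return problems


def default_rname(zone):
    """Default SOA RNAME as hostmaster.<zone>; the root zone has no usable default."""
    zone = normalize(zone)
    if zone == ".":
        return None  # caller should prompt interactively for "."
    return "hostmaster." + zone


if __name__ == "__main__":
    zone = parse_raw_zone(RAW_ZONE)
    for problem in check_apex_ns(zone, ["vm-035.idm.lab.eng.brq.redhat.com"]):
        print("WARNING:", problem)
    print("default RNAME for tri.test.:", default_rname("tri.test."))
    print("default RNAME for '.':", default_rname("."))
```

Run against the sample, the script flags that `ns.test.` is the SOA MNAME but not an apex NS, while the replica itself is present; for the root zone `default_rname` returns `None` so the caller knows to fall back to a prompt.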