On 16/09/14 10:29, Petr Spacek wrote:
On 16.9.2014 10:09, Martin Kosek wrote:
On 09/16/2014 09:57 AM, Martin Basti wrote:
On 16/09/14 09:32, Martin Basti wrote:
On 15/09/14 20:31, Martin Kosek wrote:
On 09/15/2014 05:16 PM, Martin Basti wrote:
On 15/09/14 17:10, Petr Spacek wrote:
On 12.9.2014 15:19, Martin Basti wrote:
On 03/09/14 12:45, Martin Basti wrote:
On 03/09/14 12:27, Martin Kosek wrote:
On 09/02/2014 05:46 PM, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the named
service to stop after deleting a zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
Functional ACK, it works for me. It can be pushed if Python gurus are okay
with the code.
Is it safe to commit the change given that bind-dyndb-ldap still crashes
when "." is removed? Wouldn't it break our CI tests?

Maybe we should wait until a fixed bind-dyndb-ldap is released. Hopefully it
would be soon.

Martin

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
It will break tests, don't push it until bind-dyndb-ldap is fixed.
Currently I'm testing the bind-dyndb-ldap related patch.

Added patches 120 and 121, which are required by DNS to work correctly.
Patches 120 and 121 add all DNS replicas to the zone apex as NS records; the
--name-server option doesn't add an NS record, it only changes the SOA MNAME
attribute.

Original and new patches attached.

NACK, unfortunately it doesn't work for me:
# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
record.
To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
--ns-rec=nameserver'.
   Zone name: tri.test.
   Active zone: TRUE
   Authoritative nameserver: ns.test.
   Administrator e-mail address: hostmaster.tri.test.
   SOA serial: 1410793406
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
   Dynamic update: FALSE
   Allow query: any;
   Allow transfer: none;

[root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
   dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
   idnsname: tri.test.
   idnszoneactive: TRUE
   idnssoamname: ns.test.
   idnssoarname: hostmaster.tri.test.
   idnssoaserial: 1410793408
   idnssoarefresh: 3600
   idnssoaretry: 900
   idnssoaexpire: 1209600
   idnssoaminimum: 3600
   idnsallowquery: any;
   idnsallowtransfer: none;
   idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
   nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
   objectClass: idnszone
   objectClass: top
   objectClass: idnsrecord

[root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
ipa: ERROR: tri.test.: DNS resource record not found

NACKing NACK
ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
you switched the order of zone and record, it should be
ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).


BTW, since we are so nicely breaking the dnszone-add interface, can we also
get rid of always asking for "Administrator e-mail address"?

# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
...

Is there any risk in filling that with a default, as for any other attribute? IMO it would simplify adding zones by one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time.

Martin
There is no risk, because ipa-replica-prepare does that with default values.

Then let us do this, as we are already simplifying the dnszone-add command.

However, this will not work with the root zone ".", and I'm not sure how often an admin email is used. I think whois is a better utility to get a contact email.

Also RIPE-203 [1] recommends using the 'hostmaster' alias.

[1] http://www.ripe.net/ripe/docs/ripe-203

This will likely generate tons of invalid e-mail addresses, which is somewhat unfortunate.

Please keep in mind that:
1) E-mail [email protected]. will be useful only if ipa.domain.example. has an MX record or at least an A/AAAA record (which is usually not the case for domains).

2) WHOIS is not useful for internal domains, which are the main deployment scenario for IPA, right?

DNS zone "." is quite an exception, you are not adding that zone every day. So
I would not keep asking for admin mail just for this one. You can add an
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.

As for the mail alias, this can be an RFE.

It would be nice to have some IPA-global default like 'DNS administrator e-mail address' and to use this value for all DNS zones by default.

+1


--
Martin Basti
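As an added example (not FreeIPA's own code) of the default admin e-mail handling discussed in this thread: deriving the SOA RNAME from the zone name the way dnszone-add's default does, converting it to and from e-mail form per RFC 1035, and refusing the root zone "." case rather than emitting an invalid name. Function names are my own.

```python
"""Default SOA RNAME handling (added example, not FreeIPA code)."""


def default_rname(zone: str, alias: str = "hostmaster") -> str:
    """Return the default SOA RNAME for a zone, e.g. 'tri.test.' -> 'hostmaster.tri.test.'.

    The root zone '.' is the edge case raised in the thread: 'hostmaster..'
    would contain an empty label, so we refuse instead of producing it.
    """
    if not zone.endswith("."):
        raise ValueError("zone must be a fully-qualified name ending with '.'")
    if zone == ".":
        raise ValueError("no default admin e-mail for the root zone; prompt instead")
    return f"{alias}.{zone}"


def rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME to e-mail form (RFC 1035 section 3.3.13).

    The first unescaped '.' separates the mailbox from the domain; a '\\.'
    before that point stands for a literal '.' in the local part.
    """
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped character
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":  # end of the mailbox part
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip(".")
    if not local or not domain:
        raise ValueError(f"not a valid RNAME: {rname!r}")
    return f"{''.join(local)}@{domain}"


def email_to_rname(email: str) -> str:
    """Inverse of rname_to_email: escape dots in the local part, append '.'."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not a valid e-mail address: {email!r}")
    escaped = local.replace(".", "\\.")
    return f"{escaped}.{domain.rstrip('.')}."
```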
