On 09/16/2014 10:30 AM, Martin Basti wrote:
> On 16/09/14 10:29, Petr Spacek wrote:
>> On 16.9.2014 10:09, Martin Kosek wrote:
>>> On 09/16/2014 09:57 AM, Martin Basti wrote:
>>>> On 16/09/14 09:32, Martin Basti wrote:
>>>>> On 15/09/14 20:31, Martin Kosek wrote:
>>>>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>>>>> Patches attached.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>>>>
>>>>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse, in dirsrv), which
>>>>>>>>>>>>> causes the named service to be stopped after deleting a zone.
>>>>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus
>>>>>>>>>>>> are okay with the code.
>>>>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still
>>>>>>>>>>> crashes when "." is removed? Wouldn't it break our CI tests?
>>>>>>>>>>>
>>>>>>>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released.
>>>>>>>>>>> Hopefully it would be soon.
>>>>>>>>>>>
>>>>>>>>>>> Martin
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Freeipa-devel mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>>>>>> Currently I'm testing a bind-dyndb-ldap related patch.
>>>>>>>>>>
>>>>>>>>> Added patches 120 and 121, which are required by DNS to work
>>>>>>>>> correctly.
>>>>>>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS;
>>>>>>>>> the --name-server option doesn't add an NS record, it only changes
>>>>>>>>> the SOA MNAME attribute.
>>>>>>>>>
>>>>>>>>> Original and new patches attached.
>>>>>>>>
>>>>>>>> NACK, unfortunately it doesn't work for me:
>>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>>>>> record.
>>>>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>>>>> --ns-rec=nameserver'.
>>>>>>>> Zone name: tri.test.
>>>>>>>> Active zone: TRUE
>>>>>>>> Authoritative nameserver: ns.test.
>>>>>>>> Administrator e-mail address: hostmaster.tri.test.
>>>>>>>> SOA serial: 1410793406
>>>>>>>> SOA refresh: 3600
>>>>>>>> SOA retry: 900
>>>>>>>> SOA expire: 1209600
>>>>>>>> SOA minimum: 3600
>>>>>>>> BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>> Dynamic update: FALSE
>>>>>>>> Allow query: any;
>>>>>>>> Allow transfer: none;
>>>>>>>>
>>>>>>>> [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>>>>> dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>>>>> idnsname: tri.test.
>>>>>>>> idnszoneactive: TRUE
>>>>>>>> idnssoamname: ns.test.
>>>>>>>> idnssoarname: hostmaster.tri.test.
>>>>>>>> idnssoaserial: 1410793408
>>>>>>>> idnssoarefresh: 3600
>>>>>>>> idnssoaretry: 900
>>>>>>>> idnssoaexpire: 1209600
>>>>>>>> idnssoaminimum: 3600
>>>>>>>> idnsallowquery: any;
>>>>>>>> idnsallowtransfer: none;
>>>>>>>> idnsAllowDynUpdate: FALSE
>>>>>>>> idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>> nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>>>>> objectClass: idnszone
>>>>>>>> objectClass: top
>>>>>>>> objectClass: idnsrecord
>>>>>>>>
>>>>>>>> [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>>>>
>>>>>>> NACKing NACK
>>>>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>>>> you switched the order of zone and record, it should be
>>>>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>>>>
>>>>>>
>>>>>> BTW, since we are so nicely breaking the dnszone-add interface, can we
>>>>>> also get rid of always asking for "Administrator e-mail address"?
>>>>>>
>>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>>> ...
>>>>>>
>>>>>> Is there any risk in filling that with a default, as for any other
>>>>>> attribute? IMO it would simplify adding zones by one more redundant
>>>>>> step. CCing Rob in case he knows some historical reasons why this is
>>>>>> requested every time.
>>>>>>
>>>>>> Martin
>>>>> There is no risk, because ipa-replica-prepare does that with default
>>>>> values.
>>>
>>> Then let us do this, as we are already simplifying the dnszone-add command.
>>>
>>>> However, this will not work with the root zone ".", and I'm not sure how
>>>> often an admin email is used. I think whois is a better utility to get a
>>>> contact email.
>>>>
>>>> Also RIPE-203 [1] recommends using the 'hostmaster' alias.
>>>>
>>>> [1] http://www.ripe.net/ripe/docs/ripe-203
>>
>> This will likely generate tons of invalid e-mail addresses, which is
>> somewhat unfortunate.
>>
>> Please keep in mind that:
>> 1) E-mail [email protected]. will be useful only if
>> ipa.domain.example. has an MX record or at least an A/AAAA record (which is
>> usually not the case for domains).
>>
>> 2) WHOIS is not useful for internal domains, which is the main deployment
>> scenario for IPA, right?
>>
>>> DNS zone "." is quite an exception, you are not adding that zone every day.
>>> So I would not keep asking for admin mail just for this one. You can add an
>>> interactive prompt callback to ask in this case and otherwise just use the
>>> default - up to you.
>>>
>>> As for the mail alias, this can be an RFE.
>>
>> It would be nice to have some IPA-global default like 'DNS administrator
>> e-mail address' and to use this value for all DNS zones by default.
>>
> +1
Please file an RFE for this part (requires schema update, doc update, ...).
For now I would stick just with using the defaults without asking (like in
other commands). I think it involves just setting autofill to True.

Martin
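The default contact discussed above, 'hostmaster.tri.test.', is an SOA RNAME: a mailbox stored as a DNS name. As an added example (not FreeIPA project code; the function names are my own), this converts between that form and an ordinary address, honouring the RFC 1035 '\.' escape for dots in the local part, and flags the root-zone case raised in the thread, where the default leaves no mail domain at all.

```python
# Added example: SOA RNAME <-> e-mail conversion, not FreeIPA project code.
# Function names are hypothetical. RFC 1035 stores the zone contact as a
# domain name: the first unescaped dot ends the local part, and a literal
# dot inside the local part is written as '\.'.


def default_rname(zone):
    """FreeIPA-style default contact for a zone: 'hostmaster.<zone>'."""
    zone = zone if zone.endswith(".") else zone + "."
    # For the root zone "." this yields 'hostmaster.' with no mail domain.
    return "hostmaster." + zone.lstrip(".")


def rname_to_email(rname):
    """Turn an SOA RNAME into user@domain, or raise if it has no domain."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped char, keep literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":  # first unescaped dot ends the local part
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip(".")
    if not local or not domain:
        raise ValueError("RNAME %r has no usable mailbox domain" % rname)
    return "".join(local) + "@" + domain


def email_to_rname(address):
    """Inverse: escape dots in the local part and append the domain."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not a user@domain address: %r" % address)
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def contact_is_usable(zone):
    """True when the default contact for `zone` has a mail domain at all."""
    try:
        rname_to_email(default_rname(zone))
        return True
    except ValueError:
        return False
```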
