I have accidentally sent the e-mail twice. Please reply to the thread with the additional [PATCH] keyword in the subject and let this thread die.

On 9.10.2014 10:50, Petr Spacek wrote:

bad things will happen (i.e. external DNS resolution will not work) if
configured DNS forwarders are not standards compliant, i.e. EDNS or DNSSEC
support is not enabled.

For this reason I'm proposing to add an explicit check to the IPA installer and
possibly even to the dnsconfig-mod/dnszone-mod commands so forwarders are
tested before putting them into effect.

This check should detect failures soon and prevent surprises where IPA
installs itself but DNS resolution doesn't work for some domains etc.

Instructions for attached patch/script:
# ./dnssec_test.py
-> Will (likely) time-out, print a warning and return None
- This should be a reason to abort installation because forwarder doesn't work
at all.

# ./dnssec_test.py
- Result depends on your local resolver.
- In RH's network it will print a scary warning message and return False
because internal forwarder doesn't support DNSSEC.
- Should be a reason to abort installation. (This could be overridden by
--force switch but then "dnssec-validation" option in /etc/named.conf has to
be set to "no" otherwise IPA DNS will not work properly.)
(I would rather force people to flip the switch in named.conf on forwarder so
this could be a hidden option.)

# ./dnssec_test.py
-> Should return True - forwarder works and DNSSEC is supported
- Installation should continue.

Please voice your concerns ASAP.

Petr^2 Spacek
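The three outcomes listed in the message (None, False, True) can be reproduced offline with the added example below, which is not the attached dnssec_test.py and not FreeIPA code. It assumes the test is an SOA query for the root zone with the EDNS0 DO bit set, and that a compliant forwarder answers with an OPT record plus an RRSIG; all function names and sample replies are constructed for illustration.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46
DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the OPT record's TTL field

def rr(rtype, rclass=1, ttl=0):
    """Root-owned record with empty RDATA (enough for OPT and for samples)."""
    return b"\x00" + struct.pack("!HHIH", rtype, rclass, ttl, 0)

def message(flags, answers=(), additional=()):
    """DNS message asking for the SOA of the root zone "."."""
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    question = b"\x00" + struct.pack("!2H", SOA, 1)
    return header + question + b"".join(answers) + b"".join(additional)

def build_query():
    """Recursive query with EDNS0 (4096-byte UDP payload) and DO set."""
    return message(0x0100, additional=[rr(OPT, 4096, DO_BIT)])

def skip_name(msg, pos):
    """Offset just past the (possibly compressed) name at pos."""
    while 0 < msg[pos] < 0xC0:         # ordinary label: length byte + data
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] >= 0xC0 else 1)  # pointer: 2 bytes, root: 1

def record_types(msg):
    """List (section, type) pairs; section 0=answer, 1=authority, 2=additional."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    pos, found = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # question: name, type, class
    for section, count in enumerate((an, ns, ar)):
        for _ in range(count):
            pos = skip_name(msg, pos)
            rtype, rdlen = struct.unpack_from("!H6xH", msg, pos)
            found.append((section, rtype))
            pos += 10 + rdlen
    return found

def check_forwarder(response):
    """None: no usable reply; False: EDNS/DNSSEC missing; True: signed answer."""
    try:
        found = record_types(response)
    except (TypeError, struct.error, IndexError):
        return None                    # timeout (None) or malformed reply
    return (2, OPT) in found and (0, RRSIG) in found

# Constructed sample replies (not captured traffic).
SIGNED = message(0x81A0, [rr(SOA), rr(RRSIG)], [rr(OPT, 4096, DO_BIT)])
NO_DNSSEC = message(0x8180, [rr(SOA)])
```

To test a real forwarder, send `build_query()` over UDP to port 53 with a timeout and pass the reply, or None on timeout, to `check_forwarder()`.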

Freeipa-devel mailing list
