On 10/09/2014 10:50 AM, Petr Spacek wrote:
> Hello,
>
> bad things will happen (i.e. external DNS resolution will not work) if
> configured DNS forwarders are not standard compliant, i.e. EDNS or DNSSEC
> support is not enabled.
>
> For this reason I'm proposing to add explicit check to IPA installer and
> possibly even to dnsconfig-mod/dnszone-mod commands so forwarders are tested
> before putting them in effect.
>
> This check should detect failures soon and prevent surprises where IPA installs
> itself but DNS resolution doesn't work for some domains etc.
>
>
> Instructions for attached patch/script:
> # ./dnssec_test.py 127.127.127.127
> -> Will (likely) time-out, print a warning and return None
> - This should be a reason to abort installation because forwarder doesn't work
> at all.
>
> # ./dnssec_test.py 10.1.2.3
> - Result depends on your local resolver.
> - In RH's network it will print a scary warning message and return False because
> internal forwarder doesn't support DNSSEC.
> - Should be a reason to abort installation. (This could be overridden by --force
> switch but then "dnssec-validation" option in /etc/named.conf has to be set to
> "no" otherwise IPA DNS will not work properly.)
> (I would rather force people to flip the switch in named.conf on forwarder so
> this could be a hidden option.)
>
> # ./dnssec_test.py 199.7.83.42
> -> Should return True - forwarder works and DNSSEC is supported
> - Installation should continue.
>
> Please voice your concerns ASAP.
>
I must confirm that if using DNSSEC, it is essential to probe the forwarder for
proper DNSSEC support before using it. If the forwarder is not able to provide
all the necessary information, the validation will not work.

This is basically the same as what we are already doing on the client side, where
dnssec-trigger tries to determine if network-provided DNS forwarders are DNSSEC
enabled before configuring the unbound server.

Therefore I agree with the idea; however, it is up to IPA developers how they end
up implementing the probing.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc.
http://cz.redhat.com

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
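The probe both messages describe, as an added, standard-library-only example; it is not the dnssec_test.py Petr attached and not dnssec-trigger's code. It assumes the check is "send a `. IN DNSKEY` query with an EDNS0 OPT record and the DO bit set, then look at what comes back": no reply gives None, a FORMERR or a reply without OPT means EDNS is missing, a reply without RRSIG means the forwarder strips DNSSEC data, and only a reply carrying RRSIGs counts as usable. The function names and the `constructed_response()` builder (placeholder rdata, no real keys) are assumptions made so the classifier can be exercised offline.

```python
# Added example (not the dnssec_test.py attached to the thread): probe a DNS
# forwarder for EDNS0 and DNSSEC support with a "." IN DNSKEY query, DO bit set.
import secrets
import socket
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
RCODE_FORMERR = 1
EDNS_DO = 0x8000  # DO bit is the high bit of the OPT record's 16-bit flags field

def _encode_name(name):
    """Wire-format a dotted name; "." becomes the single root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _rr(name, rtype, rclass, ttl, rdata):
    """Encode one resource record (for OPT, rclass carries the UDP size and ttl the flags)."""
    return _encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(qname=".", qtype=TYPE_DNSKEY, edns=True, do=True):
    """Return (message id, query bytes) for a recursive query with optional EDNS0/DO."""
    msg_id = secrets.randbelow(65536)
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    msg = header + _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        msg += _rr(".", TYPE_OPT, 4096, EDNS_DO if do else 0, b"")
    return msg_id, msg

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + length
    raise ValueError("truncated name")

def parse_response(msg):
    """Parse a DNS reply into (rcode, flags, {section: [(rtype, rclass, ttl), ...]})."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append((rtype, rclass, ttl))
    return flags & 0x000F, flags, sections

def classify_response(msg, expected_id=None):
    """Decide whether a forwarder reply shows working EDNS0 and DNSSEC; returns (ok, reason)."""
    rcode, flags, sections = parse_response(msg)
    if expected_id is not None and struct.unpack("!H", msg[:2])[0] != expected_id:
        return False, "id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    has_opt = any(r[0] == TYPE_OPT for r in sections["additional"])
    if rcode == RCODE_FORMERR or not has_opt:
        return False, "forwarder does not support EDNS0"
    if rcode != 0:
        return False, f"unexpected RCODE {rcode}"
    if not any(r[0] == TYPE_RRSIG for r in sections["answer"]):
        return False, "forwarder strips DNSSEC records (no RRSIG returned)"
    return True, "EDNS0 and DNSSEC supported"

def probe_forwarder(ip, timeout=5.0):
    """Query the forwarder over UDP/53: None = no answer, False = broken, True = usable."""
    msg_id, query = build_query()
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP port unreachable, network down
            print(f"WARNING: no usable reply from {ip}")
            return None
    ok, reason = classify_response(data, msg_id)
    if not ok:
        print(f"WARNING: forwarder {ip}: {reason}")
    return ok

def constructed_response(msg_id, edns=True, rrsig=True, rcode=0):
    """Constructed test reply (not captured from a real forwarder) so the classifier runs offline."""
    answers = [_rr(".", TYPE_DNSKEY, 1, 3600, b"\x01\x01\x03\x08" + b"\x00" * 8)]  # placeholder key
    if rrsig:
        answers.append(_rr(".", TYPE_RRSIG, 1, 3600, b"\x00" * 27))  # placeholder signature
    additional = [_rr(".", TYPE_OPT, 4096, EDNS_DO, b"")] if edns else []
    header = struct.pack("!6H", msg_id, 0x8180 | (rcode & 0xF), 1, len(answers), 0, len(additional))
    return header + _encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, 1) + b"".join(answers + additional)

if __name__ == "__main__":
    import sys
    print(probe_forwarder(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 probe.py <forwarder-ip>`; the return value follows the None/False/True convention from Petr's message, so an installer can abort on None or False. Requiring RRSIG in the answer, rather than trusting the AD bit, is deliberate: a forwarder that validates for itself but drops the signatures still leaves the local named unable to validate.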