On 16.9.2014 10:36, Martin Kosek wrote:
On 09/16/2014 10:30 AM, Martin Basti wrote:
On 16/09/14 10:29, Petr Spacek wrote:
On 16.9.2014 10:09, Martin Kosek wrote:
On 09/16/2014 09:57 AM, Martin Basti wrote:
On 16/09/14 09:32, Martin Basti wrote:
On 15/09/14 20:31, Martin Kosek wrote:
On 09/15/2014 05:16 PM, Martin Basti wrote:
On 15/09/14 17:10, Petr Spacek wrote:
On 12.9.2014 15:19, Martin Basti wrote:
On 03/09/14 12:45, Martin Basti wrote:
On 03/09/14 12:27, Martin Kosek wrote:
On 09/02/2014 05:46 PM, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse, in dirsrv), which causes the named service to stop after deleting a zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code.
Is it safe to commit the change given that bind-dyndb-ldap still crashes when "." is removed? Wouldn't it break our CI tests?

Maybe we should wait until a fixed bind-dyndb-ldap is released. Hopefully it would be soon.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
It will break tests, don't push it until bind-dyndb-ldap is fixed.
Currently I'm testing bind-dyndb-ldap related patch.

Added patches 120 and 121, which are required by DNS to work correctly.
Patches 120 and 121 add all DNS replicas to the zone apex as NS; the --name-server option doesn't add an NS record, it only changes the SOA MNAME attribute.

Original and new patches attached.

NACK, unfortunately it doesn't work for me:
# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
record.
To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
--ns-rec=nameserver'.
    Zone name: tri.test.
    Active zone: TRUE
    Authoritative nameserver: ns.test.
    Administrator e-mail address: hostmaster.tri.test.
    SOA serial: 1410793406
    SOA refresh: 3600
    SOA retry: 900
    SOA expire: 1209600
    SOA minimum: 3600
    BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
    Dynamic update: FALSE
    Allow query: any;
    Allow transfer: none;

[root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
    dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
    idnsname: tri.test.
    idnszoneactive: TRUE
    idnssoamname: ns.test.
    idnssoarname: hostmaster.tri.test.
    idnssoaserial: 1410793408
    idnssoarefresh: 3600
    idnssoaretry: 900
    idnssoaexpire: 1209600
    idnssoaminimum: 3600
    idnsallowquery: any;
    idnsallowtransfer: none;
    idnsAllowDynUpdate: FALSE
    idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
    nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
    objectClass: idnszone
    objectClass: top
    objectClass: idnsrecord

[root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
ipa: ERROR: tri.test.: DNS resource record not found

NACKing NACK
ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
you switched the order of zone and record, it should be
ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).


BTW, since we are so nicely breaking the dnszone-add interface, can we also
get rid of always asking for "Administrator e-mail address"?

# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
...

Is there any risk in filling that with default as any other attribute? IMO
it would simplify adding zones for one more redundant step. CCing Rob in
case he knows some historical reasons why this is requested every time.

Martin
There is no risk, because ipa-replica-prepare does that with default values.

Then let us do this, as we are already simplifying the dnszone-add command.

However, this will not work with the root zone ".", and I'm not sure how often an
admin email is used. I think whois is a better utility to get a contact email.

Also RIPE-203 [1] recommends using the 'hostmaster' alias.

[1] http://www.ripe.net/ripe/docs/ripe-203

This will likely generate tons of invalid e-mail addresses, which is somewhat
unfortunate.

Please keep in mind that:
1) E-mail hostmaster@ipa.domain.example. will be useful only if
ipa.domain.example. has MX record or at least A/AAAA record (which is usually
not the case for domains).

2) WHOIS is not useful for internal domains which is the main deployment
scenario for IPA, right?

DNS zone "." is quite an exception, you are not adding that zone every day. So
I would not keep asking for the admin mail just for this one. You can add an
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.

As for the mail alias, this can be an RFE.

It would be nice to have some IPA-global default like 'DNS administrator
e-mail address' and to use this value for all DNS zones by default.

+1

Please file an RFE for this part (requires schema update, doc update, ...). For
now I would stick just with using the defaults without asking (like in other
commands). I think it involves just setting autofill to True.

https://fedorahosted.org/freeipa/ticket/4542

--
Petr^2 Spacek
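The thread's `dnszone-show --raw` output shows the situation Martin Basti describes: `--name-server` changed `idnssoamname` to `ns.test.`, but the apex `nsrecord` set still only lists the original replica. The following is an added example (not FreeIPA code, and not from any participant) that parses that raw output and flags a zone whose SOA MNAME is not among its apex NS records, which is the inconsistency a resolver or a lame-delegation check would notice. The sample text is a constructed copy of the output quoted above; the suggested fix command follows the argument order given in the thread.

```python
"""Consistency check between a zone's SOA MNAME and its apex NS records.

Added example (not FreeIPA code). It parses the ``--raw`` output of
``ipa dnszone-show`` as quoted in this thread and reports when the SOA
MNAME (set by ``--name-server``) is not one of the apex NS records.
Nothing is queried; the sample below is constructed from the thread.
"""
from __future__ import annotations

# Constructed sample: the raw dnszone-show output quoted in the thread.
SAMPLE_RAW = """\
  dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
  idnsname: tri.test.
  idnszoneactive: TRUE
  idnssoamname: ns.test.
  idnssoarname: hostmaster.tri.test.
  idnssoaserial: 1410793408
  nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
  objectClass: idnszone
  objectClass: top
  objectClass: idnsrecord
"""


def parse_raw(text: str) -> dict[str, list[str]]:
    """Parse 'attr: value' lines into a multi-valued dict (keys lowercased).

    Multi-valued attributes such as objectClass and nsrecord keep every value,
    in the order they appear.
    """
    attrs: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def normalize(name: str) -> str:
    """Lowercase and make the name absolute (trailing dot) for exact comparison."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_apex_ns(attrs: dict[str, list[str]]) -> dict[str, object]:
    """Return the zone, its SOA MNAME, the apex NS set and whether MNAME is listed.

    'consistent' is False exactly in the situation from the thread:
    --name-server changed idnssoamname, but the nsrecord set still only
    contains the original replica.
    """
    zone = normalize(attrs.get("idnsname", ["?"])[0])
    mname = normalize(attrs.get("idnssoamname", [""])[0])
    ns_set = {normalize(n) for n in attrs.get("nsrecord", [])}
    return {
        "zone": zone,
        "mname": mname,
        "ns": sorted(ns_set),
        "consistent": mname in ns_set,
    }


def report(text: str) -> str:
    """Human-readable verdict, with the dnsrecord-mod invocation from the thread."""
    r = check_apex_ns(parse_raw(text))
    if r["consistent"]:
        return f"{r['zone']}: SOA MNAME {r['mname']} is an apex NS"
    return (f"{r['zone']}: SOA MNAME {r['mname']} is NOT among apex NS "
            f"{r['ns']}; fix with 'ipa dnsrecord-mod {r['zone']} @ "
            f"--ns-rec={r['mname']}'")


if __name__ == "__main__":
    print(report(SAMPLE_RAW))
```

Run against the thread's output it reports the mismatch; appending a `nsrecord: ns.test.` line (what the corrected `dnsrecord-mod tri.test. @ --ns-rec=...` call would produce) makes the same check pass.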
