https://fedorahosted.org/freeipa/ticket/5179
patch attached
From 8497a0fc42560853810ccb7476ed27e1f037b3c2 Mon Sep 17 00:00:00 2001 From: Martin Basti <[email protected]> Date: Mon, 24 Aug 2015 12:53:30 +0200 Subject: [PATCH] DNSSEC: fix forward zone forwarders checks https://fedorahosted.org/freeipa/ticket/5179 --- ipalib/util.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 7baec85d6a660db5c217b212890a99897bb26401..0d5f85040bf5bfba4fef7186f255497967976c17 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -691,20 +691,21 @@ def validate_dnssec_zone_forwarder_step2(ipa_ip_addr, fwzone, log=None, ans_cd = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, edns0=True, dnssec=True, flag_cd=True, timeout=timeout) - except DNSException as e: - _log_response(log, e) - - try: - ans_do = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, - edns0=True, dnssec=True, timeout=timeout) except NXDOMAIN as e: # sometimes CD flag is ignored and NXDomain is returned _log_response(log, e) raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr) except DNSException as e: _log_response(log, e) - raise UnresolvableRecordError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr, - error=e) + raise UnresolvableRecordError(owner=fwzone, rtype=rtype, + ip=ipa_ip_addr, error=e) + + try: + ans_do = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, + edns0=True, dnssec=True, timeout=timeout) + except DNSException as e: + _log_response(log, e) + raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr) else: if (ans_do.canonical_name == ans_cd.canonical_name and ans_do.rrset == ans_cd.rrset): -- 2.4.3
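Review bot: The second `try` now maps every `DNSException` from the DO query to `DNSSECValidationError`, so a timeout or an unreachable server on that query is reported as a DNSSEC validation failure rather than a resolution problem. This matters operationally: an admin told that validation failed may loosen DNSSEC validation when the real cause is transient. If dnspython's `Timeout` is in scope in ipalib/util.py (the imports are not visible here), consider handling it ahead of the generic clause with `except Timeout as e:`, then `_log_response(log, e)` and `raise UnresolvableRecordError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr, error=e)`. A short comment on the remaining generic clause, such as `# any other resolver failure on the validated query is treated as a DNSSEC failure`, would also make the intent explicit. The body of validate_dnssec_zone_forwarder_step2 starts and ends outside the hunk.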
