On 27.05.2016 14:13, Petr Spacek wrote:
On 25.5.2016 12:30, Martin Basti wrote:

On 04.05.2016 10:43, Petr Spacek wrote:
Hello,

DNS: Warn if forwarding policy conflicts with automatic empty zones

Forwarding policy "first" or "none" may conflicts with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.

This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".

Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.

https://fedorahosted.org/freeipa/ticket/5710


This is last patch in the series so the ticket can be closed when all relevant
patches are pushed.




You forgot to update tests

_____________________________________________________________________
test_dns.test_command[0087: dnsconfig_mod: Update global DNS settings]
______________________________________________________________________

self = <ipatests.test_xmlrpc.test_dns_plugin.test_dns object at
0x7fcef3ef2510>, index = 87
declarative_test_definition = {'command': ('dnsconfig_mod', [],
{'idnsforwarders': ['172.16.31.80'], 'version': '2.166'}), 'desc': 'Update
global DN...arders': ['172.16.31.80']}, 'summary': None, 'value': None},
'nice': '0087: dnsconfig_mod: Update global DNS settings'}

     def test_command(self, index, declarative_test_definition):
         """Run an individual test

             The arguments are provided by the pytest plugin.
             """
         if callable(declarative_test_definition):
             declarative_test_definition(self)
         else:
           self.check(**declarative_test_definition)
test_xmlrpc/xmlrpc_test.py:313:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test_xmlrpc/xmlrpc_test.py:325: in check
     self.check_output(nice, cmd, args, options, expected, extra_check)
test_xmlrpc/xmlrpc_test.py:368: in check_output
     assert_deepequal(expected, got, nice)
util.py:361: in assert_deepequal
     assert_deepequal(e_sub, g_sub, doc, stack + (key,))
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

expected = [{'code': 13006, 'message': <function <lambda> at 0x7fcef426c758>,
'name': 'DNSServerValidationWarning', 'type': 'warning'}]
got = [{'code': 13021, 'message': "Forwarding policy conflicts with some
automatic empty zones. Queries for zones specified ...': The DNS operation
timed out after 10.0008428097 seconds.", 'name': 'DNSServerValidationWarning',
'type': 'warning'}]
doc = '0087: dnsconfig_mod: Update global DNS settings', stack = ('messages',)

     def assert_deepequal(expected, got, doc='', stack=tuple()):
         """
         Recursively check for type and equality.

         If a value in expected is callable then it will used as a callback to
         test for equality on the got value. The callback is passed the got
         value and returns True if equal, False otherwise.

         If the tests fails, it will raise an ``AssertionError`` with detailed
         information, including the path to the offending value.  For example:

         >>> expected = [u'Hello', dict(world=u'how are you?')]
         >>> got = [u'Hello', dict(world='how are you?')]
         >>> expected == got
         True
         >>> assert_deepequal(expected, got, doc='Testing my nested data')
         Traceback (most recent call last):
           ...
         AssertionError: assert_deepequal: type(expected) is not type(got).
           Testing my nested data
           type(expected) = <type 'unicode'>
           type(got) = <type 'str'>
           expected = u'how are you?'
           got = 'how are you?'
           path = (0, 'world')

         Note that lists and tuples are considered equivalent, and the order of
         their elements does not matter.
         """
         if isinstance(expected, tuple):
             expected = list(expected)
         if isinstance(got, tuple):
             got = list(got)
         if isinstance(expected, DN):
             if isinstance(got, six.string_types):
                 got = DN(got)
         if not (isinstance(expected, Fuzzy) or callable(expected) or
type(expected) is type(got)):
             raise AssertionError(
                 TYPE % (doc, type(expected), type(got), expected, got, stack)
             )
         if isinstance(expected, (list, tuple)):
             if len(expected) != len(got):
                 raise AssertionError(
                   LEN % (doc, len(expected), len(got), expected, got, stack)
                 )
E               AssertionError: assert_deepequal: list length mismatch.
E                 0087: dnsconfig_mod: Update global DNS settings
E                 len(expected) = 1
E                 len(got) = 2
E                 expected = [{u'message': <function <lambda> at
0x7fcef426c758>, u'code': 13006, u'type': u'warning', u'name':
u'DNSServerValidationWarning'}]
E                 got = [{u'message': u"Forwarding policy conflicts with some
automatic empty zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers. To override
this behavior use forward policy 'only'.", u'code': 13021, u'type':
u'warning', u'name': u'DNSForwardPolicyConflictWithEmptyZone'}, {u'message':
u"DNS server 172.16.31.80: query '. SOA': The DNS operation timed out after
10.0008428097 seconds.", u'code': 13006, u'type': u'warning', u'name':
u'DNSServerValidationWarning'}]
E                 path = (u'messages',)

util.py:332: AssertionError
Fixed patch is attached. It depends on newest patches 113-132.

ACK

master:
* da71e7e9de233bc0e40a90adb2db6d0944a1356a DNS: Warn if forwarding policy conflicts with automatic empty zones

ipa-4-3:
* 8cbecdbc8dc022005beec3a9fe19aabd91041bbf DNS: Warn if forwarding policy conflicts with automatic empty zones

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to