Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 16.9.2014 10:36, Martin Kosek wrote: On 09/16/2014 10:30 AM, Martin Basti wrote: On 16/09/14 10:29, Petr Spacek wrote: On 16.9.2014 10:09, Martin Kosek wrote: On 09/16/2014 09:57 AM, Martin Basti wrote: On 16/09/14 09:32, Martin Basti wrote: On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the named service is stopped after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel It will broke tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. 
Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for "Administrator e-mail address"? # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare do that with default values Then let us do this, as we are already simplifying the dnszone-add command. 
However, this will not work with root zone ".", and I'm not sure how often an admin email is used. I think whois is better utility to get contact email. Also RIPE-203 [1] recommends to use 'hostmaster' alias. [1] http://www.ripe.net/ripe/docs/ripe-203 This will likely generate tons of invalid e-mail addresses which is somehow unfortunate. Please keep in mind that: 1) E-mail hostmaster@ipa.domain.example. will be useful only if ipa.domain.example. has MX record or at least A/ record (which is usually not the case for domains). 2) WHOIS is not useful for internal domains which is the main deployment scenario for IPA, right? DNS zone "." is quite an exception, you are not adding that zone every day. So I would not keep asking for admin mail just for this one. You can add a interactive prompt callback to ask in this case and otherwise just use the default - up to you. As for the mail alias, th
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 09/16/2014 10:30 AM, Martin Basti wrote: > On 16/09/14 10:29, Petr Spacek wrote: >> On 16.9.2014 10:09, Martin Kosek wrote: >>> On 09/16/2014 09:57 AM, Martin Basti wrote: On 16/09/14 09:32, Martin Basti wrote: > On 15/09/14 20:31, Martin Kosek wrote: >> On 09/15/2014 05:16 PM, Martin Basti wrote: >>> On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: > On 03/09/14 12:45, Martin Basti wrote: >> On 03/09/14 12:27, Martin Kosek wrote: >>> On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: > Patches attached. > > Ticket: https://fedorahosted.org/freeipa/ticket/4149 > > There is a bug in bind-dyndb-ldap (or worse in dirsrv), which > cause the > named > service is stopped after deleting zone. > Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. >>> Is it safe to commit the change given that bind-dyndb-ldap still >>> crash >>> when >>> "." >>> is removed? Wouldn't it break our CI tests? >>> >>> Maybe we should wait until fixed bind-dydnb-ldap is released. >>> Hopefully it >>> would be soon. >>> >>> Martin >>> >>> ___ >>> Freeipa-devel mailing list >>> Freeipa-devel@redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> It will broke tests, don't push it until bind-dyndb-ldap is fixed. >> Currently I'm testing bind-dyndb-ldap related patch. >> > Added patches 120 and 121, which are required by DNS to work > correctly. > Patches 120 and 121 add all DNS replicas to zone apex as NS, > --name-server > option doesn't add NS record, only changes the SOA MNAME attribute > > Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. 
To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found >>> NACKing NACK >>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). >>> you switched order zone and record, it should be >>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). >>> >> >> BTW, since we are so nicely breaking the dnszone-add interface, can we >> also >> get rid of always asking for "Administrator e-mail address"? >> # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: >> ... >> >> Is there any risk in filling that with default as any other attribute? >> IMO >> it would simplify adding zones for one more redundant step. CCing Rob in >> case he knows some historical reasons why this is requested every time. >> >> Martin > There is no r
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 16/09/14 10:29, Petr Spacek wrote: On 16.9.2014 10:09, Martin Kosek wrote: On 09/16/2014 09:57 AM, Martin Basti wrote: On 16/09/14 09:32, Martin Basti wrote: On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the named service is stopped after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel It will broke tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. 
SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for "Administrator e-mail address"? # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare do that with default values Then let us do this, as we are already simplifying the dnszone-add command. However, this will not work with root zone ".", and I'm not sure how often an admin email is used. I think whois is better utility to get contact email. 
Also RIPE-203 [1] recommends to use 'hostmaster' alias. [1] http://www.ripe.net/ripe/docs/ripe-203 This will likely generate tons of invalid e-mail addresses which is somehow unfortunate. Please keep in mind that: 1) E-mail hostmaster@ipa.domain.example. will be useful only if ipa.domain.example. has MX record or at least A/ record (which is usually not the case for domains). 2) WHOIS is not useful for internal domains which is the main deployment scenario for IPA, right? DNS zone "." is quite an exception, you are not adding that zone every day. So I would not keep asking for admin mail just for this one. You can add a interactive prompt callback to ask in this case and otherwise just use the default - up to you. As for the mail alias, this can be an RFE. It would be nice to have some IPA-global default like 'DN
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 16.9.2014 10:09, Martin Kosek wrote: On 09/16/2014 09:57 AM, Martin Basti wrote: On 16/09/14 09:32, Martin Basti wrote: On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the named service is stopped after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel It will broke tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. 
SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for "Administrator e-mail address"? # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare do that with default values Then let us do this, as we are already simplifying the dnszone-add command. However, this will not work with root zone ".", and I'm not sure how often an admin email is used. I think whois is better utility to get contact email. 
Also RIPE-203 [1] recommends to use 'hostmaster' alias. [1] http://www.ripe.net/ripe/docs/ripe-203 This will likely generate tons of invalid e-mail addresses which is somehow unfortunate. Please keep in mind that: 1) E-mail hostmaster@ipa.domain.example. will be useful only if ipa.domain.example. has MX record or at least A/ record (which is usually not the case for domains). 2) WHOIS is not useful for internal domains which is the main deployment scenario for IPA, right? DNS zone "." is quite an exception, you are not adding that zone every day. So I would not keep asking for admin mail just for this one. You can add a interactive prompt callback to ask in this case and otherwise just use the default - up to you. As for the mail alias, this can be an RFE. It would be nice to have some IPA-global default like 'DNS administrator e-mail address' and to use this value for all DNS zones
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 09/16/2014 09:57 AM, Martin Basti wrote: > On 16/09/14 09:32, Martin Basti wrote: >> On 15/09/14 20:31, Martin Kosek wrote: >>> On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: > On 12.9.2014 15:19, Martin Basti wrote: >> On 03/09/14 12:45, Martin Basti wrote: >>> On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: > On 25.8.2014 14:52, Martin Basti wrote: >> Patches attached. >> >> Ticket: https://fedorahosted.org/freeipa/ticket/4149 >> >> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause >> the >> named >> service is stopped after deleting zone. >> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 > Functional ACK, it works for me. It can be pushed if Python gurus are > okay > with > the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel >>> It will broke tests, don't push it until bind-dyndb-ldap is fixed. >>> Currently I'm testing bind-dyndb-ldap related patch. >>> >> Added patches 120 and 121, which are required by DNS to work correctly. >> Patches 120 and 121 add all DNS replicas to zone apex as NS, >> --name-server >> option doesn't add NS record, only changes the SOA MNAME attribute >> >> Original and new patches attached. > > NACK, unfortunately it doesn't work for me: > # ipa dnszone-add tri.test. --name-server=ns.test. > Administrator e-mail address [hostmaster.tri.test.]: > ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME > record. > To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ > --ns-rec=nameserver'. > Zone name: tri.test. > Active zone: TRUE > Authoritative nameserver: ns.test. 
> Administrator e-mail address: hostmaster.tri.test. > SOA serial: 1410793406 > SOA refresh: 3600 > SOA retry: 900 > SOA expire: 1209600 > SOA minimum: 3600 > BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE > krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; > Dynamic update: FALSE > Allow query: any; > Allow transfer: none; > > [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw > dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example > idnsname: tri.test. > idnszoneactive: TRUE > idnssoamname: ns.test. > idnssoarname: hostmaster.tri.test. > idnssoaserial: 1410793408 > idnssoarefresh: 3600 > idnssoaretry: 900 > idnssoaexpire: 1209600 > idnssoaminimum: 3600 > idnsallowquery: any; > idnsallowtransfer: none; > idnsAllowDynUpdate: FALSE > idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE > krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; > nsrecord: vm-035.idm.lab.eng.brq.redhat.com. > objectClass: idnszone > objectClass: top > objectClass: idnsrecord > > [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). > ipa: ERROR: tri.test.: DNS resource record not found > NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). >>> >>> BTW, since we are so nicely breaking the dnszone-add interface, can we also >>> get rid of always asking for "Administrator e-mail address"? >>> >>> >> # ipa dnszone-add tri.test. --name-server=ns.test. >>> >> Administrator e-mail address [hostmaster.tri.test.]: >>> ... >>> >>> Is there any risk in filling that with default as any other attribute? IMO >>> it would simplify adding zones for one more redundant step. CCing Rob in >>> case he knows some historical reasons why this is requested every time. >>> >>> Martin >> There is no risk, because ipa-replica-prepare do that with default values Then let us do this, as we are already simplifying the dnszone-add command. 
> However, this will not work with root zone ".", and I'm not sure how often an > admin email is used. I think whois is better utility to get contact email. > > Also RIPE-203 [1] recommends to use 'hostmaster' alias. > > [1] http://www.ripe.net/ripe/docs/ripe-203 DNS zone "." is quite an exception, you are not adding that zone every day. So I would not keep asking for admin mail just for this one. You can add a
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 16/09/14 09:32, Martin Basti wrote: On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the named service is stopped after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel It will broke tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. 
SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for "Administrator e-mail address"? >> # ipa dnszone-add tri.test. --name-server=ns.test. >> Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare do that with default values However, this will not work with root zone ".", and I'm not sure how often an admin email is used. I think whois is better utility to get contact email. Also RIPE-203 [1] recommends to use 'hostmaster' alias. 
[1] http://www.ripe.net/ripe/docs/ripe-203 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
On 15/09/14 20:31, Martin Kosek wrote: On 09/15/2014 05:16 PM, Martin Basti wrote: On 15/09/14 17:10, Petr Spacek wrote: On 12.9.2014 15:19, Martin Basti wrote: On 03/09/14 12:45, Martin Basti wrote: On 03/09/14 12:27, Martin Kosek wrote: On 09/02/2014 05:46 PM, Petr Spacek wrote: On 25.8.2014 14:52, Martin Basti wrote: Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4149 There is a bug in bind-dyndb-ldap (or worse in dirsrv), which cause the named service is stopped after deleting zone. Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138 Functional ACK, it works for me. It can be pushed if Python gurus are okay with the code. Is it safe to commit the change given that bind-dyndb-ldap still crash when "." is removed? Wouldn't it break our CI tests? Maybe we should wait until fixed bind-dydnb-ldap is released. Hopefully it would be soon. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel It will broke tests, don't push it until bind-dyndb-ldap is fixed. Currently I'm testing bind-dyndb-ldap related patch. Added patches 120 and 121, which are required by DNS to work correctly. Patches 120 and 121 add all DNS replicas to zone apex as NS, --name-server option doesn't add NS record, only changes the SOA MNAME attribute Original and new patches attached. NACK, unfortunately it doesn't work for me: # ipa dnszone-add tri.test. --name-server=ns.test. Administrator e-mail address [hostmaster.tri.test.]: ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME record. To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @ --ns-rec=nameserver'. Zone name: tri.test. Active zone: TRUE Authoritative nameserver: ns.test. Administrator e-mail address: hostmaster.tri.test. 
SOA serial: 1410793406 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example idnsname: tri.test. idnszoneactive: TRUE idnssoamname: ns.test. idnssoarname: hostmaster.tri.test. idnssoaserial: 1410793408 idnssoarefresh: 3600 idnssoaretry: 900 idnssoaexpire: 1209600 idnssoaminimum: 3600 idnsallowquery: any; idnsallowtransfer: none; idnsAllowDynUpdate: FALSE idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP; nsrecord: vm-035.idm.lab.eng.brq.redhat.com. objectClass: idnszone objectClass: top objectClass: idnsrecord [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). ipa: ERROR: tri.test.: DNS resource record not found NACKing NACK ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname). you switched order zone and record, it should be ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname). BTW, since we are so nicely breaking the dnszone-add interface, can we also get rid of always asking for "Administrator e-mail address"? >> # ipa dnszone-add tri.test. --name-server=ns.test. >> Administrator e-mail address [hostmaster.tri.test.]: ... Is there any risk in filling that with default as any other attribute? IMO it would simplify adding zones for one more redundant step. CCing Rob in case he knows some historical reasons why this is requested every time. Martin There is no risk, because ipa-replica-prepare do that with default values -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'
Original and new patches attached.

-- 
Martin Basti

From 9ed12420bf52a2d2dab1f8cc4f1f6b1b5f86a801 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 22 Aug 2014 17:11:22 +0200 Subject: [PATCH 1/2] Fix DNS plugin to allow to add root zone Ticket: https://fedorahosted.org/freeipa/ticket/4149 --- ipalib/plugins/dns.py | 53 ++- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 24b303d8405aa3b4a6e0474e75d0e46e6949860d..9c8d09856a57f12b0ff1a52c8f0277f7abb29cdd 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py 
@@ -1783,17 +1783,21 @@ class DNSZoneBase(LDAPObject): zone = keys[-1] assert isinstance(zone, DNSName) assert zone.is_absolute() -zone = zone.ToASCII() +zone_a = zone.ToASCII() + +# special case when zone is the root zone ('.') +if zone == DNSName.root: +return super(DNSZoneBase, self).get_dn(zone_a, **options) # try first relative name, a new zone has to be added as absolute # otherwise ObjectViolation is raised -zone = zone[:-1] -dn = super(DNSZoneBase, self).get_dn(zone, **options) +zone_a = zone_a[:-1] +dn = super(DNSZoneBase, self).get_dn(zone_a, **options) try: self.backend.get_entry(dn, ['']) except errors.NotFound: -zone = u"%s." % zone -dn = super(DNSZoneBase, self).get_dn(zone, **options) +zone_a = u"%s." % zone_a +dn = super(DNSZoneBase, self).get_dn(zone_a, **options) return dn @@ -1825,6 +1829,8 @@ class DNSZoneBase(LDAPObject): try: api.Command['permission_del'](permission_name, force=True) except errors.NotFound, e: +if zone == DNSName.root: # special case root zone +raise # compatibility, older IPA versions which allows to create zone # without absolute zone name permission_name_rel = self.permission_name( 
@@ -1988,20 +1994,21 @@ class DNSZoneBase_add_permission(LDAPQuery): permission_name = self.obj.permission_name(keys[-1]) # compatibility with older IPA versions which allows relative zonenames -permission_name_rel = self.obj.permission_name( -keys[-1].relativize(DNSName.root) -) -try: -api.Object['permission'].get_dn_if_exists(permission_name_rel) -except errors.NotFound: -pass -else: -# permission exists without absolute domain name -raise errors.DuplicateEntry( -message=_('permission "%(value)s" already exists') % { -'value': permission_name -} +if keys[-1] != DNSName.root: # special case root zone +permission_name_rel = self.obj.permission_name( +keys[-1].relativize(DNSName.root) ) +try: +api.Object['permission'].get_dn_if_exists(permission_name_rel) +except errors.NotFound: +pass +else: +# permission exists without absolute domain name +raise errors.DuplicateEntry( +message=_('permission "%(value)s" already exists') % { +'value': permission_name +} +) permission = api.Command['permission_add_noaci'](permission_name, ipapermissiontype=u'SYSTEM' @@ -2417,12 +2424,14 @@ class dnszone_add(DNSZoneBase_add): nameserver_ip_address) # Add entry to realmdom
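Review bot: in the get_dn hunk (@@ -1783), the early `return` for `DNSName.root` should carry a comment saying why it is needed rather than only that it is a special case: for '.' the following `zone_a = zone_a[:-1]` would produce an empty string, and the relative-name probe would build a DN with an empty idnsname RDN. The rename to `zone_a` is also load-bearing, since it keeps `zone` a `DNSName` so that `zone == DNSName.root` compares DNSName objects rather than text; worth one line in the comment so the next edit does not fold the two variables back together.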
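Review bot: the `if zone == DNSName.root: raise` added in the `except errors.NotFound` branch of the @@ -1825 hunk relies on `zone` being a `DNSName` at that point, and the hunk's context lines do not show where it is bound; if it holds the ASCII text form, the comparison is never true and the root zone falls through to the relative-name permission lookup the guard is meant to skip. Please confirm the type, and replace the bare `# special case root zone` comment with the reason (the root zone has no relative form, so no legacy permission named without the trailing dot can exist).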
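Review bot: wrapping the compatibility block in `if keys[-1] != DNSName.root:` in the @@ -1988 hunk is correct, since `keys[-1].relativize(DNSName.root)` for the root zone would yield an empty name, but it re-indents twelve lines only to add a guard; an early skip for the root zone, or a small helper shared with the delete path in the previous hunk, would keep the root-zone exception in one place. While these lines are being touched, note that the `DuplicateEntry` message reports `permission_name` (the absolute form) although the entry found by `get_dn_if_exists` is `permission_name_rel`; the message should name the entry that actually exists.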