Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-11 Thread Petr Vobornik

On 06/10/2015 03:25 PM, Martin Basti wrote:

On 04/06/15 17:28, Petr Spacek wrote:

On 3.6.2015 17:14, Martin Basti wrote:

On 03/06/15 14:57, Petr Spacek wrote:

On 18.5.2015 13:48, Martin Basti wrote:

On 15/05/15 18:11, Petr Spacek wrote:

On 7.5.2015 18:12, Martin Basti wrote:

On 07/05/15 12:19, Petr Spacek wrote:

On 7.5.2015 08:59, David Kupka wrote:

On 05/06/2015 03:20 PM, Martin Basti wrote:

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.

Hi,
thanks for patches.

1. You changed message in DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py

nitpick. Please spell 'edns' correctly. I've seen several instances
of 'ends'.

Thank you,

updated patches attached:
* new error messages
* logging to debug log server output if exception was raised
* fixed test
* fixed spelling

Fixed tests (again)

Updated patches attached

The code looks good to me and tests are no longer broken. (I would prefer
a better fix of the tests but given that the priorities are different now
it can wait.)

Petr, can you please confirm that the patch set works for you?

Sorry, NACK:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: an internal error has occurred

# /var/log/httpd/error_log
ipa: ERROR: non-public: AssertionError:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line , in execute
    **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4405, in _warning_if_forwarders_do_not_work
    log=self.log)
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 715, in validate_dnssec_zone_forwarder_step2
    timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 610, in _resolve_record
    assert isinstance(nameserver_ip, basestring)
AssertionError
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False, version=u'2.116'): AssertionError

This is constantly reproducible in my vm-090.abc. Let me know if you
want to take a look.

I'm attaching little response.patch which improves compatibility with older
python-dns packages. This patch allows IPA to work while error messages are
simply not as nice as they could be with latest python-dns :-)

check_fwd_msg.patch is a little nitpick, just to make sure everyone
understands the message.

BTW why some messages in check_forwarders() are printed using 'print' and
others using logger? I would prefer to use logger for everything to make
sure that logs contain all the information, including warnings.

Thank you for your time!

Thank you, fixed.

I added a missing except block after forwarders validation step2.

I confirm that this works but I just discovered another deficiency.

Setup:
- DNSSEC validation is enabled on IPA server
- forwarders use a fake TLD, e.g. 'test.'
- remote DNS server is responding, supports EDNS0 and so on

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
name does not exist: ptr.test..

Huh? Let's check named log:
  forward zone 'ptr.test': loaded
  validating ./SOA: got insecure response; parent indicates it should be secure

Sometimes I get SERVFAIL from IPA server, too.

Unfortunately this check was the main reason for writing this patchset so we
need to improve it.

Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
print the DNSSEC-validation-failed error, too? The problem is that it could
trigger some false positives because NXDOMAIN may simply be caused by a delay
somewhere.

Any ideas?

I added a catch block for NXDOMAIN.

By the way, this is also weird:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS forward zone with name ptr.test. already exists

Is it actually doing the check even if the forward zone exists already? (This
is just a nitpick, not a blocker!)

The first part is written by the IPA client; it is not a response from the
server. It is just written when the user uses the --forwarder option.

Updated patch attached.

NACK, it does not work for me - it explodes when I try to add a forward zone:

$ ipa 
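The disambiguation Petr asks about above (a genuine or delayed NXDOMAIN versus a DNSSEC validation failure hidden behind NXDOMAIN/SERVFAIL), as an added example that is not part of the patch set or of FreeIPA's own code: it compares the validating resolver's answer with the same question sent with the CD (checking disabled) flag, and retries a persistent NXDOMAIN before reporting it. The `query` callable, the string rcode constants and `scripted_query` are assumptions of this example; in a real check `query` would wrap a dnspython query with `dns.flags.CD` set, sent to the local validating resolver.

```python
import time

# Response codes as plain strings so this runs without dnspython installed.
NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT = "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"

# Possible outcomes of one forward-zone check.
FORWARDER_OK = "forwarder works; answer validated (AD flag set)"
FORWARDER_OK_INSECURE = "forwarder works; zone is not signed (no AD flag)"
DNSSEC_FAILED = "DNSSEC validation of the forwarder's answer failed"
ZONE_MISSING = "zone does not exist on the forwarder (NXDOMAIN persists)"
FORWARDER_BROKEN = "forwarder returns SERVFAIL even with checking disabled"
NOT_RESPONDING = "no answer from the resolver/forwarder (timeout)"


def check_forwarder_zone(query, zone, attempts=3, delay=1.0, sleep=time.sleep):
    """Classify what the validating IPA resolver says about a forward zone.

    `query(name, rdtype, cd)` is an assumed callable (hypothetical, not the
    ipalib.util API) returning (rcode, ad): rcode is one of the string codes
    above, ad is the AD (authenticated data) flag of the reply.  With cd=True
    the query carries the CD flag, so a validating resolver hands back the
    forwarder's data without validating it; comparing the CD=0 and CD=1
    answers separates "validation failed" from "name really does not exist".
    """
    for attempt in range(1, attempts + 1):
        rcode, ad = query(zone, "SOA", False)      # normal validating query
        if rcode == NOERROR:
            return FORWARDER_OK if ad else FORWARDER_OK_INSECURE
        if rcode == TIMEOUT:
            return NOT_RESPONDING

        # NXDOMAIN or SERVFAIL on the validating path: ask again with CD=1
        # to see whether the data exists once validation is bypassed.
        cd_rcode, _ = query(zone, "SOA", True)
        if cd_rcode == NOERROR:
            # Present unvalidated, missing validated: the "got insecure
            # response; parent indicates it should be secure" case from the
            # named log, which the client otherwise sees as NXDOMAIN/SERVFAIL.
            return DNSSEC_FAILED
        if cd_rcode == TIMEOUT:
            return NOT_RESPONDING
        if cd_rcode == SERVFAIL:
            return FORWARDER_BROKEN

        # NXDOMAIN even with CD=1: may be genuine, or just a delay (zone
        # not loaded yet); retry a few times before concluding.
        if attempt < attempts:
            sleep(delay)
    return ZONE_MISSING


def scripted_query(replies):
    """Constructed test double: hands out (rcode, ad) replies in order and
    records each question asked, so the logic can be exercised offline."""
    pending = list(replies)
    asked = []

    def query(name, rdtype, cd):
        asked.append((name, rdtype, cd))
        if not pending:
            raise AssertionError("script exhausted for %s" % name)
        return pending.pop(0)

    query.asked = asked
    return query


if __name__ == "__main__":
    # The situation from the thread: the validating query says NXDOMAIN, the
    # same question with CD=1 answers fine, so report a DNSSEC failure rather
    # than "The DNS query name does not exist".
    q = scripted_query([(NXDOMAIN, False), (NOERROR, False)])
    print("ptr.test.:", check_forwarder_zone(q, "ptr.test.", sleep=lambda s: None))
```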

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-11 Thread Petr Vobornik

On 06/11/2015 03:18 PM, Martin Basti wrote:


Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-11 Thread Martin Basti



Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-04 Thread Petr Spacek

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-03 Thread Petr Spacek
NACK, it does not work for me - it explodes when I try to add a forward zone:

$ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1

ipa: ERROR: non-public: TypeError: 

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-06-03 Thread Martin Basti


NACK, it does not work for me - it explodes when I try to add a forward zone:

$ ipa dnsforwardzone-add ptr.test. --forwarder=192.0.2.1

ipa: ERROR: non-public: TypeError: _warning_if_forwarders_do_not_work() got
multiple values for 

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-18 Thread Martin Basti

On 15/05/15 18:11, Petr Spacek wrote:

On 7.5.2015 18:12, Martin Basti wrote:

On 07/05/15 12:19, Petr Spacek wrote:

On 7.5.2015 08:59, David Kupka wrote:

On 05/06/2015 03:20 PM, Martin Basti wrote:

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for patches.

1. You changed message in DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py

nitpick. Please spell 'edns' correctly. I've seen several instances
of 'ends'.


Thank you,

updated patches attached:
* new error messages
* logging to debug log server output if exception was raised
* fixed test
* fixed spelling




Fixed tests (again)

Updated patches attached


The code looks good to me and tests are no longer broken. (I would prefer
better fix of the tests but given that the priorities are different now it can
wait.)

Petr, can you please confirm that the patch set works for you?

Sorry, NACK:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: an internal error has occurred

# /var/log/httpd/error_log
ipa: ERROR: non-public: AssertionError:
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 350, in
wsgi_execute
  result = self.Command[name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
__call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run
  return self.execute(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line , in
execute
  **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 4405, in
_warning_if_forwarders_do_not_work
  log=self.log)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 715, in
validate_dnssec_zone_forwarder_step2
  timeout=timeout)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 610, in
_resolve_record
  assert isinstance(nameserver_ip, basestring)
AssertionError
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS
name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
version=u'2.116'): AssertionError

This is constantly reproducible in my vm-090.abc. Let me know if you want to
take a look.


I'm attaching a little response.patch which improves compatibility with older
python-dns packages. This patch allows IPA to work while error messages are
simply not as nice as they could be with latest python-dns :-)

check_fwd_msg.patch is a little nitpick, just to make sure everyone
understands the message.

BTW, why are some messages in check_forwarders() printed using 'print' and
others using the logger? I would prefer to use the logger for everything to make
sure that logs contain all the information, including warnings.

Thank you for your time!


Thank you, fixed.

I added a missing except block after forwarders validation step2.

I confirm that this works but I just discovered another deficiency.

Setup:
- DNSSEC validation is enabled on IPA server
- forwarders use a fake TLD, e.g. 'test.'
- remote DNS server is responding, supports EDNS0 and so on

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
name does not exist: ptr.test..

Huh? Let's check named log:
  forward zone 'ptr.test': loaded
  validating ./SOA: got insecure response; parent indicates it should be secure

Sometimes I get SERVFAIL from IPA server, too.


Unfortunately this check was the main reason for writing this patchset so we
need to improve it.

Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
print the DNSSEC-validation-failed error, too? The problem is that it could
trigger some false positives because NXDOMAIN may simply be caused by a delay
somewhere.

Any ideas?

I added a catch block for NXDOMAIN.


By the way, this is also weird:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS forward zone with name ptr.test. already exists

Is it actually doing the check even if the forward zone exists already? (This
is just a nitpick, not a blocker!)


The first part is written by the IPA client; it is not a response from the server.
It is just written when the user uses the --forwarder option.

Updated patch attached.

--
Martin Basti

From 8b14534382cdb95782483c669e6c6cc4057636d8 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 22 Apr 2015 15:29:21 +0200
Subject: [PATCH 1/2] DNSSEC: Improve global forwarders validation

Validation now provides more detailed information and fewer false
positive failures.


Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-15 Thread Petr Spacek
On 7.5.2015 18:12, Martin Basti wrote:
 On 07/05/15 12:19, Petr Spacek wrote:
 On 7.5.2015 08:59, David Kupka wrote:
 On 05/06/2015 03:20 PM, Martin Basti wrote:
 On 05/05/15 15:00, Martin Basti wrote:
 On 30/04/15 15:37, David Kupka wrote:
 On 04/24/2015 02:56 PM, Martin Basti wrote:
 Patches attached.




 Hi,
 thanks for the patches.

 1. You changed the message in the DNSServerNotRespondingWarning class but not
 the test in ipatest/test_xmlrpc/test_dns_plugin.py

 Nitpick: please spell 'edns' correctly. I've seen several instances
 of 'ends'.

 Thank you,

 updated patches attached:
 * new error messages
 * logging server output to the debug log if an exception was raised
 * fixed test
 * fixed spelling



 Fixed tests (again)

 Updated patches attached

 The code looks good to me and tests are no longer broken. (I would prefer
 a better fix of the tests but given that the priorities are different now it
 can wait.)

 Petr, can you please confirm that the patch set works for you?
 Sorry, NACK:

 $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
 Server will check DNS forwarder(s).
 This may take some time, please wait ...
 ipa: ERROR: an internal error has occurred

 # /var/log/httpd/error_log
 ipa: ERROR: non-public: AssertionError:
 Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 350, 
 in
 wsgi_execute
  result = self.Command[name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
 __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in 
 run
  return self.execute(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line , 
 in
 execute
  **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 4405, 
 in
 _warning_if_forwarders_do_not_work
  log=self.log)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 715, in
 validate_dnssec_zone_forwarder_step2
  timeout=timeout)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 610, in
 _resolve_record
  assert isinstance(nameserver_ip, basestring)
 AssertionError
 ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS
 name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
 version=u'2.116'): AssertionError

 This is constantly reproducible in my vm-090.abc. Let me know if you want to
 take a look.


 I'm attaching a little response.patch which improves compatibility with older
 python-dns packages. This patch allows IPA to work while error messages are
 simply not as nice as they could be with latest python-dns :-)

 check_fwd_msg.patch is a little nitpick, just to make sure everyone
 understands the message.

 BTW, why are some messages in check_forwarders() printed using 'print' and
 others using the logger? I would prefer to use the logger for everything to make
 sure that logs contain all the information, including warnings.

 Thank you for your time!

 Thank you, fixed.
 
 I added a missing except block after forwarders validation step2.

I confirm that this works but I just discovered another deficiency.

Setup:
- DNSSEC validation is enabled on IPA server
- forwarders use a fake TLD, e.g. 'test.'
- remote DNS server is responding, supports EDNS0 and so on

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
name does not exist: ptr.test..

Huh? Let's check named log:
 forward zone 'ptr.test': loaded
 validating ./SOA: got insecure response; parent indicates it should be secure

Sometimes I get SERVFAIL from IPA server, too.


Unfortunately this check was the main reason for writing this patchset so we
need to improve it.

Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
print the DNSSEC-validation-failed error, too? The problem is that it could
trigger some false positives because NXDOMAIN may simply be caused by a delay
somewhere.

Any ideas?


By the way, this is also weird:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS forward zone with name ptr.test. already exists

Is it actually doing the check even if the forward zone exists already? (This
is just a nitpick, not a blocker!)

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
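A self-contained model of the forwarder checks discussed in this thread, added here as an example rather than code from the FreeIPA patches: the exception and errno names follow the patch, the ForwarderReply record is an assumed stand-in for what python-dns reports, and the NXDOMAIN hint implements Petr's suggestion above (with its false-positive caveat) as an assumption.

```python
# Added example, not part of the FreeIPA patches: an offline model of the
# forwarder validation and warning rendering discussed in this thread.
from dataclasses import dataclass
from typing import Optional, Tuple


class EDNS0UnsupportedError(Exception):
    """Forwarder answered without an OPT record (no EDNS0, RFC 6891)."""


class DNSSECSignatureMissingError(Exception):
    """Forwarder answered but returned no RRSIG for a signed name."""


class UnresolvableRecordError(Exception):
    """Forwarder produced no usable answer (timeout, NXDOMAIN, SERVFAIL)."""


@dataclass
class ForwarderReply:
    """Constructed stand-in for what the resolver library reports (assumption)."""
    rcode: Optional[str]   # 'NOERROR', 'NXDOMAIN', 'SERVFAIL'; None = timeout
    edns0: bool            # responder echoed an OPT record
    has_rrsig: bool        # RRSIG records present in the answer
    error: str = ""        # library error text, e.g. 'The DNS query name does not exist: ptr.test.'


# errno -> format, mirroring the PublicMessage classes from the patch.
WARNING_FORMATS = {
    13006: "DNS server %(server)s: %(error)s.",
    13007: "DNS server %(server)s does not support DNSSEC: %(error)s.\n"
           "If DNSSEC validation is enabled on IPA server(s), please disable it.",
    13009: "DNS server %(server)s does not support EDNS0 (RFC 6891): %(error)s.\n"
           "If DNSSEC validation is enabled on IPA server(s), please disable it.",
}

# Assumed wording for the NXDOMAIN special case proposed in the thread.
NXDOMAIN_HINT = ("NXDOMAIN; if the zone is under a fake TLD, this may also be a "
                 "DNSSEC validation failure on the IPA server")


def validate_forwarder(reply: ForwarderReply, qname: str) -> None:
    """Raise the exception class the plugin maps to a warning; return on success."""
    if reply.rcode is None:
        raise UnresolvableRecordError("timeout while querying '%s SOA'" % qname)
    if not reply.edns0:
        raise EDNS0UnsupportedError(reply.error or "no OPT record in response")
    if reply.rcode == "NXDOMAIN":
        # Special-case NXDOMAIN and mention DNSSEC too, accepting that a slow
        # forwarder can turn this into a false positive.
        base = reply.error or "NXDOMAIN for '%s'" % qname
        raise UnresolvableRecordError("%s (%s)" % (base, NXDOMAIN_HINT))
    if reply.rcode != "NOERROR":
        raise UnresolvableRecordError(reply.error or reply.rcode)
    if not reply.has_rrsig:
        raise DNSSECSignatureMissingError("no RRSIG in answer for '%s'" % qname)


def warning_for(server: str, exc: Exception) -> Tuple[int, str]:
    """Map an exception to (errno, rendered message), like messages.add_message."""
    errno = {EDNS0UnsupportedError: 13009,
             DNSSECSignatureMissingError: 13007}.get(type(exc), 13006)
    # The formats append '.', so strip one trailing dot from the error text;
    # otherwise an absolute name such as 'ptr.test.' renders as 'ptr.test..'.
    error = str(exc).rstrip(".")
    return errno, WARNING_FORMATS[errno] % {"server": server, "error": error}


def check_forwarder(server: str, reply: ForwarderReply, qname: str = "ptr.test."):
    """Run the check; return None on success or (errno, message) on a warning."""
    try:
        validate_forwarder(reply, qname)
    except (EDNS0UnsupportedError, DNSSECSignatureMissingError,
            UnresolvableRecordError) as exc:
        return warning_for(server, exc)
    return None
```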


Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-07 Thread David Kupka

On 05/06/2015 03:20 PM, Martin Basti wrote:

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for the patches.

1. You changed the message in the DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py

Nitpick: please spell 'edns' correctly. I've seen several instances
of 'ends'.


Thank you,

updated patches attached:
* new error messages
* logging server output to the debug log if an exception was raised
* fixed test
* fixed spelling




Fixed tests (again)

Updated patches attached

The code looks good to me and tests are no longer broken. (I would
prefer a better fix of the tests but given that the priorities are
different now it can wait.)


Petr, can you please confirm that the patch set works for you?

--
David Kupka



Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-07 Thread Petr Spacek
On 7.5.2015 08:59, David Kupka wrote:
 On 05/06/2015 03:20 PM, Martin Basti wrote:
 On 05/05/15 15:00, Martin Basti wrote:
 On 30/04/15 15:37, David Kupka wrote:
 On 04/24/2015 02:56 PM, Martin Basti wrote:
 Patches attached.




 Hi,
 thanks for the patches.

 1. You changed the message in the DNSServerNotRespondingWarning class but not
 the test in ipatest/test_xmlrpc/test_dns_plugin.py

 Nitpick: please spell 'edns' correctly. I've seen several instances
 of 'ends'.

 Thank you,

 updated patches attached:
 * new error messages
 * logging server output to the debug log if an exception was raised
 * fixed test
 * fixed spelling



 Fixed tests (again)

 Updated patches attached

 The code looks good to me and tests are no longer broken. (I would prefer
 a better fix of the tests but given that the priorities are different now it can
 wait.)
 
 Petr, can you please confirm that the patch set works for you?

Sorry, NACK:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: an internal error has occurred

# /var/log/httpd/error_log
ipa: ERROR: non-public: AssertionError:
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 350, in
wsgi_execute
result = self.Command[name](*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
__call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run
return self.execute(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line , in
execute
**options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 4405, in
_warning_if_forwarders_do_not_work
log=self.log)
  File /usr/lib/python2.7/site-packages/ipalib/util.py, line 715, in
validate_dnssec_zone_forwarder_step2
timeout=timeout)
  File /usr/lib/python2.7/site-packages/ipalib/util.py, line 610, in
_resolve_record
assert isinstance(nameserver_ip, basestring)
AssertionError
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS
name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
version=u'2.116'): AssertionError

This is constantly reproducible in my vm-090.abc. Let me know if you want to
take a look.


I'm attaching a little response.patch which improves compatibility with older
python-dns packages. This patch allows IPA to work while error messages are
simply not as nice as they could be with latest python-dns :-)

check_fwd_msg.patch is a little nitpick, just to make sure everyone
understands the message.

BTW, why are some messages in check_forwarders() printed using 'print' and
others using the logger? I would prefer to use the logger for everything to make
sure that logs contain all the information, including warnings.

Thank you for your time!

-- 
Petr^2 Spacek
--- a/ipalib/util.py	2015-05-07 11:33:28.67900 +0200
+++ b/ipalib/util.py	2015-05-07 11:54:54.96000 +0200
@@ -593,7 +593,7 @@
 
 assert isinstance(e, DNSException)
 if log is not None:
-response = e.kwargs.get('response')
+response = getattr(e, 'kwargs', {}).get('response')
 if response:
 log.debug(DNSException: %s; server response: %s, e, response)
 
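Review bot: `getattr(e, 'kwargs', {}).get('response')` guards only a missing attribute, so a python-dns build that defines `kwargs` but leaves it `None` would still fail on `.get`; `(getattr(e, 'kwargs', None) or {}).get('response')` covers both cases, and a one-line comment naming the python-dns version that introduced `DNSException.kwargs` would tell a later reader when this fallback can be removed.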
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 725324c..77ff342 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -464,7 +464,7 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, search
 return ret_reverse_zones
 
 def check_forwarders(dns_forwarders, logger):
-print Checking forwarders, please wait ...
+print Checking DNS forwarders, please wait ...
 forwarders_dnssec_valid = True
 for forwarder in dns_forwarders:
 logger.debug(Checking DNS server: %s, forwarder)
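Review bot: `print Checking DNS forwarders, please wait ...` still goes to stdout only, while the per-forwarder `logger.debug(Checking DNS server: %s, forwarder)` right below goes to the log; as raised in the mail above, emitting this notice through the logger as well (at info level) keeps the installer log complete when the console output is not retained.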

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-07 Thread Martin Basti

On 07/05/15 12:19, Petr Spacek wrote:

On 7.5.2015 08:59, David Kupka wrote:

On 05/06/2015 03:20 PM, Martin Basti wrote:

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for the patches.

1. You changed the message in the DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py

Nitpick: please spell 'edns' correctly. I've seen several instances
of 'ends'.


Thank you,

updated patches attached:
* new error messages
* logging server output to the debug log if an exception was raised
* fixed test
* fixed spelling




Fixed tests (again)

Updated patches attached


The code looks good to me and tests are no longer broken. (I would prefer
a better fix of the tests but given that the priorities are different now it can
wait.)

Petr, can you please confirm that the patch set works for you?

Sorry, NACK:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: an internal error has occurred

# /var/log/httpd/error_log
ipa: ERROR: non-public: AssertionError:
Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 350, in
wsgi_execute
 result = self.Command[name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
__call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run
 return self.execute(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line , in
execute
 **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 4405, in
_warning_if_forwarders_do_not_work
 log=self.log)
   File /usr/lib/python2.7/site-packages/ipalib/util.py, line 715, in
validate_dnssec_zone_forwarder_step2
 timeout=timeout)
   File /usr/lib/python2.7/site-packages/ipalib/util.py, line 610, in
_resolve_record
 assert isinstance(nameserver_ip, basestring)
AssertionError
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS
name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
version=u'2.116'): AssertionError

This is constantly reproducible in my vm-090.abc. Let me know if you want to
take a look.


I'm attaching a little response.patch which improves compatibility with older
python-dns packages. This patch allows IPA to work while error messages are
simply not as nice as they could be with latest python-dns :-)

check_fwd_msg.patch is a little nitpick, just to make sure everyone
understands the message.

BTW, why are some messages in check_forwarders() printed using 'print' and
others using the logger? I would prefer to use the logger for everything to make
sure that logs contain all the information, including warnings.

Thank you for your time!


Thank you, fixed.

I added a missing except block after forwarders validation step2.

Updated patch attached.

--
Martin Basti

From 5dcd3704914a830b6b33837ded1448b0035b3726 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 22 Apr 2015 15:29:21 +0200
Subject: [PATCH 1/2] DNSSEC: Improve global forwarders validation

Validation now provides more detailed information and fewer false
positive failures.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipalib/messages.py  |  23 +-
 ipalib/plugins/dns.py   |  64 +---
 ipalib/util.py  | 130 ++--
 ipaserver/install/bindinstance.py   |  32 +---
 ipatests/test_xmlrpc/test_dns_plugin.py |   5 +-
 5 files changed, 187 insertions(+), 67 deletions(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index b44beca729f5483a7241e4c98a9f724ed663e70f..236b683b30692d88e5257d9189c559dd9f848885 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -179,14 +179,14 @@ class OptionSemanticChangedWarning(PublicMessage):
u%(hint)s)
 
 
-class DNSServerNotRespondingWarning(PublicMessage):
+class DNSServerValidationWarning(PublicMessage):
 
-**13006**  Used when a DNS server is not responding to queries
+**13006**  Used when a DNS server is not to able to resolve query
 
 
 errno = 13006
 type = warning
-format = _(uDNS server %(server)s not responding.)
+format = _(uDNS server %(server)s: %(error)s.)
 
 
 class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
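Review bot: the new `format = _(uDNS server %(server)s: %(error)s.)` appends a literal '.' after the error text, which doubles up whenever the error already ends with a dot, as it does for an absolute DNS name; the warning quoted later in this thread renders as 'ptr.test..'. Strip a trailing dot from `error` before formatting, or drop the literal one.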
@@ -196,10 +196,11 @@ class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
 
 errno = 13007
 type = warning
-format = _(uDNS server %(server)s does not support DNSSEC. 
+format = _(uDNS server %(server)s does not support DNSSEC: %(error)s.\n
uIf DNSSEC validation is enabled on IPA server(s), 
uplease disable it.)
 
+
 class ForwardzoneIsNotEffectiveWarning(PublicMessage):
 
 **13008** 
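Review bot: adding `%(error)s` to the DNSServerDoesNotSupportDNSSECWarning format means every construction of this class must now pass `error=`, otherwise `%` formatting raises KeyError when the message is rendered; the call sites are not in this excerpt (the hunk is cut off after `**13008**`), so please confirm they were updated together with the format.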

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-06 Thread Martin Basti

On 05/05/15 15:00, Martin Basti wrote:

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for the patches.

1. You changed the message in the DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py


Nitpick: please spell 'edns' correctly. I've seen several instances
of 'ends'.



Thank you,

updated patches attached:
* new error messages
* logging server output to the debug log if an exception was raised
* fixed test
* fixed spelling




Fixed tests (again)

Updated patches attached

--
Martin Basti

From acde762eb941e61991f9ec3d8069d723d1021bd8 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 22 Apr 2015 15:29:21 +0200
Subject: [PATCH 1/2] DNSSEC: Improve global forwarders validation

Validation now provides more detailed information and fewer false
positive failures.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipalib/messages.py  |  23 +-
 ipalib/plugins/dns.py   |  64 +---
 ipalib/util.py  | 130 ++--
 ipaserver/install/bindinstance.py   |  30 +---
 ipatests/test_xmlrpc/test_dns_plugin.py |   5 +-
 5 files changed, 186 insertions(+), 66 deletions(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index b44beca729f5483a7241e4c98a9f724ed663e70f..236b683b30692d88e5257d9189c559dd9f848885 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -179,14 +179,14 @@ class OptionSemanticChangedWarning(PublicMessage):
u%(hint)s)
 
 
-class DNSServerNotRespondingWarning(PublicMessage):
+class DNSServerValidationWarning(PublicMessage):
 
-**13006**  Used when a DNS server is not responding to queries
+**13006**  Used when a DNS server is not to able to resolve query
 
 
 errno = 13006
 type = warning
-format = _(uDNS server %(server)s not responding.)
+format = _(uDNS server %(server)s: %(error)s.)
 
 
 class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
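Review bot: the docstring `Used when a DNS server is not to able to resolve query` should read `is not able to resolve a query`. Renaming DNSServerNotRespondingWarning to DNSServerValidationWarning while keeping errno 13006 also changes the text clients see for an existing errno, so every reference to the old name, including the test in ipatests/test_xmlrpc/test_dns_plugin.py noted earlier in the thread, has to follow the rename in the same patch.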
@@ -196,10 +196,11 @@ class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
 
 errno = 13007
 type = warning
-format = _(uDNS server %(server)s does not support DNSSEC. 
+format = _(uDNS server %(server)s does not support DNSSEC: %(error)s.\n
uIf DNSSEC validation is enabled on IPA server(s), 
uplease disable it.)
 
+
 class ForwardzoneIsNotEffectiveWarning(PublicMessage):
 
 **13008** Forwardzone is not effective, forwarding will not work because
@@ -214,6 +215,20 @@ class ForwardzoneIsNotEffectiveWarning(PublicMessage):
u\%(ns_rec)s\ to parent zone \%(authzone)s\.)
 
 
+class DNSServerDoesNotSupportEDNS0Warning(PublicMessage):
+
+**13009** Used when a DNS server does not support EDNS0, required for
+DNSSEC support
+
+
+errno = 13009
+type = warning
+format = _(uDNS server %(server)s does not support EDNS0 (RFC 6891): 
+   u%(error)s.\n
+   uIf DNSSEC validation is enabled on IPA server(s), 
+   uplease disable it.)
+
+
 def iter_messages(variables, base):
 Return a tuple with all subclasses
 
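Review bot: the `\n` inside the new 13009 format (and in the 13007 one above) yields a two-line warning; the CLI prefixes only the first line with `ipa: WARNING:`, as the output quoted in this thread shows, so the second line appears unprefixed and is easy to mistake for unrelated output. A single sentence, with wrapping left to textui, reads more reliably.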
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5b77a918b75fe6c48b465ecd9f02cb6d42..d2dcff9084ddf0a2f91b32812e670eb747392b05 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -43,7 +43,10 @@ from ipalib.util import (normalize_zonemgr,
  get_dns_forward_zone_update_policy,
  get_dns_reverse_zone_update_policy,
  get_reverse_zone_default, REVERSE_DNS_ZONES,
- normalize_zone, validate_dnssec_forwarder)
+ normalize_zone, validate_dnssec_global_forwarder,
+ DNSSECSignatureMissingError, UnresolvableRecordError,
+ EDNS0UnsupportedError)
+
 from ipapython.ipautil import CheckedIPAddress, is_host_resolvable
 from ipapython.dnsutil import DNSName
 
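Review bot: `validate_dnssec_forwarder` is dropped from this import list in favour of `validate_dnssec_global_forwarder`; the diffstat shows ipaserver/install/bindinstance.py changing as well, so check that no other caller of the old name remains, since a stale import of it would only fail when that module is loaded.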
@@ -4262,40 +4265,43 @@ class dnsconfig_mod(LDAPUpdate):
 
 def interactive_prompt_callback(self, kw):
 if kw.get('idnsforwarders', False):
-self.Backend.textui.print_plain(Server will check forwarder(s).)
-self.Backend.textui.print_plain(This may take some time, please wait ...)
+self.Backend.textui.print_plain(
+_(Server will check DNS forwarder(s).))
+self.Backend.textui.print_plain(
+_(This may take some time, please wait ...))
 
 def execute(self, *keys, **options):
 # test dnssec forwarders
-non_dnssec_forwarders = []
-not_responding_forwarders = []
 forwarders = options.get('idnsforwarders')
+
+result = super(dnsconfig_mod, self).execute(*keys, **options)
+self.obj.postprocess_result(result)
+
 if forwarders:
 for forwarder in 
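Review bot: moving `result = super(dnsconfig_mod, self).execute(*keys, **options)` ahead of the forwarder loop means the forwarders are stored before they are checked, so the check can only warn and never reject the configuration; that matches the warning classes, but the `# test dnssec forwarders` comment should say the check is advisory, and since the hunk is cut off at `for forwarder in` the exception handling cannot be reviewed here.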

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-05 Thread Martin Basti

On 30/04/15 15:37, David Kupka wrote:

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for the patches.

1. You changed the message in the DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py


Nitpick: please spell 'edns' correctly. I've seen several instances of
'ends'.



Thank you,

updated patches attached:
* new error messages
* logging server output to the debug log if an exception was raised
* fixed test
* fixed spelling

--
Martin Basti

From 6860bae3ebc026f09f01021b6be02269eb3f8079 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 22 Apr 2015 15:29:21 +0200
Subject: [PATCH 1/2] DNSSEC: Improve global forwarders validation

Validation now provides more detailed information and fewer false
positive failures.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipalib/messages.py  |  23 +-
 ipalib/plugins/dns.py   |  64 +---
 ipalib/util.py  | 130 ++--
 ipaserver/install/bindinstance.py   |  30 +---
 ipatests/test_xmlrpc/test_dns_plugin.py |   5 +-
 5 files changed, 186 insertions(+), 66 deletions(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index b44beca729f5483a7241e4c98a9f724ed663e70f..236b683b30692d88e5257d9189c559dd9f848885 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -179,14 +179,14 @@ class OptionSemanticChangedWarning(PublicMessage):
u%(hint)s)
 
 
-class DNSServerNotRespondingWarning(PublicMessage):
+class DNSServerValidationWarning(PublicMessage):
 
-**13006**  Used when a DNS server is not responding to queries
+**13006**  Used when a DNS server is not to able to resolve query
 
 
 errno = 13006
 type = warning
-format = _(uDNS server %(server)s not responding.)
+format = _(uDNS server %(server)s: %(error)s.)
 
 
 class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
@@ -196,10 +196,11 @@ class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
 
 errno = 13007
 type = warning
-format = _(uDNS server %(server)s does not support DNSSEC. 
+format = _(uDNS server %(server)s does not support DNSSEC: %(error)s.\n
uIf DNSSEC validation is enabled on IPA server(s), 
uplease disable it.)
 
+
 class ForwardzoneIsNotEffectiveWarning(PublicMessage):
 
 **13008** Forwardzone is not effective, forwarding will not work because
@@ -214,6 +215,20 @@ class ForwardzoneIsNotEffectiveWarning(PublicMessage):
u\%(ns_rec)s\ to parent zone \%(authzone)s\.)
 
 
+class DNSServerDoesNotSupportEDNS0Warning(PublicMessage):
+
+**13009** Used when a DNS server does not support EDNS0, required for
+DNSSEC support
+
+
+errno = 13009
+type = warning
+format = _(uDNS server %(server)s does not support EDNS0 (RFC 6891): 
+   u%(error)s.\n
+   uIf DNSSEC validation is enabled on IPA server(s), 
+   uplease disable it.)
+
+
 def iter_messages(variables, base):
 Return a tuple with all subclasses
 
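Review bot: the 13009 message advises `If DNSSEC validation is enabled on IPA server(s), please disable it.`; disabling validation on every IPA server because one forwarder lacks EDNS0 lowers the resolver's protection for all zones, not just the one being configured. Suggest wording it as a choice: use a forwarder that supports EDNS0 and DNSSEC, and only disable validation if no such forwarder is available.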
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5b77a918b75fe6c48b465ecd9f02cb6d42..d2dcff9084ddf0a2f91b32812e670eb747392b05 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -43,7 +43,10 @@ from ipalib.util import (normalize_zonemgr,
  get_dns_forward_zone_update_policy,
  get_dns_reverse_zone_update_policy,
  get_reverse_zone_default, REVERSE_DNS_ZONES,
- normalize_zone, validate_dnssec_forwarder)
+ normalize_zone, validate_dnssec_global_forwarder,
+ DNSSECSignatureMissingError, UnresolvableRecordError,
+ EDNS0UnsupportedError)
+
 from ipapython.ipautil import CheckedIPAddress, is_host_resolvable
 from ipapython.dnsutil import DNSName
 
@@ -4262,40 +4265,43 @@ class dnsconfig_mod(LDAPUpdate):
 
 def interactive_prompt_callback(self, kw):
 if kw.get('idnsforwarders', False):
-self.Backend.textui.print_plain(Server will check forwarder(s).)
-self.Backend.textui.print_plain(This may take some time, please wait ...)
+self.Backend.textui.print_plain(
+_(Server will check DNS forwarder(s).))
+self.Backend.textui.print_plain(
+_(This may take some time, please wait ...))
 
 def execute(self, *keys, **options):
 # test dnssec forwarders
-non_dnssec_forwarders = []
-not_responding_forwarders = []
 forwarders = options.get('idnsforwarders')
+
+result = super(dnsconfig_mod, self).execute(*keys, **options)
+self.obj.postprocess_result(result)
+
 if forwarders:
 for forwarder in forwarders:
-dnssec_status = validate_dnssec_forwarder(forwarder)
-   
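Review bot: `interactive_prompt_callback` prints `Server will check DNS forwarder(s).` whenever `idnsforwarders` is set, before the request leaves the client, so the notice also appears when the server then rejects the command (the 'already exists' case reported later in this thread). Emitting the notice from the server path that actually runs the check, or suppressing it on a failed command, would avoid the misleading output.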

Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-04-30 Thread David Kupka

On 04/24/2015 02:56 PM, Martin Basti wrote:

Patches attached.





Hi,
thanks for the patches.

1. You changed the message in the DNSServerNotRespondingWarning class but not
the test in ipatest/test_xmlrpc/test_dns_plugin.py


Nitpick: please spell 'edns' correctly. I've seen several instances of
'ends'.


--
David Kupka



[Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-04-24 Thread Martin Basti

Patches attached.


--
Martin Basti

From 874a8c6be571953f3bc09db015e6209d627de628 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 22 Apr 2015 15:29:21 +0200
Subject: [PATCH 1/2] DNSSEC: Improve global forwarders validation

Validation now provides more detailed information and fewer false
positive failures.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipalib/messages.py|  15 -
 ipalib/plugins/dns.py |  58 +-
 ipalib/util.py| 123 +++---
 ipaserver/install/bindinstance.py |  22 +--
 4 files changed, 163 insertions(+), 55 deletions(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index b44beca729f5483a7241e4c98a9f724ed663e70f..dd33ad75276bb96c1993175945ad26d4822ec5ca 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -186,7 +186,7 @@ class DNSServerNotRespondingWarning(PublicMessage):
 
 errno = 13006
 type = warning
-format = _(uDNS server %(server)s not responding.)
+format = _(uDNS server %(server)s not responding (%(error)s).)
 
 
 class DNSServerDoesNotSupportDNSSECWarning(PublicMessage):
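Review bot: `format = _(uDNS server %(server)s not responding (%(error)s).)` now requires an `error` key; the dns.py hunk below constructs its warnings with `server=forwarder` only, and the `UnresolvableRecordError` branch that would build this one is cut off, so make sure that branch passes `error=str(e)` or rendering fails with KeyError.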
@@ -214,6 +214,19 @@ class ForwardzoneIsNotEffectiveWarning(PublicMessage):
u\%(ns_rec)s\ to parent zone \%(authzone)s\.)
 
 
+class DNSServerDoesNotSupportEDNS0Warning(PublicMessage):
+
+**13009** Used when a DNS server does not support ENDS0, required for
+DNSSEC support
+
+
+errno = 13009
+type = warning
+format = _(uDNS server %(server)s does not support EDNS0 (RFC 6891). 
+   uIf DNSSEC validation is enabled on IPA server(s), 
+   uplease disable it.)
+
+
 def iter_messages(variables, base):
 Return a tuple with all subclasses
 
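Review bot: the docstring `Used when a DNS server does not support ENDS0` misspells EDNS0 (the nitpick raised in the review); the format string itself is correct. Also, with no `%(error)s` in this version of the format, the reason the EDNS0 probe failed never reaches the user, so consider carrying the error text here as the 13006 message does.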
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5b77a918b75fe6c48b465ecd9f02cb6d42..09378c6ec9808fd247fffd94c1cd904f4a7b1696 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -43,7 +43,10 @@ from ipalib.util import (normalize_zonemgr,
  get_dns_forward_zone_update_policy,
  get_dns_reverse_zone_update_policy,
  get_reverse_zone_default, REVERSE_DNS_ZONES,
- normalize_zone, validate_dnssec_forwarder)
+ normalize_zone, validate_dnssec_global_forwarder,
+ DNSSECSignatureMissingError, UnresolvableRecordError,
+ EDNS0UnsupportedError)
+
 from ipapython.ipautil import CheckedIPAddress, is_host_resolvable
 from ipapython.dnsutil import DNSName
 
@@ -4267,35 +4270,36 @@ class dnsconfig_mod(LDAPUpdate):
 
 def execute(self, *keys, **options):
 # test dnssec forwarders
-non_dnssec_forwarders = []
-not_responding_forwarders = []
 forwarders = options.get('idnsforwarders')
+
+result = super(dnsconfig_mod, self).execute(*keys, **options)
+self.obj.postprocess_result(result)
+
 if forwarders:
 for forwarder in forwarders:
-dnssec_status = validate_dnssec_forwarder(forwarder)
-if dnssec_status is None:
-not_responding_forwarders.append(forwarder)
-elif dnssec_status is False:
-non_dnssec_forwarders.append(forwarder)
-
-result = super(dnsconfig_mod, self).execute(*keys, **options)
-self.obj.postprocess_result(result)
-
-# add messages
-for forwarder in not_responding_forwarders:
-messages.add_message(
-options['version'],
-result, messages.DNSServerNotRespondingWarning(
-server=forwarder,
-)
-)
-for forwarder in non_dnssec_forwarders:
-messages.add_message(
-options['version'],
-result, messages.DNSServerDoesNotSupportDNSSECWarning(
-server=forwarder,
-)
-)
+try:
+validate_dnssec_global_forwarder(forwarder, log=self.log)
+except DNSSECSignatureMissingError as e:
+messages.add_message(
+options['version'],
+result, messages.DNSServerDoesNotSupportDNSSECWarning(
+server=forwarder
+)
+)
+except EDNS0UnsupportedError as e:
+messages.add_message(
+options['version'],
+result, messages.DNSServerDoesNotSupportEDNS0Warning(
+server=forwarder
+)
+)
+except UnresolvableRecordError as e:
+messages.add_message(
+options['version'],
+result,
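Review bot: `except DNSSECSignatureMissingError as e:` and `except EDNS0UnsupportedError as e:` bind `e` without using it, so the failure detail never reaches the warning, and no handler covers other exceptions from `validate_dnssec_global_forwarder`, which would surface to the user as an internal error (the AssertionError traceback later in this thread shows exactly that for the related zone-forwarder path). Either pass `error=str(e)` or drop `as e`, and add a fallback handler that logs the exception and emits a generic warning.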