On 16/09/14 09:32, Martin Basti wrote:
On 15/09/14 20:31, Martin Kosek wrote:
On 09/15/2014 05:16 PM, Martin Basti wrote:
On 15/09/14 17:10, Petr Spacek wrote:
On 12.9.2014 15:19, Martin Basti wrote:
On 03/09/14 12:45, Martin Basti wrote:
On 03/09/14 12:27, Martin Kosek wrote:
On 09/02/2014 05:46 PM, Petr Spacek wrote:
On 25.8.2014 14:52, Martin Basti wrote:
Patches attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4149
There is a bug in bind-dyndb-ldap (or worse in dirsrv), which causes the named
service to be stopped after deleting a zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
Functional ACK, it works for me. It can be pushed if Python gurus are okay with
the code.
Is it safe to commit the change given that bind-dyndb-ldap still crashes when "."
is removed? Wouldn't it break our CI tests?
Maybe we should wait until a fixed bind-dyndb-ldap is released. Hopefully it
would be soon.
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
It will break tests, don't push it until bind-dyndb-ldap is fixed.
Currently I'm testing a bind-dyndb-ldap related patch.
Added patches 120 and 121, which are required for DNS to work correctly.
Patches 120 and 121 add all DNS replicas to the zone apex as NS; the --name-server
option doesn't add an NS record, it only changes the SOA MNAME attribute.
Original and new patches attached.
NACK, unfortunately it doesn't work for me:
# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
ipa: WARNING: '--name-server' is used only for setting up the SOA
MNAME record.
To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
--ns-rec=nameserver'.
Zone name: tri.test.
Active zone: TRUE
Authoritative nameserver: ns.test.
Administrator e-mail address: hostmaster.tri.test.
SOA serial: 1410793406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant
IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
idnsname: tri.test.
idnszoneactive: TRUE
idnssoamname: ns.test.
idnssoarname: hostmaster.tri.test.
idnssoaserial: 1410793408
idnssoarefresh: 3600
idnssoaretry: 900
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnsallowquery: any;
idnsallowtransfer: none;
idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
[root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test.
--ns-rec=$(hostname).
ipa: ERROR: tri.test.: DNS resource record not found
NACKing NACK
ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
you switched the order of zone and record; it should be
ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
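As an added example that is not part of this thread or of FreeIPA's own code: a small Python check that reads the attribute/value output of `ipa dnszone-show ZONE --all --raw` (as quoted above) and flags a zone whose SOA MNAME, the value `--name-server` sets, is not listed among the apex `nsrecord` values. The sample zone text is constructed from the output quoted above, and the function names are my own.

```python
# Added example (not from the thread): check that a zone's SOA MNAME is also
# present as an apex NS record, since --name-server only sets idnssoamname.
from collections import defaultdict

# Constructed sample, modelled on the `--raw` output quoted in the thread.
RAW_ZONE = """\
dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
idnsname: tri.test.
idnszoneactive: TRUE
idnssoamname: ns.test.
idnssoarname: hostmaster.tri.test.
nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
objectClass: idnszone
"""

def parse_raw(text):
    """Return {attribute (lower-cased): [values]} from 'attr: value' lines.
    LDAP attribute names are case-insensitive, hence the lower-casing."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)

def fqdn(name):
    """Normalise a DNS name for comparison: lower-case, one trailing dot."""
    return name.strip().lower().rstrip(".") + "."

def mname_in_apex_ns(attrs):
    """True if every idnssoamname value appears among the apex nsrecord values."""
    ns_set = {fqdn(v) for v in attrs.get("nsrecord", [])}
    mnames = [fqdn(v) for v in attrs.get("idnssoamname", [])]
    return bool(mnames) and all(m in ns_set for m in mnames)

def check_zone(text):
    """Return (ok, message) for one zone's raw output."""
    attrs = parse_raw(text)
    zone = attrs.get("idnsname", ["?"])[0]
    if mname_in_apex_ns(attrs):
        return True, f"{zone}: SOA MNAME is listed in the apex NS records"
    return False, (f"{zone}: SOA MNAME {attrs.get('idnssoamname')} not in apex NS "
                   f"{attrs.get('nsrecord')}; add it with "
                   f"'ipa dnsrecord-mod {zone} @ --ns-rec=<nameserver>'")

if __name__ == "__main__":
    ok, msg = check_zone(RAW_ZONE)
    print(("OK   " if ok else "WARN ") + msg)
```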
BTW, since we are so nicely breaking the dnszone-add interface, can
we also get rid of always asking for "Administrator e-mail address"?
>> # ipa dnszone-add tri.test. --name-server=ns.test.
>> Administrator e-mail address [hostmaster.tri.test.]:
...
Is there any risk in filling that with default as any other
attribute? IMO it would simplify adding zones for one more redundant
step. CCing Rob in case he knows some historical reasons why this is
requested every time.
Martin
There is no risk, because ipa-replica-prepare does that with default values.
However, this will not work with the root zone ".", and I'm not sure how
often an admin email is used. I think whois is a better utility to get a
contact email.
Also RIPE-203 [1] recommends using the 'hostmaster' alias.
[1] http://www.ripe.net/ripe/docs/ripe-203
--
Martin Basti