On Tue, 21 Oct 2014, Martin Kosek wrote:
On 10/21/2014 08:50 AM, Jan Cholasta wrote:
On 21.10.2014 at 08:45, Alexander Bokovoy wrote:
On Tue, 21 Oct 2014, Jan Cholasta wrote:
On 20.10.2014 at 23:40, Martin Basti wrote:
On 20/10/14 18:28, Jan Cholasta wrote:
Hi,

On 20.10.2014 at 17:37, Petr Spacek wrote:
On 20.10.2014 17:21, Martin Basti wrote:
Hello! Hold your hats, DNSSEC patches are here.

Martin^2, Petr^2

For testing you will need the following package:
http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293

From me, functional self-ACK :-)


Patch 117:

1)

As we discussed off-line, this code is wrong and a ticket should be
opened to fix it to properly handle service files conflicting with the
mask command:

+        if instance_name != "":
+            srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
instance_name)
+            # remove instance file or link before masking
+            if os.path.islink(srv_tgt):
+                os.unlink(srv_tgt)
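
Review bot: the os.path.islink(srv_tgt) guard only removes a symlink at that path, so a regular unit file with the same name under ETC_SYSTEMD_SYSTEM_DIR is silently left in place, which is the conflicting-service-file case. Handle the regular-file case explicitly (move it aside or fail with a clear error) instead of skipping it, and catch OSError around os.unlink, since the link can disappear between the islink check and the unlink. "if instance_name:" would also be the more idiomatic test than comparing against "".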


Patch 137:

1)

There are some whitespace errors:

Applying: DNSSEC: add ipapk11helper module
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
trailing whitespace.
*
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
trailing whitespace.
*
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.


Patch 138:

1)

There is a whitespace error:

Applying: DNSSEC: DNS key synchronization daemon
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
blank line at EOF.
+
warning: 1 line adds whitespace errors.


Patch 140:

1)

Unless there is a dnssec_keys ipalib plugin, I don't think there
should be container_dnssec_keys. Use "DN(('cn', 'keys'), ('cn',
'sec'), api.env.container_dns, ...)" instead of
"DN(api.env.container_dnssec_keys, ...)".


2)

The masking method definitions in PlatformService should be moved to
patch 117.


3)

The changes in dnskeysyncinstance.py, odsexportedinstance.py and
opendnssecinstance.py should be moved to patches 138 and 139.


Patch 147:

1)

There are some whitespace errors:

Applying: DNSSEC: add ipa dnssec daemons
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
trailing whitespace.
   # synchronize metadata about master keys in LDAP
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
trailing whitespace.

/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
trailing whitespace.

/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
blank line at EOF.
+
/home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
blank line at EOF.
+
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.


Honza

Whitespaces fixed,
 mask, and dnssec_container issues move to 4.1.1 please.

mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.


But we have schema conflict:

[20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
invalid, error code 20 (Type or value exists) - object class
ipaOverrideTarget: The name does not match the OID
"2.16.840.1.113730.3.8.12.34". Another object class is already using the
name or OID.

git grep -n "2.16.840.1.113730.3.8.12.34"
install/share/60basev3.ldif:79:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
storage for encoded key material' SUP top AUXILIARY MUST (
ipaSecretKeyRef ) X-...

install/share/71idviews.ldif:8:objectClasses:
(2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )

Updated patches attached.
"2.16.840.1.113730.3.8.12.35" is not used, I change it in patch
mbasti-0150

NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
We were meaning to reserve .34 for ipaOverrideTarget for long time. As
ipaOverrideTarget is already in git, it makes sense to change dnssec
OIDs instead. Yes, we've got to step over each other's toes but that's
life. I already have slapi-nis 0.54 released which relies on
ipaOverrideTarget definition.

That's unreleased code and it surely does not rely on its OID, does it?

It's *your* mess and *you* should clean it up. That's life.

If the code was released, I would give +1 for Alexander as we really cannot
change *released* OIDs.

But this is not the case so I think that fixing the OID that was not properly
registered is a good practice.
I did push a one-liner to master and ipa-4-1 that changes OID to .35.

You will need to do full reinstall if you had ipa-4-1 or git master
installed with the previous change.
--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
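
The schema conflict discussed in this thread (one OID bound to two object class names in different LDIF files) can be caught before the directory server rejects the file at startup. The following is an added example, not part of the original thread or of FreeIPA's code: the function names and the abbreviated sample schema are assumptions constructed from the two definitions quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the two definitions quoted in the
# thread (abbreviated; not the project's actual schema files).
SAMPLE_FILES = {
    "60basev3.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject'\n"
        "  SUP top AUXILIARY MUST ( ipaSecretKeyRef ) )\n"
    ),
    "71idviews.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget'\n"
        "  SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )\n"
    ),
}

# Matches the start of a schema definition: numeric OID, then the first NAME.
DEF_RE = re.compile(
    r"^(objectClasses|attributeTypes):\s*\(\s*([0-9]+(?:\.[0-9]+)+)"
    r"\s+NAME\s+\(?\s*'([^']+)'",
    re.IGNORECASE,
)

def unfold(text):
    """Join LDIF continuation lines; keep the line number where each entry starts."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            logical[-1][1] += raw[1:]      # a single leading space marks a fold
        else:
            logical.append([lineno, raw])
    return logical

def find_oid_conflicts(files):
    """Return {oid: [(file, lineno, name), ...]} for OIDs bound to different names."""
    seen = defaultdict(list)
    for fname, text in files.items():
        for lineno, line in unfold(text):
            m = DEF_RE.match(line)
            if m:
                seen[m.group(2)].append((fname, lineno, m.group(3)))
    # The same name redefined in several files is not a conflict; two names are.
    return {oid: uses for oid, uses in seen.items()
            if len({name.lower() for _, _, name in uses}) > 1}

if __name__ == "__main__":
    for oid, uses in find_oid_conflicts(SAMPLE_FILES).items():
        print(f"OID {oid} is used by more than one definition:")
        for fname, lineno, name in uses:
            print(f"  {fname}:{lineno}: {name}")
```

Run over the real schema directory as a pre-commit or CI check, this reports the file and line of every definition sharing an OID.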
