URL: https://github.com/freeipa/freeipa/pull/426 Author: MartinBasti Title: #426: DNSSEC: forwarders validation improvement Action: opened
PR body: """ Some DNS servers behaves oddly and instead sending result without RRSIG records don't reply at all when DNSSEC flag is enabled (timeout). Instead of hard error IPA should this handle as DNSSEC error and continue with installation/adding forwarders. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/426/head:pr426 git checkout pr426
From 204b1f3e0147e418be3d50a0b5f5fa57e186ceb2 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Tue, 31 Jan 2017 16:47:44 +0100 Subject: [PATCH] DNSSEC: forwarders validation improvement Some DNS servers behaves oddly and instead sending result without RRSIG records don't reply at all when DNSSEC flag is enabled (timeout). Instead of hard error IPA should this handle as DNSSEC error and continue with installation/adding forwarders. --- ipalib/util.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 1c354b6..1509607 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10): timeout=timeout) except DNSException as e: _log_response(log, e) - raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr, - error=e) + raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr) try: ans.response.find_rrset(
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code