URL: https://github.com/freeipa/freeipa/pull/426
Author: MartinBasti
Title: #426: DNSSEC: forwarders validation improvement
Action: opened

PR body:
"""
Some DNS servers behave oddly and, instead of sending a result without RRSIG
records, don't reply at all when the DNSSEC flag is enabled (timeout). Instead of
a hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/426/head:pr426
git checkout pr426
From 204b1f3e0147e418be3d50a0b5f5fa57e186ceb2 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 31 Jan 2017 16:47:44 +0100
Subject: [PATCH] DNSSEC: forwarders validation improvement

Some DNS servers behave oddly and, instead of sending a result without RRSIG
records, don't reply at all when the DNSSEC flag is enabled (timeout). Instead of
a hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.
---
 ipalib/util.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 1c354b6..1509607 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10):
                               timeout=timeout)
     except DNSException as e:
         _log_response(log, e)
-        raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr,
-                                      error=e)
+        raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)
 
     try:
         ans.response.find_rrset(
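Review bot: The handler at `except DNSException as e:` covers every DNSException, not only the timeout the commit message describes, so with the new `raise DNSSECSignatureMissingError(...)` any failed query to the forwarder is reported as a missing signature. A forwarder that is down or answers with some other DNS error becomes indistinguishable from one that merely lacks DNSSEC support, and per the commit message installation then continues. Consider catching the timeout case on its own (dnspython's `dns.exception.Timeout`) and mapping only that to DNSSECSignatureMissingError, while keeping `UnresolvableRecordError(..., error=e)` for the remaining DNSException cases. The new raise also drops `error=e`, so the original cause survives only through `_log_response(log, e)`, which does nothing useful when `log=None`; it would help to preserve the underlying exception in the raised error or make sure it is always logged.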
-- 