[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

2017-01-26 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From d62fbe66bf4d5c7f80182a9151bee16a0b1100d5 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 16 Jan 2017 13:48:54 +0100
Subject: [PATCH 1/3] Remove obsolete serial_autoincrement from named.conf
 parsing

Option serial_autoincrement is no longer supported. Remove it from
the named.conf parser and add it to deprecated options to be removed.

https://fedorahosted.org/freeipa/ticket/6565
---
 ipaserver/install/server/upgrade.py | 56 +++--
 1 file changed, 4 insertions(+), 52 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 068db21..0e034ef 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -409,8 +409,8 @@ def named_remove_deprecated_options():
 From IPA 3.3, persistent search is a default mechanism for new DNS zone
 detection.
 
-Remove psearch, zone_refresh and cache_ttl options, as they have been
-deprecated in bind-dyndb-ldap configuration file.
+Remove psearch, zone_refresh cache_ttl and serial_autoincrement options,
+as they have been deprecated in bind-dyndb-ldap configuration file.
 
 When some change in named.conf is done, this functions returns True.
 """
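Review bot: The reworded docstring sentence drops the separator after `zone_refresh`, so it reads as if `zone_refresh cache_ttl` were a single option; it should read `Remove psearch, zone_refresh, cache_ttl and serial_autoincrement options,`. The context line below it still says "this functions returns", which could become `this function returns` while the docstring is being touched. named_remove_deprecated_options() starts and ends outside this hunk, and the same hunk is re-posted unchanged in the two other copies of PATCH 1/3 further down this page.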
@@ -422,7 +422,8 @@ def named_remove_deprecated_options():
 root_logger.info('DNS is not configured')
 return False
 
-deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl']
+deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl',
+  'serial_autoincrement']
 removed_options = []
 
 try:
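Review bot: Nothing in the visible hunks clears the `autoincrement_enabled` key that the removed named_enable_serial_autoincrement() stored with `sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)`, so upgraded servers presumably keep a state entry that no code reads any more. Either drop that key as part of this cleanup or record the decision next to `deprecated_options`, e.g. `# 'autoincrement_enabled' upgrade state is intentionally left in place`. The function body continues past the hunk (the `try:` block is cut), so the removal loop itself cannot be checked from here. The same hunk repeats in the other two copies of this patch on the page.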
@@ -499,54 +500,6 @@ def named_set_minimum_connections():
 return changed
 
 
-def named_enable_serial_autoincrement():
-"""
-Serial autoincrement is a requirement for zone transfers or DNSSEC. It
-should be enabled both for new installs and upgraded servers.
-
-When some change in named.conf is done, this functions returns True
-"""
-changed = False
-
-root_logger.info('[Enabling serial autoincrement in DNS]')
-
-if not bindinstance.named_conf_exists():
-# DNS service may not be configured
-root_logger.info('DNS is not configured')
-return changed
-
-try:
-serial_autoincrement = bindinstance.named_conf_get_directive(
-'serial_autoincrement')
-except IOError as e:
-root_logger.debug('Cannot retrieve psearch option from %s: %s',
-  bindinstance.NAMED_CONF, e)
-return changed
-else:
-serial_autoincrement = None if serial_autoincrement is None \
-else serial_autoincrement.lower()
-
-# enable SOA serial autoincrement
-if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
-if serial_autoincrement != 'yes':
-try:
-bindinstance.named_conf_set_directive('serial_autoincrement',
-  'yes')
-except IOError as e:
-root_logger.error('Cannot enable serial_autoincrement in %s: %s',
-bindinstance.NAMED_CONF, e)
-return changed
-else:
-root_logger.debug('Serial autoincrement enabled')
-changed = True
-else:
-root_logger.debug('Serial autoincrement is alredy enabled')
-sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
-else:
-root_logger.debug('Skip serial autoincrement check')
-
-return changed
-
 def named_update_gssapi_configuration():
 """
 Update GSSAPI configuration in named.conf to a recent API.
@@ -1706,7 +1659,6 @@ def upgrade_configuration():
 named_conf_changes = (
   named_remove_deprecated_options(),
   named_set_minimum_connections(),
-  named_enable_serial_autoincrement(),
   named_update_gssapi_configuration(),
   named_update_pid_file(),
   named_enable_dnssec(),

From c7be6abad89301aaefe6b74fba0539b2aa57b128 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 2/3] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565
---
 inst

[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

2017-01-26 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From fb08cbbd3b9b7047647bac73a59e34d49b6fd9ec Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 16 Jan 2017 13:48:54 +0100
Subject: [PATCH 1/3] Remove obsolete serial_autoincrement from named.conf
 parsing

Option serial_autoincrement is no longer supported. Remove it from
the named.conf parser and add it to deprecated options to be removed.

https://fedorahosted.org/freeipa/ticket/6565
---
 ipaserver/install/server/upgrade.py | 56 +++--
 1 file changed, 4 insertions(+), 52 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5d8e596..4a85103 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -409,8 +409,8 @@ def named_remove_deprecated_options():
 From IPA 3.3, persistent search is a default mechanism for new DNS zone
 detection.
 
-Remove psearch, zone_refresh and cache_ttl options, as they have been
-deprecated in bind-dyndb-ldap configuration file.
+Remove psearch, zone_refresh cache_ttl and serial_autoincrement options,
+as they have been deprecated in bind-dyndb-ldap configuration file.
 
 When some change in named.conf is done, this functions returns True.
 """
@@ -422,7 +422,8 @@ def named_remove_deprecated_options():
 root_logger.info('DNS is not configured')
 return False
 
-deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl']
+deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl',
+  'serial_autoincrement']
 removed_options = []
 
 try:
@@ -499,54 +500,6 @@ def named_set_minimum_connections():
 return changed
 
 
-def named_enable_serial_autoincrement():
-"""
-Serial autoincrement is a requirement for zone transfers or DNSSEC. It
-should be enabled both for new installs and upgraded servers.
-
-When some change in named.conf is done, this functions returns True
-"""
-changed = False
-
-root_logger.info('[Enabling serial autoincrement in DNS]')
-
-if not bindinstance.named_conf_exists():
-# DNS service may not be configured
-root_logger.info('DNS is not configured')
-return changed
-
-try:
-serial_autoincrement = bindinstance.named_conf_get_directive(
-'serial_autoincrement')
-except IOError as e:
-root_logger.debug('Cannot retrieve psearch option from %s: %s',
-  bindinstance.NAMED_CONF, e)
-return changed
-else:
-serial_autoincrement = None if serial_autoincrement is None \
-else serial_autoincrement.lower()
-
-# enable SOA serial autoincrement
-if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
-if serial_autoincrement != 'yes':
-try:
-bindinstance.named_conf_set_directive('serial_autoincrement',
-  'yes')
-except IOError as e:
-root_logger.error('Cannot enable serial_autoincrement in %s: %s',
-bindinstance.NAMED_CONF, e)
-return changed
-else:
-root_logger.debug('Serial autoincrement enabled')
-changed = True
-else:
-root_logger.debug('Serial autoincrement is alredy enabled')
-sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
-else:
-root_logger.debug('Skip serial autoincrement check')
-
-return changed
-
 def named_update_gssapi_configuration():
 """
 Update GSSAPI configuration in named.conf to a recent API.
@@ -1706,7 +1659,6 @@ def upgrade_configuration():
 named_conf_changes = (
   named_remove_deprecated_options(),
   named_set_minimum_connections(),
-  named_enable_serial_autoincrement(),
   named_update_gssapi_configuration(),
   named_update_pid_file(),
   named_enable_dnssec(),

From 043f1e74f2992bf57f268d26e74f03d845568459 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 2/3] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565
---
 inst

[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

2017-01-16 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From fb08cbbd3b9b7047647bac73a59e34d49b6fd9ec Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 16 Jan 2017 13:48:54 +0100
Subject: [PATCH 1/3] Remove obsolete serial_autoincrement from named.conf
 parsing

Option serial_autoincrement is no longer supported. Remove it from
the named.conf parser and add it to deprecated options to be removed.

https://fedorahosted.org/freeipa/ticket/6565
---
 ipaserver/install/server/upgrade.py | 56 +++--
 1 file changed, 4 insertions(+), 52 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5d8e596..4a85103 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -409,8 +409,8 @@ def named_remove_deprecated_options():
 From IPA 3.3, persistent search is a default mechanism for new DNS zone
 detection.
 
-Remove psearch, zone_refresh and cache_ttl options, as they have been
-deprecated in bind-dyndb-ldap configuration file.
+Remove psearch, zone_refresh cache_ttl and serial_autoincrement options,
+as they have been deprecated in bind-dyndb-ldap configuration file.
 
 When some change in named.conf is done, this functions returns True.
 """
@@ -422,7 +422,8 @@ def named_remove_deprecated_options():
 root_logger.info('DNS is not configured')
 return False
 
-deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl']
+deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl',
+  'serial_autoincrement']
 removed_options = []
 
 try:
@@ -499,54 +500,6 @@ def named_set_minimum_connections():
 return changed
 
 
-def named_enable_serial_autoincrement():
-"""
-Serial autoincrement is a requirement for zone transfers or DNSSEC. It
-should be enabled both for new installs and upgraded servers.
-
-When some change in named.conf is done, this functions returns True
-"""
-changed = False
-
-root_logger.info('[Enabling serial autoincrement in DNS]')
-
-if not bindinstance.named_conf_exists():
-# DNS service may not be configured
-root_logger.info('DNS is not configured')
-return changed
-
-try:
-serial_autoincrement = bindinstance.named_conf_get_directive(
-'serial_autoincrement')
-except IOError as e:
-root_logger.debug('Cannot retrieve psearch option from %s: %s',
-  bindinstance.NAMED_CONF, e)
-return changed
-else:
-serial_autoincrement = None if serial_autoincrement is None \
-else serial_autoincrement.lower()
-
-# enable SOA serial autoincrement
-if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
-if serial_autoincrement != 'yes':
-try:
-bindinstance.named_conf_set_directive('serial_autoincrement',
-  'yes')
-except IOError as e:
-root_logger.error('Cannot enable serial_autoincrement in %s: %s',
-bindinstance.NAMED_CONF, e)
-return changed
-else:
-root_logger.debug('Serial autoincrement enabled')
-changed = True
-else:
-root_logger.debug('Serial autoincrement is alredy enabled')
-sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
-else:
-root_logger.debug('Skip serial autoincrement check')
-
-return changed
-
 def named_update_gssapi_configuration():
 """
 Update GSSAPI configuration in named.conf to a recent API.
@@ -1706,7 +1659,6 @@ def upgrade_configuration():
 named_conf_changes = (
   named_remove_deprecated_options(),
   named_set_minimum_connections(),
-  named_enable_serial_autoincrement(),
   named_update_gssapi_configuration(),
   named_update_pid_file(),
   named_enable_dnssec(),

From 043f1e74f2992bf57f268d26e74f03d845568459 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 2/3] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565
---
 inst

[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

2017-01-09 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From 2b7becb7f6d6cc15679b7f0aa76d6fa0164e961e Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 1/2] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565
---
 install/share/bind.named.conf.template | 16 +++-
 ipaplatform/redhat/paths.py|  1 +
 ipaserver/install/bindinstance.py  |  1 +
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e8ea8fb..b7c3a0b 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -43,13 +43,11 @@ zone "." IN {
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";
 
-dynamic-db "ipa" {
-	library "ldap.so";
-	arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
-	arg "base cn=dns, $SUFFIX";
-	arg "server_id $FQDN";
-	arg "auth_method sasl";
-	arg "sasl_mech GSSAPI";
-	arg "sasl_user DNS/$FQDN";
-	arg "serial_autoincrement yes";
+dyndb "ipa" "$BIND_LDAP_SO" {
+	uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
+	base "cn=dns, $SUFFIX";
+	server_id "$FQDN";
+	auth_method "sasl";
+	sasl_mech "GSSAPI";
+	sasl_user "DNS/$FQDN";
 };
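Review bot: The new `dyndb "ipa" "$BIND_LDAP_SO" {` block has no comment saying which configuration syntax it uses, and a named.conf written in this form would presumably be rejected by an older BIND or bind-dyndb-ldap. The second patch in this series states that BIND 9.11 and bind-dyndb-ldap 11.0 are required, so a template comment above the block such as `/* dyndb syntax: requires BIND >= 9.11 and bind-dyndb-ldap >= 11.0 */` would tell an administrator diagnosing a failed named start what to check first. Since `$BIND_LDAP_SO` names the shared object that named loads, the comment could also state that the value is filled from the platform path constants and is not meant to be edited by hand.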
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index b27b065..8212f40 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace):
 if sys.maxsize > 2**32:
 LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
+BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64
 
 
 paths = RedHatPathNamespace()
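Review bot: `BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64` relies on BasePathNamespace already defining both `BIND_LDAP_SO` (the value used when the `sys.maxsize > 2**32` test is false) and `BIND_LDAP_SO_64`. The diffstat of this patch touches only the Red Hat namespace, so that cannot be confirmed from the page. If either constant is missing, the failure would surface at import time or when `__setup_sub_dict` reads `paths.BIND_LDAP_SO` in the bindinstance.py hunk below. A short comment on the new line, e.g. `# module loaded by named for the dyndb "ipa" block`, would also tie the constant to its only visible consumer.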
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e24249a..c9097c2 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -769,6 +769,7 @@ def __setup_sub_dict(self):
 RFC1912_ZONES=paths.NAMED_RFC1912_ZONES,
 NAMED_PID=paths.NAMED_PID,
 NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
+BIND_LDAP_SO=paths.BIND_LDAP_SO,
 )
 
 def __setup_dns_container(self):

From c00ae001855e997b2e3ce7ae2c614ce270c40f09 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 16:52:08 +0100
Subject: [PATCH 2/2] bump required version of BIND, bind-dyndb-ldap

bind-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward-incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of the bind-dyndb-ldap plugin and
BIND 9.11 are required to use the new config file format.

https://fedorahosted.org/freeipa/ticket/6565
---
 freeipa.spec.in | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..99b3a0f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -295,18 +295,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 10.0
-%if 0%{?fedora} >= 21
-Requires: bind >= 9.9.6-3
-Requires: bind-utils >= 9.9.6-3
-Requires: bind-pkcs11 >= 9.9.6-3
-Requires: bind-pkcs11-utils >= 9.9.6-3
-%else
-Requires: bind >= 9.9.4-21
-Requires: bind-utils >= 9.9.4-21
-Requires: bind-pkcs11 >= 9.9.4-21
-Requires: bind-pkcs11-utils >= 9.9.4-21
-%endif
+Requires: bind-dyndb-ldap >= 11.0
+Requires: bind >= 9.11.0-2
+Requires: bind-utils >= 9.11.0-2
+Requires: bind-pkcs11 >= 9.11.0-2
+Requires: bind-pkcs11-utils >= 9.11.0-2
 Requires: opendnssec >= 1.4.6-4
 
 Provides: %{alt_name}-server-dns = %{version}
-- 

[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

2016-12-19 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From bf1a7f648ca008668dfbc2ee48f89f70c5ab2d92 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 1/2] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

https://fedorahosted.org/freeipa/ticket/6565
---
 install/share/bind.named.conf.template | 16 +++-
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e8ea8fb..21b4098 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -43,13 +43,11 @@ zone "." IN {
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";
 
-dynamic-db "ipa" {
-	library "ldap.so";
-	arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
-	arg "base cn=dns, $SUFFIX";
-	arg "server_id $FQDN";
-	arg "auth_method sasl";
-	arg "sasl_mech GSSAPI";
-	arg "sasl_user DNS/$FQDN";
-	arg "serial_autoincrement yes";
+dyndb "ipa-ldap" "/usr/lib64/bind/ldap.so" {
+	uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
+	base "cn=dns, $SUFFIX";
+	server_id "$FQDN";
+	auth_method "sasl";
+	sasl_mech "GSSAPI";
+	sasl_user "DNS/$FQDN";
 };
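Review bot: The module path `"/usr/lib64/bind/ldap.so"` is hard-coded in the template, so a host whose BIND modules live elsewhere (for example a 32-bit library directory) would get a named.conf pointing at a file that does not exist. Pass the path in as a template variable filled from the platform path constants instead, e.g. `dyndb "ipa-ldap" "$BIND_LDAP_SO" {`. The instance name also changes from `"ipa"` to `"ipa-ldap"` in this hunk; if any upgrade or parsing code matches on the old name, that is worth confirming before merging.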

From c05e5d16e5b4da5c1a20757a378aa5e4e767ab62 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 16:52:08 +0100
Subject: [PATCH 2/2] bump required version of BIND, bind-dyndb-ldap

bind-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward-incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of the bind-dyndb-ldap plugin and
BIND 9.11 are required to use the new config file format.

https://fedorahosted.org/freeipa/ticket/6565
---
 freeipa.spec.in | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..99b3a0f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -295,18 +295,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 10.0
-%if 0%{?fedora} >= 21
-Requires: bind >= 9.9.6-3
-Requires: bind-utils >= 9.9.6-3
-Requires: bind-pkcs11 >= 9.9.6-3
-Requires: bind-pkcs11-utils >= 9.9.6-3
-%else
-Requires: bind >= 9.9.4-21
-Requires: bind-utils >= 9.9.4-21
-Requires: bind-pkcs11 >= 9.9.4-21
-Requires: bind-pkcs11-utils >= 9.9.4-21
-%endif
+Requires: bind-dyndb-ldap >= 11.0
+Requires: bind >= 9.11.0-2
+Requires: bind-utils >= 9.11.0-2
+Requires: bind-pkcs11 >= 9.11.0-2
+Requires: bind-pkcs11-utils >= 9.11.0-2
 Requires: opendnssec >= 1.4.6-4
 
 Provides: %{alt_name}-server-dns = %{version}
-- 