Revert "Lookup ipa-ca record with NSS"

This reverts commit 731c5b2.

NSS was missing IPv6 records when looking up host names.

Related: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

ipaserver/dns_data_management.py

@@ -15,14 +15,14 @@
     rdatatype,
     zone,
 )
+from dns.exception import DNSException
 
 from time import sleep, time
 
 from ipalib import errors
 from ipalib.constants import IPA_CA_RECORD
 from ipalib.dns import record_name_format
-from ipapython.dnsutil import DNSName
-from ipaserver.install import installutils
+from ipapython.dnsutil import DNSName, resolve_rrsets
 
 if six.PY3:
     unicode=str
@@ -75,7 +75,7 @@
     (DNSName('_kerberos'), "\"{realm}\""),
 )
 
-CA_RECORDS_DNS_TIMEOUT = 15  # timeout in seconds
+CA_RECORDS_DNS_TIMEOUT = 30  # timeout in seconds
 
 
 class IPADomainIsNotManagedByIPAError(Exception):
@@ -189,20 +189,16 @@ def __add_uri_records(
     def __add_ca_records_from_hostname(self, zone_obj, hostname):
         assert isinstance(hostname, DNSName) and hostname.is_absolute()
         r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
-        rrsets = None
+        rrsets = []
         end_time = time() + CA_RECORDS_DNS_TIMEOUT
-        while True:
+        while time() < end_time:
             try:
-                # function logs errors
-                rrsets = installutils.resolve_rrsets_nss(hostname)
-            except OSError:
-                # also retry on EAI_AGAIN, EAI_FAIL
+                rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.AAAA))
+            except DNSException:  # logging is done inside resolve_rrsets
                 pass
             if rrsets:
                 break
-            if time() >= end_time:
-                break
-            sleep(3)
+            sleep(5)
 
         if not rrsets:
             logger.error('unable to resolve host name %s to IP address, '

ipaserver/install/installutils.py

@@ -39,7 +39,7 @@
 from configparser import ConfigParser as SafeConfigParser
 from configparser import NoOptionError
 
-from dns import rrset, rdatatype, rdataclass
+from dns import rdatatype
 from dns.exception import DNSException
 import ldap
 import six
@@ -55,7 +55,7 @@
 from ipalib import api, errors, x509
 from ipalib.install import dnsforwarders
 from ipapython.dn import DN
-from ipapython.dnsutil import DNSName, resolve
+from ipapython.dnsutil import resolve
 from ipaserver.install import certs, sysupgrade
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -479,48 +479,6 @@ def resolve_ip_addresses_nss(fqdn):
     logger.debug('Name %s resolved to %s', fqdn, ip_addresses)
     return ip_addresses
 
-
-def resolve_rrsets_nss(fqdn):
-    """Get list of dnspython RRsets from NSS"""
-    if not isinstance(fqdn, DNSName):
-        fqdn = DNSName.from_text(fqdn)
-
-    ip_addresses = resolve_ip_addresses_nss(fqdn.to_text())
-
-    # split IP addresses into IPv4 and IPv6
-    ipv4 = []
-    ipv6 = []
-    for ip_address in ip_addresses:
-        # Skip reserved or link-local addresses
-        try:
-            ipautil.CheckedIPAddress(ip_address)
-        except ValueError as e:
-            logger.warning("Invalid IP address %s for %s: %s",
-                           ip_address, fqdn, unicode(e))
-            continue
-        if ip_address.version == 4:
-            ipv4.append(str(ip_address))
-        elif ip_address.version == 6:
-            ipv6.append(str(ip_address))
-
-    # construct an RRset for each address type. TTL is irrelevant
-    ttl = 3600
-    rrs = []
-    if ipv4:
-        rrs.append(
-            rrset.from_text_list(
-                fqdn, ttl, rdataclass.IN, rdatatype.A, ipv4
-            )
-        )
-    if ipv6:
-        rrs.append(
-            rrset.from_text_list(
-                fqdn, ttl, rdataclass.IN, rdatatype.AAAA, ipv6
-            )
-        )
-    return rrs
-
-
 def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses):
     hostaddr = resolve_ip_addresses_nss(host_name)
     if hostaddr.intersection(