DNSSEC: forwarders validation improvement #426


MartinBasti
Contributor

@MartinBasti MartinBasti commented Jan 31, 2017

Some DNS servers behave oddly and, instead of sending a result without RRSIG records,
don't reply at all when the DNSSEC flag is enabled (timeout). Instead of a
hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.

@@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10):
timeout=timeout)
except DNSException as e:
_log_response(log, e)
raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr,
error=e)
raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)
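Review bot: the `except DNSException as e:` branch now ends in `raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)`, so every DNSException from the query is reported as a missing signature, not only the timeout the description talks about, and the `error=e` that the earlier raise carried is gone. After this the caller cannot tell "forwarder did not answer" from "forwarder answered without RRSIG", and the only trace of the real cause is the `_log_response(log, e)` line. Consider handling the timeout case separately and leaving the unresolvable-record error for other failures, or at least keeping the original exception reachable from the raised error and documenting the broader meaning in the docstring.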
Contributor

Please update the docstring since the function no longer raises UnresolvableRecordError.

Contributor Author

It still can, due to the _validate_edns0_forwarder() call.

@tkrizek
Contributor

tkrizek commented Feb 7, 2017

I think the same issue can also occur in validate_dnssec_zone_forwarder_step2().

@MartinBasti
Contributor Author

I was thinking about it and I disagree. Checking a forward zone behaves differently than the check for global forwarders. validate_dnssec_zone_forwarder_step2 is called against an IPA DNS server, so there shouldn't be that issue, as we know how BIND is supposed to work.

@tkrizek tkrizek added the ack Pull Request approved, can be merged label Feb 8, 2017
@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Feb 8, 2017
@MartinBasti MartinBasti closed this Feb 8, 2017