DNSSEC: fix forward zone forwarders checks

https://fedorahosted.org/freeipa/ticket/5179

Reviewed-By: Petr Spacek <pspacek@redhat.com>

1 files changed, 7 insertions, 6 deletions

diff --git a/ipalib/util.py b/ipalib/util.py
index 649a4875f..a3500ae29 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -694,20 +694,21 @@ def validate_dnssec_zone_forwarder_step2(ipa_ip_addr, fwzone, log=None,
         ans_cd = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr,
                                  edns0=True, dnssec=True, flag_cd=True,
                                  timeout=timeout)
+    except NXDOMAIN as e:
+        # sometimes CD flag is ignored and NXDomain is returned
+        _log_response(log, e)
+        raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr)
     except DNSException as e:
         _log_response(log, e)
+        raise UnresolvableRecordError(owner=fwzone, rtype=rtype,
+                                      ip=ipa_ip_addr, error=e)
 
     try:
         ans_do = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr,
                                  edns0=True, dnssec=True, timeout=timeout)
-    except NXDOMAIN as e:
-        # sometimes CD flag is ignored and NXDomain is returned
-        _log_response(log, e)
-        raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr)
     except DNSException as e:
         _log_response(log, e)
-        raise UnresolvableRecordError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr,
-                                      error=e)
+        raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr)
     else:
         if (ans_do.canonical_name == ans_cd.canonical_name
             and ans_do.rrset == ans_cd.rrset):