author | Martin Basti <mbasti@redhat.com> | 2014-06-27 17:07:00 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-02 18:41:57 +0200 |
commit | 3b310d6b4f8063149d1abe823b64bc9796a97ab2 (patch) | |
tree | 3aa0789fa4467b505506af5042eaaa0f6152a23d | |
parent | 5c2ddaf6606736074c4b548592405a8e98027308 (diff) | |
DNSSEC: Add experimental support for DNSSEC
Ticket: https://fedorahosted.org/freeipa/ticket/4408
Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r-- | install/share/bind.named.conf.template | 2 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 21 |
2 files changed, 23 insertions, 0 deletions
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 0984febb1..6db17120f 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -16,6 +16,8 @@ options {
 tkey-gssapi-keytab "/etc/named.keytab";
 pid-file "/run/named/named.pid";
+
+ dnssec-enable yes;
 };
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 622c92d75..2fecc1404 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -594,6 +594,26 @@ def named_update_pid_file():
 sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
 return True
+def named_enable_dnssec():
+ """
+ Enable dnssec in named.conf
+ """
+ if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'):
+ root_logger.info('[Enabling "dnssec-enable" configuration in DNS]')
+ try:
+ bindinstance.named_conf_set_directive('dnssec-enable', 'yes',
+ bindinstance.NAMED_SECTION_OPTIONS,
+ str_val=False)
+ except IOError, e:
+ root_logger.error('Cannot update dnssec-enable configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ root_logger.debug('dnssec-enabled in %s' % bindinstance.NAMED_CONF)
+
+ sysupgrade.set_upgrade_state('named.conf', 'dnssec_enabled', True)
+ return True
+
 def certificate_renewal_update(ca):
 """
@@ -1129,6 +1149,7 @@ def main():
 named_enable_serial_autoincrement(),
 named_update_gssapi_configuration(),
 named_update_pid_file(),
+ named_enable_dnssec(),
 )
 if any(named_conf_changes): |
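Review bot: The added `dnssec-enable yes;` line in the options block has no comment, and the directive is easy to mistake for switching on validation. In BIND it controls whether named returns DNSSEC records in its responses; validation of answers is governed by the separate `dnssec-validation` option, which this hunk does not set. I would put a comment above the line such as `/* return DNSSEC records for signed zones; validation is a separate setting (dnssec-validation) */` so that an administrator reading the generated named.conf does not assume validation is active. The options block begins before this hunk, so anything already set earlier in the template is not visible here.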
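Review bot: named_enable_dnssec() appears to return True even when the 'dnssec_enabled' upgrade state is already set: the page has lost its indentation, but as the lines read, the `else:` branch only logs and control then reaches `sysupgrade.set_upgrade_state(...)` and `return True`. main() collects this value in `named_conf_changes` and tests `any(named_conf_changes)`, so every upgrade run would be reported as having changed named.conf; what follows that test is outside the hunk, presumably a named restart. If that reading is right, the already-enabled branch should end with `return False`. The debug message also says `dnssec-enabled` where the directive is `dnssec-enable`, and it formats eagerly with `%` while the error call next to it passes lazy arguments.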