authorMartin Basti <mbasti@redhat.com>2014-10-16 16:27:00 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commitca030a089f9e45a5dae5f6fb5993f4cc714f1ab2 (patch)
treef99b61a736b118ce42773cc1d9ab8769b28a6a79 /install/tools/ipa-replica-install
parent30bc3a55cf816cc5114ddbd102afa8b52f598dec (diff)
DNSSEC: validate forwarders
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/tools/ipa-replica-install')
-rwxr-xr-xinstall/tools/ipa-replica-install14
1 files changed, 13 insertions, 1 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index df0e5d565..51809b140 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -116,6 +116,8 @@ def parse_options():
action="append", help="The reverse DNS zone to use")
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
+ dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
+ default=False, help="Disable DNSSEC validation")
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
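Review bot: The help text on the new `--no-dnssec-validation` option, "Disable DNSSEC validation", does not tell the administrator what is given up. With validation off, the BIND instance configured here accepts answers from its forwarders without checking signatures, and that is worth stating where the option is chosen. I would word it as `help="Disable DNSSEC validation on this server (DNS answers are accepted without signature checks)"`. parse_options() starts and ends outside this hunk.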
@@ -138,6 +140,8 @@ def parse_options():
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
+ if options.no_dnssec_validation:
+ parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif not options.forwarders and not options.no_forwarders:
@@ -268,7 +272,8 @@ def install_bind(config, options):
bind.setup(config.host_name, config.ips, config.realm_name,
config.domain_name, forwarders, options.conf_ntp,
- config.reverse_zones, ca_configured=options.setup_ca)
+ config.reverse_zones, ca_configured=options.setup_ca,
+ no_dnssec_validation=options.no_dnssec_validation)
bind.create_instance()
print ""
@@ -471,6 +476,13 @@ def main():
if options.setup_dns:
check_bind()
+ # test DNSSEC forwarders
+ if options.forwarders:
+ if (not bindinstance.check_forwarders(options.forwarders, root_logger)
+ and not options.no_dnssec_validation):
+ options.no_dnssec_validation = True
+ print "WARNING: DNSSEC validation will be disabled"
+
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured():
sys.exit("Aborting installation")
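Review bot: In main(), a failed `bindinstance.check_forwarders()` probe flips `options.no_dnssec_validation` to True, so a security control is switched off by the result of one network check at install time, and the only trace is a `print` to stdout. A transient resolver problem, or anything that interferes with the probe, would leave the replica's resolver non-validating until an administrator notices and re-enables it. At minimum, record the downgrade in the install log, e.g. `root_logger.warning("DNSSEC validation disabled: forwarders %s failed the DNSSEC check", options.forwarders)`. Consider aborting instead of downgrading when the install runs non-interactively and `--no-dnssec-validation` was not given explicitly. main() starts and ends outside this hunk, so whether a later step reports the downgrade is not visible here.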