-rwxr-xr-xinstall/tools/ipa-replica-manage1
-rw-r--r--ipaserver/install/dns.py28
2 files changed, 22 insertions, 7 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 366ecca2d..e525a02f4 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -663,6 +663,7 @@ def ensure_last_services(conn, hostname, masters, options):
dnssec_masters = opendnssecinstance.get_dnssec_key_masters(conn)
if hostname in dnssec_masters:
print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
+ print "Please disable or replace DNSSEC key master first."
sys.exit("Deletion aborted")
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
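Review bot: The added message on the `+` line is printed to stdout with a bare `print`, while the abort that follows it, `sys.exit("Deletion aborted")`, writes to stderr, so the two halves of one diagnostic land on different streams and anyone capturing stderr sees the abort without its reason. Since this file is Python 2 (print statement), the minimal fix is `print >>sys.stderr, "Replica is active DNSSEC key master. Uninstall could break your DNS system."` followed by `print >>sys.stderr, "Please disable or replace DNSSEC key master first."`, keeping both lines on the same stream as the exit message. The new wording also tells the admin to disable or replace the key master without saying how, although the dns.py hunks in this same commit describe that procedure via ipa-dns-install; a one-clause pointer to that tool would save a search. ensure_last_services continues outside the hunk.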
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 1382382b5..bd176c1ef 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -154,8 +154,15 @@ def install_check(standalone, replica, options, hostname):
if dnssec_zones and not options.force:
raise RuntimeError(
"Cannot disable DNSSEC key master, DNSSEC signing is still "
- "enabled for following zone(s): %s\n"
- "Use --force option to skip this check." %
+ "enabled for following zone(s):\n"
+ "%s\n"
+ "It is possible to move DNSSEC key master role to a different "
+ "server by using --force option to skip this check.\n\n"
+ "WARNING: You have to immediatelly copy kasp.db file to a new "
+ "server and run command 'ipa-dns-install --dnssec-master "
+ "--kasp-db'.\n"
+ "Your DNS zones will become unavailable if you "
+ "do not reinstall the DNSSEC key master role immediatelly." %
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
# check opendnssec packages are installed
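Review bot: The new user-facing text on the `+` lines misspells "immediatelly" twice ("immediately"), and the quoted command `'ipa-dns-install --dnssec-master --kasp-db'` ends in an option that takes a file argument, as this commit's own later wording ("use option --kasp-db to specify location of the kasp.db file") confirms; quoting it as `'ipa-dns-install --dnssec-master --kasp-db <path-to-kasp.db>'` avoids an admin pasting an incomplete command. The sentence "by using --force option to skip this check" also reads as if --force itself moves the role, whereas the message's own WARNING says the zones stay unserved until the role is reinstalled elsewhere; phrasing it as "--force only skips this check; the role is moved by the steps below" keeps the bypass from being read as the whole procedure. install_check continues outside the hunk.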
@@ -186,8 +193,10 @@ def install_check(standalone, replica, options, hostname):
suplementary_groups=[named.get_group_name()])
except CalledProcessError as e:
root_logger.debug("%s", e)
- raise RuntimeError("IPA server cannot be the new DNSSEC master "
- "(some keys are missing)")
+ raise RuntimeError("This IPA server cannot be promoted to "
+ "DNSSEC master role because some keys were "
+ "not replicated from the original "
+ "DNSSEC master server")
finally:
if dnskeysyncd_running:
dnskeysyncd.start()
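Review bot: The rewritten RuntimeError on the `+` lines asserts a definite cause ("because some keys were not replicated") for any CalledProcessError escaping the command in the try body, while the actual failure output is only emitted at debug level on the line above, so an admin running without debug output is given one diagnosis and no way to verify it. The tree appears to be Python 2 (print statements in ipa-replica-manage), so `raise ... from e` is not available; hedging the cause and pointing at the evidence, e.g. ending the message with `"not replicated from the original DNSSEC master server "` `"(see the debug log for the failing command's output)")`, keeps the message honest for other failure modes of the same command. The `try:` this except belongs to starts outside the hunk.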
@@ -195,9 +204,14 @@ def install_check(standalone, replica, options, hostname):
# some zones have --dnssec=true, make sure a user really want to
# install new database
raise RuntimeError(
- "DNSSEC is enabled for following zone(s): %s\n"
- "Please use option --kasp-db to keep current OpenDNSSEC "
- "database or use --force option to skip this check." %
+ "DNSSEC signing is already enabled for following zone(s): %s\n"
+ "Installation cannot continue without the OpenDNSSEC database "
+ "file from the original DNSSEC master server.\n"
+ "Please use option --kasp-db to specify location "
+ "of the kasp.db file copied from the original "
+ "DNSSEC master server.\n"
+ "WARNING: Zones will become unavailable if you do not provide "
+ "the original kasp.db file." %
", ".join([str(zone) for zone in dnssec_zones]))