authorMartin Basti <mbasti@redhat.com>2014-06-27 17:07:00 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-02 18:41:57 +0200
commit3b310d6b4f8063149d1abe823b64bc9796a97ab2 (patch)
tree3aa0789fa4467b505506af5042eaaa0f6152a23d /install
parent5c2ddaf6606736074c4b548592405a8e98027308 (diff)
DNSSEC: Add experimental support for DNSSEC
Ticket: https://fedorahosted.org/freeipa/ticket/4408 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/share/bind.named.conf.template2
-rw-r--r--install/tools/ipa-upgradeconfig21
2 files changed, 23 insertions, 0 deletions
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 0984febb1..6db17120f 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -16,6 +16,8 @@ options {
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
+
+ dnssec-enable yes;
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
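Review bot: The added `dnssec-enable yes;` has no comment, and on its own it only makes named return DNSSEC records in its responses; validating answers is governed by the separate `dnssec-validation` option, which is not visible in this hunk. Since the commit calls the support experimental, a comment above the directive such as `/* serve DNSSEC records; validation is configured separately via dnssec-validation */` would keep administrators from reading this line as "responses are validated". The options block starts outside the hunk, so an existing validation setting cannot be ruled out from here.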
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 622c92d75..2fecc1404 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -594,6 +594,26 @@ def named_update_pid_file():
sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
return True
+def named_enable_dnssec():
+ """
+ Enable dnssec in named.conf
+ """
+ if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'):
+ root_logger.info('[Enabling "dnssec-enable" configuration in DNS]')
+ try:
+ bindinstance.named_conf_set_directive('dnssec-enable', 'yes',
+ bindinstance.NAMED_SECTION_OPTIONS,
+ str_val=False)
+ except IOError, e:
+ root_logger.error('Cannot update dnssec-enable configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ root_logger.debug('dnssec-enabled in %s' % bindinstance.NAMED_CONF)
+
+ sysupgrade.set_upgrade_state('named.conf', 'dnssec_enabled', True)
+ return True
+
def certificate_renewal_update(ca):
"""
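Review bot: named_enable_dnssec() appears to return True even when the 'dnssec_enabled' state was already set: if the `else:` pairs with the outer `if` (indentation is lost on this page), the already-done path logs at debug level and then falls through to `sysupgrade.set_upgrade_state(...)` and `return True`. main() collects this value into `named_conf_changes` and tests `any(named_conf_changes)` in the last hunk, so every later upgrade run would report a named.conf change that did not happen; what that branch then does lies outside the visible lines. Adding `return False` after the debug line would leave `return True` reachable only from the branch that actually wrote the directive. Separately, the debug call formats with `%` while the error call passes lazy arguments; `root_logger.debug('dnssec-enabled in %s', bindinstance.NAMED_CONF)` would match the latter.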
@@ -1129,6 +1149,7 @@ def main():
named_enable_serial_autoincrement(),
named_update_gssapi_configuration(),
named_update_pid_file(),
+ named_enable_dnssec(),
)
if any(named_conf_changes):