| author | Martin Basti <mbasti@redhat.com> | 2014-10-16 16:27:00 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
| commit | ca030a089f9e45a5dae5f6fb5993f4cc714f1ab2 (patch) | |
| tree | f99b61a736b118ce42773cc1d9ab8769b28a6a79 /install/tools/ipa-server-install | |
| parent | 30bc3a55cf816cc5114ddbd102afa8b52f598dec (diff) | |
DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/tools/ipa-server-install')
| -rwxr-xr-x | install/tools/ipa-server-install | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3fa7bd72a..39662db0c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -286,6 +286,8 @@ def parse_options():
                          action="append", default=[])
     dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
                       default=False, help="Do not create reverse DNS zone")
+    dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
+                      default=False, help="Disable DNSSEC validation")
     dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
                       type="string",
                       help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
@@ -331,6 +333,8 @@ def parse_options():
             parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
         if options.no_reverse:
             parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
+        if options.no_dnssec_validation:
+            parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
     elif options.forwarders and options.no_forwarders:
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
     elif options.reverse_zones and options.no_reverse:
@@ -1033,6 +1037,13 @@ def main():
         else:
             dns_forwarders = read_dns_forwarders()
 
+        #test DNSSEC forwarders
+        if dns_forwarders:
+            if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
+                    and not options.no_dnssec_validation):
+                options.no_dnssec_validation = True
+                print "WARNING: DNSSEC validation will be disabled"
+
         reverse_zones = bindinstance.check_reverse_zones(ip_addresses, options.reverse_zones,
                                                          options, options.unattended)
 
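Review bot: In the third hunk (`@@ -1033`), a failed `bindinstance.check_forwarders` silently flips `options.no_dnssec_validation` to True and only prints a warning, so the server ends up permanently configured without DNSSEC validation whenever the check cannot be satisfied at install time — including a transient network fault — and nothing later distinguishes that outcome from an operator's explicit `--no-dnssec-validation`. Failing open is defensible for an interactive run, but with `options.unattended` (used two lines below) the warning scrolls past a script nobody reads, so I would abort in that mode and require the explicit flag. The `print` also bypasses the install log; emit the message through `root_logger.warning(...)` as well, since `root_logger` is already in scope here. The sketch below assumes `sys` is imported at file top as is usual for this script; that, and the rest of `main()`, are outside the hunk.
```python
        #test DNSSEC forwarders
        if dns_forwarders:
            if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
                    and not options.no_dnssec_validation):
                if options.unattended:
                    # fail closed: an unattended install must opt out explicitly
                    sys.exit("Forwarders did not pass the DNSSEC check; "
                             "rerun with --no-dnssec-validation to proceed without it")
                options.no_dnssec_validation = True
                root_logger.warning("DNSSEC validation will be disabled")
                print "WARNING: DNSSEC validation will be disabled"
        # … unchanged: reverse_zones check …
```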
@@ -1267,7 +1278,8 @@ def main():
     bind = bindinstance.BindInstance(fstore, dm_password)
     bind.setup(host_name, ip_addresses, realm_name, domain_name, dns_forwarders,
                options.conf_ntp, reverse_zones, zonemgr=options.zonemgr,
-               ca_configured=setup_ca)
+               ca_configured=setup_ca,
+               no_dnssec_validation=options.no_dnssec_validation)
     if options.setup_dns:
         api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) |
