author | Martin Basti <mbasti@redhat.com> | 2017-01-31 16:47:44 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-02-08 15:59:41 +0100 |
commit | 387a1513bb9dc0dc546753bfaa8a59aae8f30b83 (patch) | |
tree | 5f9186b67358d8c377f7b92e6a277155a0c7643c /ipalib | |
parent | a5ccdc16cbcec433ef061dfe65515e32c3021ea2 (diff) | |
DNSSEC: forwarders validation improvement
Some DNS servers behave oddly and, instead of sending a result without RRSIG records,
don't reply at all when the DNSSEC flag is enabled (timeout). Instead of a
hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/util.py | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/ipalib/util.py b/ipalib/util.py index 1c354b633..1509607db 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10): timeout=timeout) except DNSException as e: _log_response(log, e) - raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr, - error=e) + raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr) try: ans.response.find_rrset( |
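Review bot: In the `except DNSException as e:` branch of `validate_dnssec_global_forwarder`, the new raise turns every DNSException into `DNSSECSignatureMissingError`, while the commit message only describes the timeout case. A forwarder that fails for any other reason would now be reported as a missing-signature problem rather than as unresolvable, and because `error=e` is dropped the underlying exception survives only in the `_log_response(log, e)` output. Consider catching the timeout on its own (dnspython's `dns.exception.Timeout`) and raising `DNSSECSignatureMissingError` there, keeping `UnresolvableRecordError(..., error=e)` for the remaining DNSException cases, and add a short comment explaining why a timeout is treated as a DNSSEC failure.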