DNSSEC: forwarders validation improvement

Some DNS servers behaves oddly and instead sending result without RRSIG records don't reply at all when DNSSEC flag is enabled (timeout). Instead of hard error IPA should this handle as DNSSEC error and continue with installation/adding forwarders. Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
author: Martin Basti <mbasti@redhat.com> 2017-01-31 16:47:44 +0100
committer: Martin Basti <mbasti@redhat.com> 2017-02-08 15:59:41 +0100
commit: 387a1513bb9dc0dc546753bfaa8a59aae8f30b83 (patch)
tree: 5f9186b67358d8c377f7b92e6a277155a0c7643c /ipalib
parent: a5ccdc16cbcec433ef061dfe65515e32c3021ea2 (diff)
download: freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.tar.gz
freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.tar.xz
freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.zip
1 files changed, 1 insertions, 2 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index 1c354b633..1509607db 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10):
                               timeout=timeout)
     except DNSException as e:
         _log_response(log, e)
-        raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr,
-                                      error=e)
+        raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)
 
     try:
         ans.response.find_rrset(
author	Martin Basti <mbasti@redhat.com>	2017-01-31 16:47:44 +0100
committer	Martin Basti <mbasti@redhat.com>	2017-02-08 15:59:41 +0100
commit	387a1513bb9dc0dc546753bfaa8a59aae8f30b83 (patch)
tree	5f9186b67358d8c377f7b92e6a277155a0c7643c /ipalib
parent	a5ccdc16cbcec433ef061dfe65515e32c3021ea2 (diff)
download	freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.tar.gz freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.tar.xz freeipa-387a1513bb9dc0dc546753bfaa8a59aae8f30b83.zip