Bug 1185796
| Field | Value |
|---|---|
| Summary | fix switching between secure and insecure forward zones |
| Product | Fedora |
| Component | dnssec-trigger |
| Version | 21 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | Pavel Šimerda (pavlix) <psimerda> |
| Assignee | Pavel Šimerda (pavlix) <psimerda> |
| QA Contact | Pavel Šimerda (pavlix) <psimerda> |
| CC | pj.pandit, psimerda, pspacek, pwouters, thozza |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Fixed In Version | dnssec-trigger-0.12-20.fc22 |
| Last Closed | 2015-03-26 22:04:39 UTC |
| Attachments | 984150 (patch), 984155 (patch to fix the two issues) |
Comment #1 (Pavel Šimerda):

Created attachment 984155: patch to fix the two issues

Furthermore I realized that there is a problem with switching from insecure mode to secure mode using a single *forward_add* command. While there is a "+i" switch that makes sure the zone is insecure, there's no "-i" switch to make sure the zone is secure (when insecure previously). Therefore it is necessary to fix up the secure state using *insecure_remove* afterwards.

Upstream can change this in the future based on unbound-control improvements.
Comment #2:

(In reply to Pavel Šimerda (pavlix) from comment #1)

> Furthermore I realized that there is a problem with switching from insecure
> mode to secure mode using a single *forward_add* command. While there is a
> "+i" switch that makes sure the zone is insecure, there's no "-i" switch to
> make sure the zone is secure (when insecure previously). Therefore it is
> necessary to fix up the secure state using *insecure_remove* afterwards.

Yes, basically you can use the 'insecure_remove' OR you could remove the insecure forward zone completely and re-add it as secure. However the final effect should be the same, so I think it is OK to do it the way you've proposed. Thanks.

Comment #3 (Fedora Update System):

dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/dnssec-trigger-0.12-18.fc21

Comment #4 (Fedora Update System):

Package dnssec-trigger-0.12-18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.12-18.fc21'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21
then log in and leave karma (feedback).

Comment #5 (Fedora Update System):

dnssec-trigger-0.12-19.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/FEDORA-2015-3864/dnssec-trigger-0.12-19.fc22

Comment #6 (Fedora Update System):

dnssec-trigger-0.12-19.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2015-3843/dnssec-trigger-0.12-19.fc21

Comment #7 (Fedora Update System):

dnssec-trigger-0.12-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment #8 (Fedora Update System):

dnssec-trigger-0.12-20.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Description (Pavel Šimerda):

Created attachment 984150: patch

As dnssec-trigger-script cannot rely on a specific, current version of Unbound, the upstream code attempts to check whether the list of servers for a zone should be changed and skips the action if not. The attached patch makes sure we always rewrite the forward zone as it may be switching between secure and insecure.
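The two points raised in this bug (always rewrite the forward zone rather than skipping when the server list is unchanged, and follow a secure `forward_add` with `insecure_remove` because `unbound-control` has no "-i" switch) can be put into a small helper. The script below is an added illustration, not the dnssec-trigger-script code or its patch; the `UNBOUND_CONTROL` variable, the `set_forward_zone` function and the `--dry-run` option are assumptions made here so the command sequence can be inspected without a running Unbound.

```shell
#!/bin/sh
# Added example (not part of dnssec-trigger). Rewrites a forward zone
# unconditionally so that a switch between secure and insecure validation
# is never skipped just because the forwarder addresses did not change.
#
# UNBOUND_CONTROL is an assumed hook: point it at "echo" to dry-run.
: "${UNBOUND_CONTROL:=unbound-control}"

# usage: set_forward_zone ZONE secure|insecure SERVER...
# Emits one unbound-control invocation per line so callers can log or
# verify the exact sequence that will be applied.
set_forward_zone() {
    zone=$1
    mode=$2
    shift 2
    case $mode in
        insecure)
            # "+i" both installs the forwarders and marks the zone insecure
            # (no DNSSEC validation for it).
            $UNBOUND_CONTROL forward_add +i "$zone" "$@"
            ;;
        secure)
            # There is no "-i": re-add the zone without "+i", then clear the
            # insecure flag an earlier "+i" may have left behind, otherwise
            # the zone would silently stay unvalidated.
            $UNBOUND_CONTROL forward_add "$zone" "$@"
            $UNBOUND_CONTROL insecure_remove "$zone"
            ;;
        *)
            echo "set_forward_zone: mode must be 'secure' or 'insecure'" >&2
            return 2
            ;;
    esac
}

# Dry-run demonstration with constructed sample input (documentation
# address range), so the script is runnable without Unbound installed.
if [ "${1-}" = "--dry-run" ]; then
    UNBOUND_CONTROL=echo
    set_forward_zone corp.example insecure 192.0.2.53
    set_forward_zone corp.example secure 192.0.2.53
fi
```

Running the script with `--dry-run` prints the three commands that the insecure-to-secure transition needs; the second call shows that `insecure_remove` is issued even though the forwarder address is identical, which is exactly the case the original skip-if-unchanged logic got wrong.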