Bug 1260993

Summary: DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed
Product: Red Hat Enterprise Linux 7
Reporter: Kaleem <ksiddiqu>
Component: ipa
Assignee: Pavel Picka <ppicka>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: mbasti, ppicka, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:46:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: evidence (flags: none)

Description Kaleem 2015-09-08 11:28:36 UTC
Description of problem:
While turning on DNSSEC signing on a dnszone when the DNSSEC master is not installed, DNSSEC signing got enabled, which I think should throw an error (or warning).

[root@dhcp207-20 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=dhcp207-20.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.207.20 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
..
...
....
.....
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-20 ~]# echo xxxxxxxx|kinit admin
Password for admin: 
[root@dhcp207-20 ~]# ipa dnszone-add dnssec.test. --dnssec=true
ipa: WARNING: DNSSEC support is experimental.
Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.
  Zone name: dnssec.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1441710960
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
[root@dhcp207-20 ~]#

Here an error message should be displayed.

Version-Release number of selected component (if applicable):
[root@dhcp207-20 ~]# rpm -q ipa-server
ipa-server-4.2.0-8.el7.x86_64
[root@dhcp207-20 ~]#

How reproducible:
Always.
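The behaviour the report asks for, as an added Python example that is not FreeIPA's own code: a fail-closed check that refuses to mark a zone for inline signing when no DNSSEC key master is present, next to an audit that finds zones already left in the state shown above (flagged for signing, but with nothing that will ever generate keys). The directory layout, the `ipaConfigString` marker value `DNSSECKeyMaster`, the attribute names and the function names are assumptions made for illustration, not FreeIPA's real schema or API.

```python
# Added example (not FreeIPA code): a fail-closed check for enabling
# inline DNSSEC signing, plus an audit for zones left in the state this
# bug report describes. The entry layout below is an assumption made for
# illustration; it is not FreeIPA's real directory schema.

DNSSEC_MASTER_MARKER = "DNSSECKeyMaster"  # assumed ipaConfigString value


class DNSSECMasterNotInstalled(Exception):
    """Raised when a zone would be marked for signing with no key master present."""


def dnssec_master_installed(entries):
    """Return True if any server entry advertises the DNSSEC key master role.

    `entries` is a list of (dn, attributes) pairs shaped like LDAP search
    results; the marker attribute/value is an assumption for this example.
    """
    for _dn, attrs in entries:
        if DNSSEC_MASTER_MARKER in attrs.get("ipaConfigString", []):
            return True
    return False


def dnszone_add(name, dnssec, entries, zones):
    """Add a zone; refuse dnssec=True unless a key master is installed.

    The behaviour from the report is this same function without the
    `if dnssec and not dnssec_master_installed(...)` branch: the zone is
    stored with inline signing enabled even though nothing will ever sign it.
    """
    if dnssec and not dnssec_master_installed(entries):
        raise DNSSECMasterNotInstalled(
            f"cannot enable DNSSEC signing for {name}: no DNSSEC key master installed"
        )
    zone = {"idnsname": name, "idnssecinlinesigning": dnssec}
    zones[name] = zone
    return zone


def audit_unsignable_zones(entries, zones):
    """Detection side: zones flagged for signing while no key master exists.

    Such zones look 'enabled' in the CLI output but will never publish
    DNSKEY/RRSIG records, which is the silent failure the bug describes.
    """
    if dnssec_master_installed(entries):
        return []
    return sorted(n for n, z in zones.items() if z["idnssecinlinesigning"])


# Constructed sample data: one server, no DNSSEC key master role.
SERVERS_NO_MASTER = [
    ("cn=dhcp207-20.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test",
     {"ipaConfigString": ["enabledService: named"]}),  # constructed value
]
# Constructed: the same server plus an (assumed) key master marker entry.
SERVERS_WITH_MASTER = SERVERS_NO_MASTER + [
    ("cn=DNSSEC,cn=dhcp207-20.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test",
     {"ipaConfigString": [DNSSEC_MASTER_MARKER]}),
]


def demo():
    """Run the reported case; returns (error_raised, zones_flagged_by_audit)."""
    zones = {}
    try:
        dnszone_add("dnssec.test.", True, SERVERS_NO_MASTER, zones)
        error_raised = False
    except DNSSECMasterNotInstalled:
        error_raised = True
    # A pre-fix server would have stored the zone anyway; simulate that
    # state so the audit has something to find.
    zones["legacy.test."] = {"idnsname": "legacy.test.", "idnssecinlinesigning": True}
    return error_raised, audit_unsignable_zones(SERVERS_NO_MASTER, zones)


if __name__ == "__main__":
    print(demo())
```

The audit is the part worth keeping after the fix ships: servers upgraded from a version without the check can still carry zones that were accepted silently, and those zones only reveal the gap when a resolver that validates DNSSEC finds no DNSKEY records for them.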

Comment 2 Petr Vobornik 2015-09-08 11:59:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5290

Comment 4 Mike McCune 2016-03-28 23:03:07 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 6 Pavel Picka 2016-09-06 13:07:28 UTC
Created attachment 1198259 [details]
evidence

Verified

4.4.0-8

Comment 8 errata-xmlrpc 2016-11-04 05:46:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html