Bug 1260993 - DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed
Summary: DNSSEC signing enablement on dnszone should throw error message when DNSSEC m...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Picka
QA Contact: Namita Soman
Depends On:
Reported: 2015-09-08 11:28 UTC by Kaleem
Modified: 2016-11-04 05:46 UTC (History)

Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:46:35 UTC
Target Upstream Version:

Attachments (Terms of Use)
evidence (2.21 KB, text/plain)
2016-09-06 13:07 UTC, Pavel Picka

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Kaleem 2015-09-08 11:28:36 UTC
Description of problem:
While turning on DNSSEC signing on a dnszone when the DNSSEC master is not installed, DNSSEC signing got enabled, which I think should throw an error (or warning).

[root@dhcp207-20 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder= --hostname=dhcp207-20.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address= -U

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-20 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@dhcp207-20 ~]# ipa dnszone-add dnssec.test. --dnssec=true
ipa: WARNING: DNSSEC support is experimental.
Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.
  Zone name: dnssec.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1441710960
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
[root@dhcp207-20 ~]#

Here an error message should be displayed.

Version-Release number of selected component (if applicable):
[root@dhcp207-20 ~]# rpm -q ipa-server
[root@dhcp207-20 ~]#

How reproducible:

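Added example (not from the bug report or from FreeIPA itself): a small audit that parses `ipa dnszone-find --all`-style output, in the indented `Key: value` format shown in the description above, and lists zones that have in-line DNSSEC signing enabled while no DNSSEC key master is installed. The sample output is constructed, and whether a key master exists is passed in by the caller (assumed to be determined separately, for example from the server's installed roles).

```python
"""Audit FreeIPA DNS zones for in-line DNSSEC signing without a key master."""
from typing import Dict, List

# Constructed sample modeled on the dnszone-add output in the bug report;
# not captured from a real server.
SAMPLE_OUTPUT = """\
----------------
2 DNS zones matched
----------------
  Zone name: dnssec.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Allow in-line DNSSEC signing: TRUE

  Zone name: testrelm.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Allow in-line DNSSEC signing: FALSE
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_zones(text: str) -> List[Dict[str, str]]:
    """Split the indented 'Key: value' blocks into one dict per zone."""
    zones: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            # Blank line, ruler or summary line: closes the current block.
            if current:
                zones.append(current)
                current = {}
            continue
        key, _, value = line.strip().partition(": ")
        if key == "Zone name" and current:
            # A new zone started without a blank separator.
            zones.append(current)
            current = {}
        current[key] = value
    if current:
        zones.append(current)
    return zones


def unsigned_master_zones(text: str, dnssec_master_installed: bool) -> List[str]:
    """Names of zones flagged for in-line signing while no key master exists.

    dnssec_master_installed is an assumption supplied by the caller."""
    if dnssec_master_installed:
        return []
    return [z["Zone name"] for z in parse_zones(text)
            if z.get("Allow in-line DNSSEC signing", "FALSE").upper() == "TRUE"]
```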
Comment 2 Petr Vobornik 2015-09-08 11:59:25 UTC
Upstream ticket:

Comment 4 Mike McCune 2016-03-28 23:03:07 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 6 Pavel Picka 2016-09-06 13:07:28 UTC
Created attachment 1198259



Comment 8 errata-xmlrpc 2016-11-04 05:46:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

