Hide Forgot
Description of problem: While turning on dnssec signing on a dnszone when DNSSEC master not installed, dnssec signing got enabled, which i think should throw a error (or warning) [root@dhcp207-20 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=dhcp207-20.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.207.20 -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) .. ... .... ..... Done configuring DNS key synchronization service (ipa-dnskeysyncd). Restarting ipa-dnskeysyncd Restarting named Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password [root@dhcp207-20 ~]# echo xxxxxxxx|kinit admin Password for admin@TESTRELM.TEST: [root@dhcp207-20 ~]# ipa dnszone-add dnssec.test. --dnssec=true ipa: WARNING: DNSSEC support is experimental. Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'. Zone name: dnssec.test. Active zone: TRUE Authoritative nameserver: dhcp207-20.testrelm.test. Administrator e-mail address: hostmaster SOA serial: 1441710960 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; Allow in-line DNSSEC signing: TRUE [root@dhcp207-20 ~]# Here a error message should be displayed. Version-Release number of selected component (if applicable): [root@dhcp207-20 ~]# rpm -q ipa-server ipa-server-4.2.0-8.el7.x86_64 [root@dhcp207-20 ~]# How reproducible: Always.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5290
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/179d86b5f6d4f3297d20a553f4aa723e4f949fce https://fedorahosted.org/freeipa/changeset/92a4b18fc282ab7b40899c4885617fc080e9e955 ipa-4-2: https://fedorahosted.org/freeipa/changeset/ffd0e64dbb6e765ac30abc27c5b6a0a333db0140 https://fedorahosted.org/freeipa/changeset/1c173749872193b8c9234137a77f3c5400f33d2a
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Created attachment 1198259 [details] evidence Verified 4.4.0-8
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html