#5290 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed
Closed: Fixed. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1260993

Description of problem:
While turning on DNSSEC signing on a dnszone when the DNSSEC master is not installed,
DNSSEC signing got enabled, which I think should throw an error (or warning).

[root@dhcp207-20 ~]# /usr/sbin/ipa-server-install --setup-dns
--forwarder=10.65.201.89 --hostname=dhcp207-20.testrelm.test -r TESTRELM.TEST
-n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.207.20 -U

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
..
...
....
.....
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit
admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-20 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST:
[root@dhcp207-20 ~]# ipa dnszone-add dnssec.test. --dnssec=true
ipa: WARNING: DNSSEC support is experimental.
Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.
  Zone name: dnssec.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1441710960
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST
krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
[root@dhcp207-20 ~]#

Here an error message should be displayed.

Version-Release number of selected component (if applicable):
[root@dhcp207-20 ~]# rpm -q ipa-server
ipa-server-4.2.0-8.el7.x86_64
[root@dhcp207-20 ~]#

How reproducible:
Always.
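
The following is an added example, not FreeIPA code and not the fix delivered on this ticket: a shell pre-flight check an administrator can run before `ipa dnszone-add <zone> --dnssec=true` on a release that does not yet warn. It assumes that a master installed with `ipa-dns-install --dnssec-master` is recorded in LDAP as the service container entry cn=DNSSEC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> carrying `ipaConfigString: DNSSECKeyMaster`, that the suffix for the reporter's domain testrelm.test is dc=testrelm,dc=test, and it feeds the check constructed LDIF instead of live ldapsearch output so that it runs offline. The check keys on the DNSSECKeyMaster value, not on the mere existence of a cn=DNSSEC entry, and unfolds LDIF continuation lines so real ldapsearch output (which wraps long dn lines) parses the same way.

```shell
#!/bin/sh
# Added example, not FreeIPA code: refuse to enable in-line signing on a zone
# unless a DNSSEC key master is recorded in LDAP.
#
# Assumed layout: "ipa-dns-install --dnssec-master" creates the service entry
#   cn=DNSSEC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>
# with "ipaConfigString: DNSSECKeyMaster". On the reporter's server the LDIF
# would come from (suffix assumed from the domain testrelm.test):
#   ldapsearch -LLL -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test \
#       '(cn=DNSSEC)' dn ipaConfigString
# Below, the LDIF is constructed inline so the example runs offline.

# Exit 0 if the LDIF on stdin holds a DNSSEC service entry under cn=masters whose
# ipaConfigString includes DNSSECKeyMaster; exit 1 otherwise.
dnssec_key_master_present() {
    awk '
        BEGIN { RS = ""; FS = "\n"; found = 0 }          # one LDIF entry per record
        {
            n = 0; split("", line)
            for (i = 1; i <= NF; i++) {                  # unfold " "-continued lines
                if ($i ~ /^ / && n > 0) line[n] = line[n] substr($i, 2)
                else line[++n] = $i
            }
            is_dnssec = 0; is_master = 0
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^dn: cn=DNSSEC,cn=[^,]+,cn=masters,cn=ipa,cn=etc,/) is_dnssec = 1
                if (line[i] ~ /^ipaConfigString: DNSSECKeyMaster$/) is_master = 1
            }
            if (is_dnssec && is_master) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Wrapper for "ipa dnszone-add <zone> --dnssec=true": $1 is the zone, LDIF comes
# on stdin. It prints the command it would run instead of executing it, so the
# example is safe anywhere; returns 2 when no key master is present.
guarded_dnszone_add() {
    zone=$1
    if dnssec_key_master_present; then
        echo "ipa dnszone-add $zone --dnssec=true"
        return 0
    fi
    echo "error: no DNSSEC key master under cn=masters; run 'ipa-dns-install --dnssec-master' first" >&2
    return 2
}

# Constructed sample LDIF (not captured from a real server). The DNS entry alone
# is what a 4.2 master without a key master would show.
SAMPLE_NO_MASTER='dn: cn=DNS,cn=dhcp207-20.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
ipaConfigString: enabledService'

# Same server after installing the key master; the dn is folded the way
# ldapsearch wraps long lines, to exercise the unfolding above.
SAMPLE_WITH_MASTER="$SAMPLE_NO_MASTER

dn: cn=DNSSEC,cn=dhcp207-20.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testre
 lm,dc=test
ipaConfigString: enabledService
ipaConfigString: DNSSECKeyMaster"

# The reproducer from the ticket, guarded: first refused, then allowed.
printf '%s\n' "$SAMPLE_NO_MASTER"   | guarded_dnszone_add dnssec.test. || echo "refused with status $?"
printf '%s\n' "$SAMPLE_WITH_MASTER" | guarded_dnszone_add dnssec.test.
```

The point of refusing rather than warning client-side: without a key master the zone is flagged for in-line signing in LDAP, but nothing exists to generate its keys, so `dnszone-show` reports signing as enabled while the zone keeps being served unsigned.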

master:

  • 179d86b DNSSEC: Remove service containers from LDAP after uninstalling
  • 92a4b18 DNSSEC: warn user if DNSSEC key master is not installed

ipa-4-2:

  • ffd0e64 DNSSEC: Remove service containers from LDAP after uninstalling
  • 1c17374 DNSSEC: warn user if DNSSEC key master is not installed

Metadata Update from @pvoborni (7 years ago):
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2.3