Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1260993
Description of problem:

While turning on DNSSEC signing on a dnszone when the DNSSEC master is not installed, DNSSEC signing got enabled, which I think should throw an error (or warning).

[root@dhcp207-20 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=dhcp207-20.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.207.20 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
..
...
....
.....
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
     TCP Ports:
       * 80, 443: HTTP/HTTPS
       * 389, 636: LDAP/LDAPS
       * 88, 464: kerberos
       * 53: bind
     UDP Ports:
       * 88, 464: kerberos
       * 53: bind
       * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

[root@dhcp207-20 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST:

[root@dhcp207-20 ~]# ipa dnszone-add dnssec.test. --dnssec=true
ipa: WARNING: DNSSEC support is experimental.
Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.
  Zone name: dnssec.test.
  Active zone: TRUE
  Authoritative nameserver: dhcp207-20.testrelm.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1441710960
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
[root@dhcp207-20 ~]#

Here an error message should be displayed.

Version-Release number of selected component (if applicable):

[root@dhcp207-20 ~]# rpm -q ipa-server
ipa-server-4.2.0-8.el7.x86_64
[root@dhcp207-20 ~]#

How reproducible:

Always.
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.2.3