ipatests: disable bind dns validation when preparing to establish AD trust

Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to add a DNS forwarder for the AD domain.
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with a valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Sergey Orlov 2019-03-26 16:41:30 +01:00 committed by Rob Crittenden
parent 3e01d2619e
commit 14f27d299e


@ -567,6 +567,14 @@ def install_adtrust(host):
run_repeatedly(host, dig_command, test=dig_test)
def disable_dnssec_validation(host):
named_conf = host.get_file_contents(paths.NAMED_CONF)
named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;',
named_conf)
host.put_file_contents(paths.NAMED_CONF, named_conf)
restart_named(host)
def configure_dns_for_trust(master, ad):
"""
This configures DNS on IPA master according to the relationship of the
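Review bot: `disable_dnssec_validation` can silently do nothing: the regex only matches the literal `dnssec-validation yes;`, so if the directive is absent from `named.conf` or carries any other value, the file is written back unchanged and `named` is restarted for no effect, and the caller has no way to tell. Consider checking that `re.sub` actually changed the contents (for example with `re.subn` and asserting the count, or falling back to appending the directive) and adding a short docstring stating that this is a deliberate, test-only downgrade of the resolver's security posture, with a pointer to the reason it is needed.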
@ -606,6 +614,7 @@ def configure_dns_for_trust(master, ad):
master.run_command(['ipa', 'dnszone-mod', master.domain.name,
'--allow-transfer', ad.ip])
else:
disable_dnssec_validation(master)
master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
'--forwarder', ad.ip,
'--forward-policy', 'only',
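Review bot: the new `disable_dnssec_validation(master)` call in the `else:` branch is one-way; nothing in this hunk restores `dnssec-validation yes;` once the forward zone to `ad.ip` is no longer needed, so later tests on the same master will run with validation off. Consider pairing it with a restore step in the corresponding teardown, and add a one-line comment above the call explaining why validation must be disabled before `dnsforwardzone-add` (the AD DNS server is not DNSSEC-signed, per the commit message), so a future reader does not mistake it for an accidental weakening.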