DNSSEC: forwarders validation improvement

Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This commit is contained in:
Martin Basti 2017-01-31 16:47:44 +01:00
parent a5ccdc16cb
commit 387a1513bb

View File

@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10):
timeout=timeout)
except DNSException as e:
_log_response(log, e)
raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr,
error=e)
raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)
try:
ans.response.find_rrset(