From 387a1513bb9dc0dc546753bfaa8a59aae8f30b83 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 31 Jan 2017 16:47:44 +0100 Subject: [PATCH] DNSSEC: forwarders validation improvement Some DNS servers behaves oddly and instead sending result without RRSIG records don't reply at all when DNSSEC flag is enabled (timeout). Instead of hard error IPA should this handle as DNSSEC error and continue with installation/adding forwarders. Reviewed-By: Tomas Krizek --- ipalib/util.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 1c354b633..1509607db 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10): timeout=timeout) except DNSException as e: _log_response(log, e) - raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr, - error=e) + raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr) try: ans.response.find_rrset(