Remove named_validate_dnssec update step
The upgrade step used to add "dnssec-validation no" to named.conf IFF named.conf did not contain "dnssec-validation" option at all. The option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function only removes the upgrade state. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
parent
379b560c75
commit
cddd07f68a
@ -837,44 +837,22 @@ def named_dnssec_enable():
|
|||||||
|
|
||||||
|
|
||||||
def named_validate_dnssec():
|
def named_validate_dnssec():
|
||||||
|
"""dnssec-validation upgrade
|
||||||
|
|
||||||
|
The upgrade step used to add "dnssec-validation no" to named.conf IFF
|
||||||
|
named.conf did not contain "dnssec-validation" option at all. The
|
||||||
|
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. Only remove
|
||||||
|
upgrade state.
|
||||||
"""
|
"""
|
||||||
Disable dnssec validation in named.conf
|
if bindinstance.named_conf_exists():
|
||||||
|
sysupgrade.remove_upgrade_state(
|
||||||
We can't let enable it by default, there can be non-valid dns forwarders
|
'named.conf', 'dnssec_validation_upgraded'
|
||||||
which breaks DNSSEC validation
|
)
|
||||||
"""
|
return False
|
||||||
if not bindinstance.named_conf_exists():
|
|
||||||
# DNS service may not be configured
|
|
||||||
logger.info('DNS is not configured')
|
|
||||||
return False
|
|
||||||
|
|
||||||
if (not sysupgrade.get_upgrade_state('named.conf', 'dnssec_validation_upgraded')
|
|
||||||
and bindinstance.named_conf_get_directive(
|
|
||||||
'dnssec-validation', bindinstance.NAMED_SECTION_OPTIONS,
|
|
||||||
str_val=False) is None):
|
|
||||||
# dnssec-validation is not configured, disable it
|
|
||||||
logger.info('[Disabling "dnssec-validate" configuration in DNS]')
|
|
||||||
try:
|
|
||||||
bindinstance.named_conf_set_directive('dnssec-validation', 'no',
|
|
||||||
bindinstance.NAMED_SECTION_OPTIONS,
|
|
||||||
str_val=False)
|
|
||||||
except IOError as e:
|
|
||||||
logger.error('Cannot update dnssec-validate configuration in %s: '
|
|
||||||
'%s',
|
|
||||||
paths.NAMED_CONF, e)
|
|
||||||
return False
|
|
||||||
else:
|
|
||||||
logger.debug('dnssec-validate already configured in %s',
|
|
||||||
paths.NAMED_CONF)
|
|
||||||
|
|
||||||
sysupgrade.set_upgrade_state(
|
|
||||||
'named.conf', 'dnssec_validation_upgraded', True
|
|
||||||
)
|
|
||||||
return True
|
|
||||||
|
|
||||||
|
|
||||||
def named_bindkey_file_option():
|
def named_bindkey_file_option():
|
||||||
"""Remove options bindkey_file to named.conf
|
"""Remove options bindkey_file to named.conf (4.8.7)
|
||||||
|
|
||||||
DNSSEC Lookaside Validation is deprecated and dlv.isc.org is shutting
|
DNSSEC Lookaside Validation is deprecated and dlv.isc.org is shutting
|
||||||
down.
|
down.
|
||||||
|
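Review bot: The new docstring of `named_validate_dnssec()` does not say what happens on servers where the old step already ran. The new body only clears the `dnssec_validation_upgraded` state, and nothing visible in this hunk removes a `dnssec-validation no` that the removed code wrote into named.conf. If no other upgrade step rewrites named.conf (not visible here), those servers keep DNSSEC validation disabled, so the docstring should say so, e.g. `A "dnssec-validation no" written to named.conf by older versions is not reverted by this step.` The unconditional `return False` also deserves a line such as `Returns False because named.conf is never modified.`; presumably the return value tells the caller whether a change was made, which should be confirmed against the caller.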