From a66789603a30b9582d9255a02edfbf66d90ae78d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sep 03 2018 13:05:23 +0000
Subject: ipa-server-install: do not perform forwarder validation with --no-dnssec-validation


ipa-server-install is checking if the forwarder(s) specified with
--forwarder argument support DNSSEC. When the --no-dnssec-validation
option is added, the installer should not perform the check.

Fixes: https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>

---

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index c7c2217..9c28d1b 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -292,8 +292,8 @@ def install_check(standalone, api, replica, options, hostname):
 
     # test DNSSEC forwarders
     if options.forwarders:
-        if (not bindinstance.check_forwarders(options.forwarders)
-                and not options.no_dnssec_validation):
+        if not options.no_dnssec_validation \
+                and not bindinstance.check_forwarders(options.forwarders):
             options.no_dnssec_validation = True
             print("WARNING: DNSSEC validation will be disabled")