From 27534f8d7294536364147b18b76ecb2bac67870f Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Aug 16 2016 12:25:00 +0000
Subject: DNS server upgrade: do not fail when DNS server did not respond
Previously, update_dnsforward_emptyzones failed with an exeception if DNS query failed for some reason. Now the error is logged and upgrade continues.
I assume that this is okay because the DNS query is used as heuristics of last resort in the upgrade logic and failure to do so should not have catastrophics consequences: In the worst case, the admin needs to manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on GSSAPI for authentication, which in turn depends on KDC ... Alternative like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti
---
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 873dbd0..6f67f98 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -17,6 +17,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+from __future__ import absolute_import
+
+import dns.exception
 import ldap as _ldap
 import re
 import traceback
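Review bot: The new `from __future__ import absolute_import` line needs a comment explaining why it is there: this module is itself named dns.py, so the `import dns.exception` added two lines below it would resolve to this very file under Python 2's implicit relative imports rather than to the dnspython package. Suggested comment above the future import: `# absolute_import: this module is dns.py; without it "import dns.exception" resolves to this file under Python 2`. Without that note a later cleanup that removes __future__ imports as "unused" would silently break the DNSException handling this commit adds in update_dnsforward_emptyzones.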
@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater):
 self.api.Command['dnsconfig_mod'](ipadnsversion=2)
 self.update_zones()
- if dnsutil.has_empty_zone_addresses(self.api.env.host):
- self.update_global_ldap_forwarder()
+ try:
+ if dnsutil.has_empty_zone_addresses(self.api.env.host):
+ self.update_global_ldap_forwarder()
+ except dns.exception.DNSException as ex:
+ self.log.error('Skipping update of global DNS forwarder in LDAP: '
+ 'Unable to determine if local server is using an '
+ 'IP address belonging to an automatic empty zone. '
+ 'Consider changing forwarding policy to "only". '
+ 'DNS exception: %s', ex)
 return False, []
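Review bot: The new `try` body wraps `self.update_global_ldap_forwarder()` as well as the DNS lookup, so a DNSException raised from inside the LDAP update (whether that path can raise one is outside the hunk, so I cannot tell) would be swallowed and logged as "Unable to determine if local server is using an IP address belonging to an automatic empty zone", which misdescribes what failed. Keep only the `dnsutil.has_empty_zone_addresses(self.api.env.host)` call inside the `try` and perform the update in an `else:` branch, as below; the log message itself stays as written. The enclosing method starts outside the hunk.
```python
        try:
            in_empty_zone = dnsutil.has_empty_zone_addresses(self.api.env.host)
        except dns.exception.DNSException as ex:
            # … unchanged: self.log.error('Skipping update of global DNS forwarder in LDAP: ' …, ex) …
        else:
            # Only the DNS heuristic is best-effort; an LDAP failure here must still surface.
            if in_empty_zone:
                self.update_global_ldap_forwarder()
```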