From cddd07f68a28f1b1c21103e9edd6e31a6e4c3716 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Jun 10 2020 14:07:07 +0000
Subject: Remove named_validate_dnssec update step
The upgrade step used to add "dnssec-validation no" to named.conf IFF named.conf did not contain "dnssec-validation" option at all. The option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function only removes the upgrade state.
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2adf1a8..409f2ba 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -837,44 +837,22 @@ def named_dnssec_enable():
 def named_validate_dnssec():
- """
- Disable dnssec validation in named.conf
+ """dnssec-validation upgrade
- We can't let enable it by default, there can be non-valid dns forwarders
- which breaks DNSSEC validation
+ The upgrade step used to add "dnssec-validation no" to named.conf IFF
+ named.conf did not contain "dnssec-validation" option at all. The
+ option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. Only remove
+ upgrade state.
 """
- if not bindinstance.named_conf_exists():
- # DNS service may not be configured
- logger.info('DNS is not configured')
- return False
-
- if (not sysupgrade.get_upgrade_state('named.conf', 'dnssec_validation_upgraded')
- and bindinstance.named_conf_get_directive(
- 'dnssec-validation', bindinstance.NAMED_SECTION_OPTIONS,
- str_val=False) is None):
- # dnssec-validation is not configured, disable it
- logger.info('[Disabling "dnssec-validate" configuration in DNS]')
- try:
- bindinstance.named_conf_set_directive('dnssec-validation', 'no',
- bindinstance.NAMED_SECTION_OPTIONS,
- str_val=False)
- except IOError as e:
- logger.error('Cannot update dnssec-validate configuration in %s: '
- '%s',
- paths.NAMED_CONF, e)
- return False
- else:
- logger.debug('dnssec-validate already configured in %s',
- paths.NAMED_CONF)
-
- sysupgrade.set_upgrade_state(
- 'named.conf', 'dnssec_validation_upgraded', True
- )
- return True
+ if bindinstance.named_conf_exists():
+ sysupgrade.remove_upgrade_state(
+ 'named.conf', 'dnssec_validation_upgraded'
+ )
+ return False
 def named_bindkey_file_option():
- """Remove options bindkey_file to named.conf
+ """Remove options bindkey_file to named.conf (4.8.7)
 DNSSEC Lookaside Validation is deprecated and dlv.isc.org is shutting down.