Handle failures to resolve non-existing reverse zones during deployment with systemd-resolved

Resolves: rhbz#1948034

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

freeipa-bz1948034.patch

@@ -0,0 +1,114 @@
+From 03f7731d39689ee6da7118fa4d5de01b4012c427 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sat, 10 Apr 2021 15:40:22 +0300
+Subject: [PATCH] ipaserver/install/dns: handle SERVFAIL when checking reverse
+ zone
+
+systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
+does not yet exist when we attempt to look it up before installation.
+Assume that this is OK -- we are going to create the zone ourselves
+during installation.
+
+Fixes: https://pagure.io/freeipa/issue/8794
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipapython/dnsutil.py              |  6 ++++++
+ ipaserver/install/bindinstance.py | 12 ++++++++++++
+ ipaserver/install/dns.py          | 12 +++++++++++-
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
+index 63eb64dc1..67a5a5334 100644
+--- a/ipapython/dnsutil.py
++++ b/ipapython/dnsutil.py
+@@ -125,6 +125,10 @@ class DNSZoneAlreadyExists(dns.exception.DNSException):
+            "and is handled by server(s): {ns}")
+ 
+ 
++class DNSNoNameservers(dns.resolver.NoNameservers):
++    pass
++
++
+ @six.python_2_unicode_compatible
+ class DNSName(dns.name.Name):
+     labels = None  # make pylint happy
+@@ -447,6 +451,8 @@ def check_zone_overlap(zone, raise_on_error=True):
+     except dns.exception.DNSException as e:
+         msg = ("DNS check for domain %s failed: %s." % (zone, e))
+         if raise_on_error:
++            if isinstance(e, dns.resolver.NoNameservers):
++                raise DNSNoNameservers(**e.kwargs) from None
+             raise ValueError(msg)
+         else:
+             logger.warning('%s', msg)
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 19941cd00..f1c9e0aa2 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -312,6 +312,7 @@ def read_reverse_zone(default, ip_address, allow_zone_overlap=False):
+                 logger.error("Reverse zone %s will not be used: %s",
+                              zone, e)
+                 continue
++
+         break
+ 
+     return normalize_zone(zone)
+@@ -338,6 +339,12 @@ def get_auto_reverse_zones(ip_addresses, allow_zone_overlap=False):
+                             default_reverse, ip)
+                 logger.debug('%s', e)
+                 continue
++            except dnsutil.DNSNoNameservers as e:
++                # Show warning and continue in case we've got SERVFAIL
++                # because we are supposedly going to create this reverse zone
++                logger.warning('%s', str(e))
++                continue
++
+         auto_zones.append((ip, default_reverse))
+     return auto_zones
+ 
+@@ -505,6 +512,11 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended,
+                 else:
+                     logger.warning('%s', msg)
+                 continue
++            except dnsutil.DNSNoNameservers as e:
++                # Show warning and continue in case we've got SERVFAIL
++                # because we are supposedly going to create this reverse zone
++                logger.warning('%s', str(e))
++                continue
+         checked_reverse_zones.append(normalize_zone(rz))
+ 
+     # check that there is reverse zone for every IP
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index b51b92bfd..cbdaf99fd 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -151,6 +151,10 @@ def install_check(standalone, api, replica, options, hostname):
+                 logger.warning('%s', str(e))
+             else:
+                 raise e
++        except dnsutil.DNSNoNameservers as e:
++            # Show warning and continue in case we've got SERVFAIL
++            # because we are supposedly going to create this reverse zone
++            logger.warning('%s', str(e))
+ 
+     if standalone:
+         print("==============================================================================")
+@@ -457,7 +461,13 @@ class DNSInstallInterface(hostname.HostNameInstallInterface):
+     def reverse_zones(self, values):
+         if not self.allow_zone_overlap:
+             for zone in values:
+-                check_zone_overlap(zone)
++                try:
++                    check_zone_overlap(zone)
++                except dnsutil.DNSNoNameservers as e:
++                    # Show warning and continue in case we've got SERVFAIL
++                    # we are supposedly going to create this reverse zone
++                    logger.warning('%s', str(e))
++                    continue
+ 
+     no_reverse = knob(
+         None,
+-- 
+2.31.1
+

freeipa.spec

@@ -181,7 +181,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -192,6 +192,8 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
 %endif
 
+Patch0001:      freeipa-bz1948034.patch
+
 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
 # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@@ -1677,6 +1679,10 @@ fi
 %endif
 
 %changelog
+* Mon Apr 12 2021  Alexander Bokovoy <abokovoy@redhat.com> - 4.9.3-2
+- Handle failures to resolve non-existing reverse zones during deployment with systemd-resolved
+- Resolves: rhbz#1948034
+
 * Wed Mar 31 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.3-1
 - Upstream release FreeIPA 4.9.3