From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 17 Feb 2025 10:21:53 +0100
Subject: [PATCH] dns: don't populate forwarders with DoT forwarders

DNS over TLS setup overrides global forwarder to point to Unbound, so no
need to setup regular forwarders.

Resolves: https://pagure.io/freeipa/issue/9748
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/dns.py | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
 
     if options.no_forwarders:
         options.forwarders = []
-    elif (options.forwarders
-          or options.dot_forwarders or options.auto_forwarders):
+    elif options.forwarders or options.auto_forwarders:
         if not options.forwarders:
-            if options.dot_forwarders:
-                options.forwarders = [fw.split("#")[0]
-                                      for fw in options.dot_forwarders]
-            else:
-                options.forwarders = []
+            options.forwarders = []
         if options.auto_forwarders:
             options.forwarders.extend(dnsforwarders.get_nameservers())
     elif standalone or not replica:
@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
             "and IPA CA is not present."
         )
 
-    if not options.forwarders and options.dot_forwarders:
-        options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
-
     bind = bindinstance.BindInstance(fstore, api=api)
     bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
                options.forwarders, options.forward_policy,
-- 
2.49.0