From a9704de4bda8e72fc231f48e98a1003c1a70dace Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Fri, 23 Oct 2020 11:38:01 -0700
Subject: [PATCH] FreeIPA: disable dnssec validation till weird bug is fixed I noticed today that if we deploy FreeIPA with dnssec validation enabled, dnf can't resolve dl.fedoraproject.org afterwards, which is a problem because it means we wind up falling through to random mirrors for metadata and package download once the server is deployed, which can be slow and give old packages. This seems to be why the server upgrade test on F33 is sometimes failing because we get an older FreeIPA package on upgrade, even though the newer one has been stable for a week. It's difficult to pin down exactly where this bug is and fix it, I've mailed some folks to try and work it out, but until that's figured out, let's just disable dnssec validation.
Signed-off-by: Adam Williamson
---
 tests/realmd_join_sssd.pm | 2 +-
 tests/role_deploy_domain_controller.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/realmd_join_sssd.pm b/tests/realmd_join_sssd.pm
index 855fb903..8ebe17ab 100644
--- a/tests/realmd_join_sssd.pm
+++ b/tests/realmd_join_sssd.pm
@@ -56,7 +56,7 @@ sub run {
 # deploy as a replica
 my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
- my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
+ my $args = "--ip-address=$ip --setup-dns --no-dnssec-validation --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
 assert_script_run "ipa-replica-install $args", 1500;
 # enable and start the systemd service
diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm
index 0580e757..f24c429f 100644
--- a/tests/role_deploy_domain_controller.pm
+++ b/tests/role_deploy_domain_controller.pm
@@ -38,7 +38,7 @@ sub run {
 }
 assert_script_run "systemctl restart firewalld.service";
 # deploy the server
- my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
+ my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-dnssec-validation --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
 assert_script_run "ipa-server-install $args", 1200;
 # enable and start the systemd service
 assert_script_run "systemctl enable ipa.service";
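Review bot: The `--no-dnssec-validation` flag added to the `ipa-server-install` argument string carries no comment marking it as temporary, so nothing in the test tells a later reader that validation was switched off as a workaround and is meant to come back. I would add a line above `my $args` such as `# FIXME: --no-dnssec-validation works around dnf failing to resolve dl.fedoraproject.org after deploy; drop it once that is fixed`. The same applies to the `ipa-replica-install` arguments in tests/realmd_join_sssd.pm. While the flag is in place these tests no longer exercise a deployment with DNSSEC validation enabled, so a regression in that configuration would presumably go unnoticed here. Both `run` bodies start and end outside the hunks.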