From ecdbcea1e8493e42d55e15e57e57de7ee18f1199 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 30 Jan 2018 10:25:56 +0100
Subject: [PATCH] ipaserver: Fix DNS installation forward policy and DNSSEC
 validation

forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.

no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.

New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.
---
 roles/ipaserver/library/ipaserver_test.py | 4 +++-
 roles/ipaserver/tasks/install.yml         | 8 ++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index e7f2a68e..442419b7 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -108,7 +108,7 @@ def main():
             forwarders=dict(required=False, type='list', default=[]),
             no_forwarders=dict(required=False, type='bool', default=False),
             auto_forwarders=dict(required=False, type='bool', default=False),
-            forward_policy=dict(default='first', choices=['first', 'only']),
+            forward_policy=dict(default=None, choices=['first', 'only']),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
             ### ad trust ###
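Review bot: The new `default=None` on `forward_policy` is a sentinel with no explanation where it is defined, and the entry still lacks the `required=False` that its neighbours carry. A short comment above the line, such as `# None = not set by the user; the DNS check chooses the policy`, would keep a later reader from restoring `'first'` as the default. The argument spec sits inside main(), which starts and ends outside this hunk.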
@@ -766,7 +766,9 @@ def main():
                              _ca_subject=options._ca_subject,
                              ### dns ###
                              reverse_zones=options.reverse_zones,
+                             forward_policy=options.forward_policy,
                              forwarders=options.forwarders,
+                             no_dnssec_validation=options.no_dnssec_validation,
                              ### additional ###
                              _installation_cleanup=_installation_cleanup,
                              domainlevel=options.domainlevel,
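Review bot: The returned `no_dnssec_validation` can now differ from what the playbook passed in, and nothing in this hunk makes that visible to the operator. Per the commit message, the DNS check turns it on when the forwarders do not validate DNSSEC. Both install.yml hunks then use the returned value instead of `ipaserver_no_dnssec_validation`, so a run can finish with validation disabled even though the inventory says otherwise. I would add a comment on the return line, e.g. `# may be True although the task passed False: set by the DNS check when forwarders lack DNSSEC support`, and have the module emit a warning (AnsibleModule provides `warn()`) whenever the value was changed. The call belongs to main(), whose body continues outside the hunk.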
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 8693f72c..1bf536a2 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -131,7 +131,7 @@
       no_reverse: "{{ ipaserver_no_reverse }}"
       auto_reverse: "{{ ipaserver_auto_reverse }}"
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"
-      no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
+      no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
       ### additional ###
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
       _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
@@ -282,10 +282,10 @@
       hostname: "{{ result_ipaserver_test.hostname }}"
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
       setup_dns: "{{ ipaserver_setup_dns }}"
-      forwarders: "{{ result_ipaserver_test.forwarders | default(omit) }}"
-      forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
+      forwarders: "{{ result_ipaserver_test.forwarders }}"
+      forward_policy: "{{ result_ipaserver_test.forward_policy }}"
       zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
-      no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
+      no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
       ### additional ###
       dns_ip_addresses: "{{ result_ipaserver_test.dns_ip_addresses }}"
       dns_reverse_zones: "{{ result_ipaserver_test.dns_reverse_zones }}"
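Review bot: Dropping `| default(omit)` from `forward_policy` means a null result is templated into this task instead of being omitted. ipaserver_test.py now defaults `forward_policy` to None, so if the DNS check does not assign a value on some path (not visible in this diff), the receiving module gets a null or "None" value that may fail a `choices` check. `forward_policy: "{{ result_ipaserver_test.forward_policy | default(omit, true) }}"` keeps the new data flow while still omitting an unset value. The same consideration applies to `forwarders` on the line above if the receiving module treats an empty list differently from an absent one.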
-- 
GitLab