areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/1010-Disable-DNSSEC-support.patch

e3ffab
From 80cae5f5ea38528caab01efae9100659e2ebb86e Mon Sep 17 00:00:00 2001
e3ffab
From: Jan Cholasta <jcholast@redhat.com>
e3ffab
Date: Tue, 21 Oct 2014 14:25:50 +0200
e3ffab
Subject: [PATCH] Disable DNSSEC support
e3ffab
e3ffab
---
e3ffab
 install/share/bind.named.conf.template |  2 +-
e3ffab
 install/tools/ipa-dns-install          | 52 ++++------------------------------
e3ffab
 install/tools/ipa-replica-install      | 16 ++++-------
e3ffab
 install/tools/ipa-replica-manage       | 12 --------
e3ffab
 install/tools/ipa-server-install       | 40 +++-----------------------
e3ffab
 install/tools/ipa-upgradeconfig        | 10 -------
e3ffab
 ipalib/plugins/dns.py                  |  4 ++-
e3ffab
 ipaplatform/redhat/services.py         |  6 ++--
e3ffab
 ipapython/Makefile                     |  2 +-
e3ffab
 ipapython/setup.py.in                  |  2 +-
e3ffab
 ipaserver/install/bindinstance.py      | 25 ----------------
e3ffab
 11 files changed, 24 insertions(+), 147 deletions(-)
e3ffab
e3ffab
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
e3ffab
index 3c19383c0dde4353b30b16240ec2b81d7ea65776..b3b06211b15cc1736453b203b52bacfba8036618 100644
e3ffab
--- a/install/share/bind.named.conf.template
e3ffab
+++ b/install/share/bind.named.conf.template
e3ffab
@@ -18,7 +18,7 @@ options {
e3ffab
 	pid-file "$NAMED_PID";
e3ffab
 
e3ffab
 	dnssec-enable yes;
e3ffab
-	dnssec-validation yes;
e3ffab
+	dnssec-validation no;
e3ffab
 
e3ffab
 	/* Path to ISC DLV key */
e3ffab
 	bindkeys-file "$BINDKEYS_FILE";
e3ffab
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
e3ffab
index cbf3faeef3644870b6978e02c95f67354cc7e61b..114351c9f7a5a779e4c8516c1411139c38d7138b 100755
e3ffab
--- a/install/tools/ipa-dns-install
e3ffab
+++ b/install/tools/ipa-dns-install
e3ffab
@@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRESS_HELP
e3ffab
 
e3ffab
 import krbV
e3ffab
 
e3ffab
-from ipaserver.install import (service, bindinstance, ntpinstance,
e3ffab
-    httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
e3ffab
+from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
e3ffab
 from ipaserver.install.installutils import *
e3ffab
 from ipaserver.install import installutils
e3ffab
 from ipapython import version
e3ffab
@@ -54,10 +53,6 @@ def parse_options():
e3ffab
                       help="The reverse DNS zone to use")
e3ffab
     parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
e3ffab
                       default=False, help="Do not create new reverse DNS zone")
e3ffab
-    parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
e3ffab
-                      default=False, help="Disable DNSSEC validation")
e3ffab
-    parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
e3ffab
-                      default=False, help="Setup server to be DNSSEC key master")
e3ffab
     parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
e3ffab
                       type="string",
e3ffab
                       help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
e3ffab
@@ -67,6 +62,10 @@ def parse_options():
e3ffab
     options, args = parser.parse_args()
e3ffab
     safe_options = parser.get_safe_opts(options)
e3ffab
 
e3ffab
+    # Disable DNSSEC support
e3ffab
+    options.no_dnssec_validation = False
e3ffab
+    options.dnssec_master = False
e3ffab
+
e3ffab
     if options.forwarders and options.no_forwarders:
e3ffab
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
e3ffab
     elif options.reverse_zones and options.no_reverse:
e3ffab
@@ -101,21 +100,6 @@ def main():
e3ffab
     print ""
e3ffab
     print "This includes:"
e3ffab
     print "  * Configure DNS (bind)"
e3ffab
-    print "  * Configure SoftHSM (required by DNSSEC)"
e3ffab
-    print "  * Configure ipa-dnskeysyncd (required by DNSSEC)"
e3ffab
-    if options.dnssec_master:
e3ffab
-        print "  * Configure ipa-ods-exporter (required by DNSSEC key master)"
e3ffab
-        print "  * Configure OpenDNSSEC (required by DNSSEC key master)"
e3ffab
-        print "  * Generate DNSSEC master key (required by DNSSEC key master)"
e3ffab
-    print ""
e3ffab
-    print "NOTE: DNSSEC zone signing is not enabled by default"
e3ffab
-    print ""
e3ffab
-    if options.dnssec_master:
e3ffab
-        print "DNSSEC support is experimental!"
e3ffab
-        print ""
e3ffab
-        print "Plan carefully, current version doesn't allow you to move DNSSEC"
e3ffab
-        print "key master to different server and master cannot be uninstalled"
e3ffab
-        print ""
e3ffab
     print ""
e3ffab
     print "To accept the default shown in brackets, press the Enter key."
e3ffab
     print ""
e3ffab
@@ -126,15 +110,9 @@ def main():
e3ffab
         sys.exit("Aborted")
e3ffab
 
e3ffab
     # Check bind packages are installed
e3ffab
-    if not (bindinstance.check_inst(options.unattended) and
e3ffab
-            dnskeysyncinstance.check_inst()):
e3ffab
+    if not bindinstance.check_inst(options.unattended):
e3ffab
         sys.exit("Aborting installation.")
e3ffab
 
e3ffab
-    if options.dnssec_master:
e3ffab
-        # check opendnssec packages are installed
e3ffab
-        if not opendnssecinstance.check_inst():
e3ffab
-            sys.exit("Aborting installation")
e3ffab
-
e3ffab
     # Initialize the ipalib api
e3ffab
     cfg = dict(
e3ffab
         in_server=True,
e3ffab
@@ -160,14 +138,6 @@ def main():
e3ffab
     except errors.ACIError:
e3ffab
         sys.exit("Password is not valid!")
e3ffab
 
e3ffab
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
e3ffab
-    if options.dnssec_master:
e3ffab
-        dnssec_masters = ods.get_masters()
e3ffab
-        # we can reinstall current server if it is dnssec master
e3ffab
-        if not api.env.host in dnssec_masters and dnssec_masters:
e3ffab
-            print "DNSSEC key master(s):", u','.join(dnssec_masters)
e3ffab
-            sys.exit("Only one DNSSEC key master is supported in current version.")
e3ffab
-
e3ffab
     ip_addresses = get_server_ip_address(api.env.host, fstore,
e3ffab
         options.unattended, True, options.ip_addresses)
e3ffab
 
e3ffab
@@ -213,16 +183,6 @@ def main():
e3ffab
                no_dnssec_validation=options.no_dnssec_validation)
e3ffab
     bind.create_instance()
e3ffab
 
e3ffab
-    # on dnssec master this must be installed last
e3ffab
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
e3ffab
-    dnskeysyncd.create_instance(api.env.host, api.env.realm)
e3ffab
-    if options.dnssec_master:
e3ffab
-        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
e3ffab
-
e3ffab
-        ods_exporter.create_instance(api.env.host, api.env.realm)
e3ffab
-        ods.create_instance(api.env.host, api.env.realm)
e3ffab
-
e3ffab
-    dnskeysyncd.start_dnskeysyncd()
e3ffab
     bind.start_named()
e3ffab
 
e3ffab
     # Restart http instance to make sure that python-dns has the right resolver
e3ffab
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
e3ffab
index 70190b718965518803b9767325d58f9526c32f7c..b8813aaa5d54d40756e9d9b8f0ee3e2dd7e8b253 100755
e3ffab
--- a/install/tools/ipa-replica-install
e3ffab
+++ b/install/tools/ipa-replica-install
e3ffab
@@ -33,7 +33,7 @@ from ipapython import ipautil
e3ffab
 
e3ffab
 from ipaserver.install import dsinstance, installutils, krbinstance, service
e3ffab
 from ipaserver.install import bindinstance, httpinstance, ntpinstance
e3ffab
-from ipaserver.install import memcacheinstance, dnskeysyncinstance
e3ffab
+from ipaserver.install import memcacheinstance
e3ffab
 from ipaserver.install import otpdinstance
e3ffab
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
e3ffab
 from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
e3ffab
@@ -112,8 +112,6 @@ def parse_options():
e3ffab
                          action="append", help="The reverse DNS zone to use")
e3ffab
     dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
e3ffab
                       default=False, help="Do not create new reverse DNS zone")
e3ffab
-    dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
e3ffab
-                      default=False, help="Disable DNSSEC validation")
e3ffab
     dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
e3ffab
                       default=False,
e3ffab
                       help="Do not use DNS for hostname lookup during installation")
e3ffab
@@ -127,6 +125,9 @@ def parse_options():
e3ffab
     # pkinit is disabled in production version
e3ffab
     options.setup_pkinit = False
e3ffab
 
e3ffab
+    # Disable DNSSEC support
e3ffab
+    options.no_dnssec_validation = False
e3ffab
+
e3ffab
     if len(args) != 1:
e3ffab
         parser.error("you must provide a file generated by ipa-replica-prepare")
e3ffab
 
e3ffab
@@ -139,8 +140,6 @@ def parse_options():
e3ffab
             parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
e3ffab
         if options.no_reverse:
e3ffab
             parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
e3ffab
-        if options.no_dnssec_validation:
e3ffab
-            parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
e3ffab
     elif options.forwarders and options.no_forwarders:
e3ffab
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
e3ffab
     elif not options.forwarders and not options.no_forwarders:
e3ffab
@@ -274,10 +273,6 @@ def install_bind(config, options):
e3ffab
                no_dnssec_validation=options.no_dnssec_validation)
e3ffab
     bind.create_instance()
e3ffab
     print ""
e3ffab
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(
e3ffab
-        dm_password=config.dirman_password)
e3ffab
-    dnskeysyncd.create_instance(api.env.host, api.env.realm)
e3ffab
-    dnskeysyncd.start_dnskeysyncd()
e3ffab
     bind.start_named()
e3ffab
     print ""
e3ffab
     bind.check_global_configuration()
e3ffab
@@ -354,8 +349,7 @@ def check_dirsrv():
e3ffab
         sys.exit(1)
e3ffab
 
e3ffab
 def check_bind():
e3ffab
-    if not (bindinstance.check_inst(unattended=True) and
e3ffab
-            dnskeysyncinstance.check_inst()):
e3ffab
+    if not bindinstance.check_inst(unattended=True):
e3ffab
         print "Aborting installation"
e3ffab
         sys.exit(1)
e3ffab
 
e3ffab
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
e3ffab
index 4f92c0c927b3267eeb466a06d3283823c05437b0..86d77844489abe4d7151a29a4e81320e01d5c412 100755
e3ffab
--- a/install/tools/ipa-replica-manage
e3ffab
+++ b/install/tools/ipa-replica-manage
e3ffab
@@ -29,7 +29,6 @@ import socket
e3ffab
 from ipapython import ipautil
e3ffab
 from ipaserver.install import replication, dsinstance, installutils
e3ffab
 from ipaserver.install import bindinstance, cainstance, certs
e3ffab
-from ipaserver.install import opendnssecinstance, dnskeysyncinstance
e3ffab
 from ipaserver.plugins import ldap2
e3ffab
 from ipapython import version, ipaldap
e3ffab
 from ipalib import api, errors, util
e3ffab
@@ -695,14 +694,6 @@ def del_master(realm, hostname, options):
e3ffab
             if not options.force and not ipautil.user_input("Continue to delete?", False):
e3ffab
                 sys.exit("Deletion aborted")
e3ffab
 
e3ffab
-        # test if replica is not DNSSEC master
e3ffab
-        # allow to delete it if is last DNS server
e3ffab
-        if 'DNS' in this_services and other_dns and not options.force:
e3ffab
-            dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
e3ffab
-            if hostname in dnssec_masters:
e3ffab
-                print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
e3ffab
-                sys.exit("Deletion aborted")
e3ffab
-
e3ffab
         # Pick CA renewal master
e3ffab
         ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
e3ffab
         if ca.is_renewal_master(hostname):
e3ffab
@@ -757,9 +748,6 @@ def del_master(realm, hostname, options):
e3ffab
             bind.remove_master_dns_records(hostname, realm, realm.lower())
e3ffab
             bind.remove_ipa_ca_dns_records(hostname, realm.lower())
e3ffab
             bind.remove_server_ns_records(hostname)
e3ffab
-
e3ffab
-            keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
e3ffab
-            keysyncd.remove_replica_public_keys(hostname)
e3ffab
     except Exception, e:
e3ffab
         print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
e3ffab
         print "You may need to manually remove them from the tree"
e3ffab
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
e3ffab
index 3b748aaab37fa8806ebc7a4983ed97cc8243a9c4..6bcb0a16dbdfc0258ab40c70ea94740dfb537d8a 100755
e3ffab
--- a/install/tools/ipa-server-install
e3ffab
+++ b/install/tools/ipa-server-install
e3ffab
@@ -49,9 +49,6 @@ except ImportError:
e3ffab
 from ipaserver.install import dsinstance
e3ffab
 from ipaserver.install import krbinstance
e3ffab
 from ipaserver.install import bindinstance
e3ffab
-from ipaserver.install import dnskeysyncinstance
e3ffab
-from ipaserver.install import opendnssecinstance
e3ffab
-from ipaserver.install import odsexporterinstance
e3ffab
 from ipaserver.install import httpinstance
e3ffab
 from ipaserver.install import ntpinstance
e3ffab
 from ipaserver.install import certs
e3ffab
@@ -272,8 +269,6 @@ def parse_options():
e3ffab
                       action="append", default=[])
e3ffab
     dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
e3ffab
                       default=False, help="Do not create reverse DNS zone")
e3ffab
-    dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
e3ffab
-                      default=False, help="Disable DNSSEC validation")
e3ffab
     dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
e3ffab
                       type="string",
e3ffab
                       help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
e3ffab
@@ -297,6 +292,9 @@ def parse_options():
e3ffab
     options.pkinit_pin = False
e3ffab
     options.pkinit_cert_files = False
e3ffab
 
e3ffab
+    # Disable DNSSEC support
e3ffab
+    options.no_dnssec_validation = False
e3ffab
+
e3ffab
     if options.dm_password is not None:
e3ffab
         try:
e3ffab
             validate_dm_password(options.dm_password)
e3ffab
@@ -323,8 +321,6 @@ def parse_options():
e3ffab
             parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
e3ffab
         if options.no_reverse:
e3ffab
             parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
e3ffab
-        if options.no_dnssec_validation:
e3ffab
-            parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
e3ffab
     elif options.forwarders and options.no_forwarders:
e3ffab
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
e3ffab
     elif options.reverse_zones and options.no_reverse:
e3ffab
@@ -564,17 +560,7 @@ def uninstall():
e3ffab
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
e3ffab
     if ca_instance.is_configured():
e3ffab
         ca_instance.uninstall()
e3ffab
-
e3ffab
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore)
e3ffab
-    if ods.is_configured():
e3ffab
-        ods.uninstall()
e3ffab
-
e3ffab
-    ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
e3ffab
-    if ods_exporter.is_configured():
e3ffab
-        ods_exporter.uninstall()
e3ffab
-
e3ffab
     bindinstance.BindInstance(fstore).uninstall()
e3ffab
-    dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()
e3ffab
     httpinstance.HTTPInstance(fstore).uninstall()
e3ffab
     krbinstance.KrbInstance(fstore).uninstall()
e3ffab
     dsinstance.DsInstance(fstore=fstore).uninstall()
e3ffab
@@ -737,20 +723,6 @@ def main():
e3ffab
                    "agreements.\n\n")
e3ffab
             print textwrap.fill(msg, width=80, replace_whitespace=False)
e3ffab
         else:
e3ffab
-
e3ffab
-            # test if server is DNSSEC key master
e3ffab
-            masters = opendnssecinstance.get_dnssec_key_masters(conn)
e3ffab
-            if api.env.host in masters:
e3ffab
-                print "This server is active DNSSEC key master. Uninstall could break your DNS system."
e3ffab
-                if not (options.unattended or user_input("Are you sure you "
e3ffab
-                                                         "want to continue "
e3ffab
-                                                         "with the uninstall "
e3ffab
-                                                         "procedure?",
e3ffab
-                                                         False)):
e3ffab
-                    print ""
e3ffab
-                    print "Aborting uninstall operation."
e3ffab
-                    sys.exit(1)
e3ffab
-
e3ffab
             rm = replication.ReplicationManager(
e3ffab
                 realm=api.env.realm,
e3ffab
                 hostname=api.env.host,
e3ffab
@@ -899,8 +871,7 @@ def main():
e3ffab
 
e3ffab
     # check bind packages are installed
e3ffab
     if options.setup_dns:
e3ffab
-        if not (bindinstance.check_inst(options.unattended) and
e3ffab
-                dnskeysyncinstance.check_inst()):
e3ffab
+        if not bindinstance.check_inst(options.unattended):
e3ffab
             sys.exit("Aborting installation")
e3ffab
 
e3ffab
         # Don't require an external DNS to say who we are if we are
e3ffab
@@ -1289,9 +1260,6 @@ def main():
e3ffab
         api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
e3ffab
 
e3ffab
         bind.create_instance()
e3ffab
-        dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
e3ffab
-        dnskeysyncd.create_instance(api.env.host, api.env.realm)
e3ffab
-        dnskeysyncd.start_dnskeysyncd()
e3ffab
         bind.start_named()
e3ffab
         print ""
e3ffab
         bind.check_global_configuration()
e3ffab
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
e3ffab
index cd50edeecb055c71831fad806afde43c2779cdf8..cf85f58c26510fcd105b54126152a50474c869b5 100755
e3ffab
--- a/install/tools/ipa-upgradeconfig
e3ffab
+++ b/install/tools/ipa-upgradeconfig
e3ffab
@@ -53,7 +53,6 @@ from ipaserver.install import cainstance
e3ffab
 from ipaserver.install import certs
e3ffab
 from ipaserver.install import otpdinstance
e3ffab
 from ipaserver.install import sysupgrade
e3ffab
-from ipaserver.install import dnskeysyncinstance
e3ffab
 
e3ffab
 
e3ffab
 def parse_options():
e3ffab
@@ -1421,14 +1420,6 @@ def main():
e3ffab
         except ipalib.errors.DuplicateEntry:
e3ffab
             pass
e3ffab
 
e3ffab
-    # install DNSKeySync service only if DNS is configured on server
e3ffab
-    if bindinstance.named_conf_exists():
e3ffab
-            dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
e3ffab
-            if not dnskeysyncd.is_configured():
e3ffab
-                ds.start()
e3ffab
-                dnskeysyncd.create_instance(fqdn, api.env.realm)
e3ffab
-                dnskeysyncd.start_dnskeysyncd()
e3ffab
-
e3ffab
     cleanup_kdc(fstore)
e3ffab
     cleanup_adtrust(fstore)
e3ffab
     setup_firefox_extension(fstore)
e3ffab
@@ -1447,7 +1438,6 @@ def main():
e3ffab
                           named_bindkey_file_option(),
e3ffab
                           named_managed_keys_dir_option(),
e3ffab
                           named_root_key_include(),
e3ffab
-                          mask_named_regular(),
e3ffab
                          )
e3ffab
 
e3ffab
     if any(named_conf_changes):
e3ffab
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
e3ffab
index 34afc189866993481229bb68a5edd77e0a4eaff3..d01dde31ad37f7d7aa4044de77704f4d560f0d30 100644
e3ffab
--- a/ipalib/plugins/dns.py
e3ffab
+++ b/ipalib/plugins/dns.py
e3ffab
@@ -2362,7 +2362,9 @@ class dnszone(DNSZoneBase):
e3ffab
             if options['idnssecinlinesigning'] is True:
e3ffab
                 messages.add_message(options['version'], result,
e3ffab
                     messages.DNSSECWarning(
e3ffab
-                    additional_info=_("Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.")
e3ffab
+                    additional_info=_("Manual configuration needed, please "
e3ffab
+                    "visit 'http://www.freeipa.org/page/Releases/4.0.0#"
e3ffab
+                    "Experimental_DNSSEC_Support'")
e3ffab
                 ))
e3ffab
             else:
e3ffab
                 messages.add_message(options['version'], result,
e3ffab
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
e3ffab
index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..5c9bae56552cefec1f3b8a16a52b8704171d4024 100644
e3ffab
--- a/ipaplatform/redhat/services.py
e3ffab
+++ b/ipaplatform/redhat/services.py
e3ffab
@@ -69,7 +69,7 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
e3ffab
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
e3ffab
 redhat_system_units['named-regular'] = 'named.service'
e3ffab
 redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
e3ffab
-redhat_system_units['named'] = redhat_system_units['named-pkcs11']
e3ffab
+redhat_system_units['named'] = redhat_system_units['named-regular']
e3ffab
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
e3ffab
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
e3ffab
 redhat_system_units['ods-signerd'] = 'ods-signerd.service'
e3ffab
@@ -242,10 +242,10 @@ class RedHatNamedService(RedHatService):
e3ffab
         return u'named'
e3ffab
 
e3ffab
     def get_binary_path(self):
e3ffab
-        return paths.NAMED_PKCS11
e3ffab
+        return paths.NAMED
e3ffab
 
e3ffab
     def get_package_name(self):
e3ffab
-        return u"bind-pkcs11"
e3ffab
+        return u"bind"
e3ffab
 
e3ffab
 
e3ffab
 class RedHatODSEnforcerdService(RedHatService):
e3ffab
diff --git a/ipapython/Makefile b/ipapython/Makefile
e3ffab
index b2cf719fdd580801a147def17e5a7483665b3d79..e09956ad32cf48d1ed585a494c8083e58c48d037 100644
e3ffab
--- a/ipapython/Makefile
e3ffab
+++ b/ipapython/Makefile
e3ffab
@@ -3,7 +3,7 @@ PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
e3ffab
 CONFIGDIR ?= $(DESTDIR)/etc/ipa
e3ffab
 TESTS = $(wildcard test/*.py)
e3ffab
 
e3ffab
-SUBDIRS = py_default_encoding ipap11helper
e3ffab
+SUBDIRS = py_default_encoding
e3ffab
 
e3ffab
 all:
e3ffab
 	@for subdir in $(SUBDIRS); do \
e3ffab
diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
e3ffab
index 6caf179051533e0db77a4091db5874bbdae426c9..a839f094ac0f9a2c303862e397bb4deb7589cc62 100644
e3ffab
--- a/ipapython/setup.py.in
e3ffab
+++ b/ipapython/setup.py.in
e3ffab
@@ -65,7 +65,7 @@ def setup_package():
e3ffab
             classifiers=filter(None, CLASSIFIERS.split('\n')),
e3ffab
             platforms = ["Linux", "Solaris", "Unix"],
e3ffab
             package_dir = {'ipapython': ''},
e3ffab
-            packages = [ "ipapython", "ipapython.dnssec" ],
e3ffab
+            packages = [ "ipapython" ],
e3ffab
         )
e3ffab
     finally:
e3ffab
         del sys.path[0]
e3ffab
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
e3ffab
index 547cf19ee36140b5f29fcf7d217933fa68e1952b..9085cf9b59a064d82c0df774a6fa961c9d158ccf 100644
e3ffab
--- a/ipaserver/install/bindinstance.py
e3ffab
+++ b/ipaserver/install/bindinstance.py
e3ffab
@@ -543,7 +543,6 @@ class BindInstance(service.Service):
e3ffab
         self.sub_dict = None
e3ffab
         self.reverse_zones = []
e3ffab
         self.dm_password = dm_password
e3ffab
-        self.named_regular = services.service('named-regular')
e3ffab
 
e3ffab
         if fstore:
e3ffab
             self.fstore = fstore
e3ffab
@@ -652,8 +651,6 @@ class BindInstance(service.Service):
e3ffab
             if self.get_state("running") is None:
e3ffab
                 # first time store status
e3ffab
                 self.backup_state("running", self.is_running())
e3ffab
-                self.backup_state("named-regular-running",
e3ffab
-                                  self.named_regular.is_running())
e3ffab
             self.restart()
e3ffab
         except Exception as e:
e3ffab
             root_logger.error("Named service failed to start (%s)", e)
e3ffab
@@ -662,8 +659,6 @@ class BindInstance(service.Service):
e3ffab
     def __enable(self):
e3ffab
         if self.get_state("enabled") is None:
e3ffab
             self.backup_state("enabled", self.is_running())
e3ffab
-            self.backup_state("named-regular-enabled",
e3ffab
-                              self.named_regular.is_running())
e3ffab
         # We do not let the system start IPA components on its own,
e3ffab
         # Instead we reply on the IPA init script to start only enabled
e3ffab
         # components as found in our LDAP configuration tree
e3ffab
@@ -674,17 +669,6 @@ class BindInstance(service.Service):
e3ffab
             # don't crash, just report error
e3ffab
             root_logger.error("DNS service already exists")
e3ffab
 
e3ffab
-        # disable named, we need to run named-pkcs11 only
e3ffab
-        try:
e3ffab
-            self.named_regular.stop()
e3ffab
-        except Exception as e:
e3ffab
-            root_logger.debug("Unable to stop named (%s)", e)
e3ffab
-
e3ffab
-        try:
e3ffab
-            self.named_regular.mask()
e3ffab
-        except Exception as e:
e3ffab
-            root_logger.debug("Unable to mask named (%s)", e)
e3ffab
-
e3ffab
     def __setup_sub_dict(self):
e3ffab
         if self.forwarders:
e3ffab
             fwds = "\n"
e3ffab
@@ -1167,8 +1151,6 @@ class BindInstance(service.Service):
e3ffab
 
e3ffab
         running = self.restore_state("running")
e3ffab
         enabled = self.restore_state("enabled")
e3ffab
-        named_regular_running = self.restore_state("named-regular-running")
e3ffab
-        named_regular_enabled = self.restore_state("named-regular-enabled")
e3ffab
 
e3ffab
         self.dns_backup.clear_records(api.Backend.ldap2.isconnected())
e3ffab
 
e3ffab
@@ -1187,10 +1169,3 @@ class BindInstance(service.Service):
e3ffab
 
e3ffab
         if not running is None and running:
e3ffab
             self.start()
e3ffab
-
e3ffab
-        self.named_regular.unmask()
e3ffab
-        if named_regular_enabled:
e3ffab
-            self.named_regular.enable()
e3ffab
-
e3ffab
-        if named_regular_running:
e3ffab
-            self.named_regular.start()
e3ffab
-- 
e3ffab
2.1.0
e3ffab