On 04/11/2013 04:35 PM, Petr Viktorin wrote:
On 04/11/2013 03:59 PM, Simo Sorce wrote:
On Thu, 2013-04-11 at 14:52 +0200, Petr Viktorin wrote:
On 04/11/2013 02:43 PM, Simo Sorce wrote:
On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote:
On 04/11/2013 12:05 PM, Tomas Babej wrote:
Hi,

Makes DNAME target validation less strict and allows underscore.
This is a requirement for IPA sites.

https://fedorahosted.org/freeipa/ticket/3550

Tomas

I checked with Petr², and he said it would make sense to also enable
underscores for the other record types.
For records other than TXT, SRV, DNAME, and NSEC we could warn if
underscores are used, but that's probably not worth the trouble -- just
allowing underscores everywhere is fine.


Underscores are invalid DNS characters, they should not be allowed for A
records, only for DNAME, and SRV records IMO.

Technically, they're invalid *hostname* characters; in DNS itself
anything goes.

Interestingly, we already allow them for A records:
$ ipa dnsrecord-add idm.lab.eng.brq.redhat.com _bogus --a-rec=1.2.3.4
    Record name: _bogus
    A record: 1.2.3.4

But this ticket is not about the record name, it's about record data
(i.e. the *target* of the DNAME).

So we are restricting record *data* but *not* record names? That's ...
odd.

Yes. Apparently we relaxed the name validation because underscores are used in AD or other exotic/nonstandard setups, and now we need to relax the data validation as well.

I filed a ticket to add warnings for underscores in A records: https://fedorahosted.org/freeipa/ticket/3557


Sorry for letting this rot on the list, I thought I sent the patch already. Patchwork saved me this time.

Here's the updated patch.

Tomas
From 5f1b82fed3d041cf27a46e2a1b367784eebe5f3f Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 15 Apr 2013 12:50:54 +0200
Subject: [PATCH] Allow underscore in record targets

Makes record target validation less strict and allows underscore.
This is a requirement for IPA sites.

https://fedorahosted.org/freeipa/ticket/3550
---
 ipalib/plugins/dns.py                | 2 +-
 tests/test_xmlrpc/test_dns_plugin.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 3e6ed8357f0954f1fd081163611d05e3bff9a290..11275c1a45d4c20580124610c5ad73ab68462961 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -373,7 +373,7 @@ def _bind_hostname_validator(ugettext, value):
     try:
         # Allow domain name which is not fully qualified. These are supported
         # in bind and then translated as <non-fqdn-name>.<domain>.
-        validate_hostname(value, check_fqdn=False)
+        validate_hostname(value, check_fqdn=False, allow_underscore=True)
     except ValueError, e:
         return _('invalid domain-name: %s') \
             % unicode(e)
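
Review bot: the `allow_underscore=True` argument in `_bind_hostname_validator` relaxes every record type that shares this validator, not only DNAME; the test updates in this same patch show the new message for `srv_target`, for the CNAME case reported under `hostname`, and for the DNAME `target`. The comment above the call still explains only the non-FQDN case, so please extend it to say why underscores are accepted in record data (ticket 3550), and list the affected record types in the commit message, because the thread explicitly questioned whether underscores should be accepted beyond DNAME and SRV.
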
diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py
index fb548bb97920883c8d1e2621ecdbb8682829e8b6..334d18e454dd54fb80058cffc0ce5564cf6aa477 100644
--- a/tests/test_xmlrpc/test_dns_plugin.py
+++ b/tests/test_xmlrpc/test_dns_plugin.py
@@ -671,7 +671,7 @@ class test_dns(Declarative):
                                                                  'srv_part_port' : 123,
                                                                  'srv_part_target' : u'foo bar'}),
             expected=errors.ValidationError(name='srv_target',
-                error=u'invalid domain-name: only letters, numbers, and - ' +
+                error=u'invalid domain-name: only letters, numbers, _, and - ' +
                     u'are allowed. DNS label may not start or end with -'),
         ),
 
@@ -774,7 +774,7 @@ class test_dns(Declarative):
             desc='Try to add invalid CNAME record %r using dnsrecord_add' % (dnsrescname),
             command=('dnsrecord_add', [dnszone1, dnsrescname], {'cnamerecord': u'-.example.com'}),
             expected=errors.ValidationError(name='hostname',
-                error=u'invalid domain-name: only letters, numbers, and - ' +
+                error=u'invalid domain-name: only letters, numbers, _, and - ' +
                     u'are allowed. DNS label may not start or end with -'),
         ),
 
@@ -843,7 +843,7 @@ class test_dns(Declarative):
             desc='Try to add invalid DNAME record %r using dnsrecord_add' % (dnsresdname),
             command=('dnsrecord_add', [dnszone1, dnsresdname], {'dnamerecord': u'-.example.com.'}),
             expected=errors.ValidationError(name='target',
-                error=u'invalid domain-name: only letters, numbers, and - ' +
+                error=u'invalid domain-name: only letters, numbers, _, and - ' +
                     u'are allowed. DNS label may not start or end with -'),
         ),
 
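Review bot: this DNAME case, like the SRV and CNAME cases above it, only updates the expected text for an input that is still rejected (`-.example.com.`), so nothing in the patch asserts that a target containing an underscore is now accepted. Add a positive `dnsrecord_add` case whose `dnamerecord` value contains `_`, and decide whether a label may start or end with `_`, since the message only says "DNS label may not start or end with -"; whichever behaviour is intended should have its own test.
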
-- 
1.8.1.4
