Hello,

This patch set configures secure zones according to policies in LDAP.

--
Petr^2 Spacek
From 68a247c0abc6a3ba8c0eb4f849eef2868f85bb82 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:04:55 +0200
Subject: [PATCH] Move secure zone configuration from create_zone() to
 zone_master_reconfigure().

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 49 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 16 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index b9afc792862ed6e14b29862ac4d527528aae8e87..c698fd359dd31f12875528ce289cfb801bfaf4f1 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -949,20 +949,6 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 		CHECK(dns_zone_setdbtype(secure, 1, rbt_argv));
 		CHECK(dns_zonemgr_managezone(inst->zmgr, secure));
 		CHECK(dns_zone_link(secure, raw));
-
-		/* Magic constants are taken from zoneconf.c */
-		dns_zone_setsigvalidityinterval(secure, 2592000); /* sig-validity-interval */
-		dns_zone_setsigresigninginterval(secure, 648000); /* re-sign */
-		dns_zone_setsignatures(secure, 10); /* sig-signing-signatures */
-		dns_zone_setnodes(secure, 10); /* sig-signing-nodes */
-		dns_zone_setprivatetype(secure, 65534); /* sig-signing-type */
-		dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK,
-				   ISC_TRUE); /* update-check-ksk */
-		dns_zone_setrefreshkeyinterval(secure, 60); /* dnssec-loadkeys-interval */
-		/* auto-dnssec = maintain */
-		dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
-		dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
-
 		dns_zone_rekey(secure, ISC_TRUE);
 		CHECK(configure_paths(inst->mctx, inst, secure, ISC_TRUE));
 	}
@@ -1881,7 +1867,7 @@ cleanup:
  */
 static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
-			dns_zone_t *raw, isc_task_t *task) {
+			dns_zone_t *raw, dns_zone_t *secure, isc_task_t *task) {
 	isc_result_t result;
 	const char *dn = NULL;
 	ldap_valuelist_t values;
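Review bot: The new `secure` parameter is deliberately nullable (the hunk at @@ -1952 in this same patch guards the signing setup with `if (secure != NULL)`, and the caller passes whatever handle it holds), yet the declaration keeps the blanket `ATTR_NONNULLS` attribute. If that macro expands to GCC's `__attribute__((nonnull))` with no argument list, every pointer parameter is promised non-NULL, so the compiler may treat the `secure != NULL` test as dead code and warn about call sites that pass NULL. Either narrow the attribute to the parameters that really are mandatory, for example the positional form `__attribute__((nonnull(1, 2, 3, 5)))` for entry, zone_settings, raw and task, or state the exception above the function: `/* secure may be NULL for zones without inline signing; it is the only pointer argument allowed to be NULL */`. The function body continues outside this hunk.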
@@ -1952,6 +1938,37 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 		result = ISC_R_SUCCESS;
 	}
 
+	if (secure != NULL) {
+		/* notifications should be sent from secure zone only */
+		dns_zone_setnotifytype(raw, dns_notifytype_no);
+
+		/* Magic constants are taken from zoneconf.c */
+		/* sig-validity-interval */
+		dns_zone_setsigvalidityinterval(secure, 2592000);
+
+		/* re-sign */
+		dns_zone_setsigresigninginterval(secure, 648000);
+
+		/* sig-signing-signatures */
+		dns_zone_setsignatures(secure, 10);
+
+		/* sig-signing-nodes */
+		dns_zone_setnodes(secure, 10);
+
+		/* sig-signing-type */
+		dns_zone_setprivatetype(secure, 65534);
+
+		/* update-check-ksk */
+		dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK, ISC_TRUE);
+
+		/* dnssec-loadkeys-interval */
+		CHECK(dns_zone_setrefreshkeyinterval(secure, 60));
+
+		/* auto-dnssec = maintain */
+		dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
+		dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
+	}
+
 cleanup:
 	return result;
 }
@@ -2162,7 +2179,7 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst,
 	}
 
 	CHECK(zr_get_zone_settings(inst->zone_register, &name, &zone_settings));
-	CHECK(zone_master_reconfigure(entry, zone_settings, raw, task));
+	CHECK(zone_master_reconfigure(entry, zone_settings, raw, secure, task));
 
 	sync_state_get(inst->sctx, &sync_state);
 	if (new_zone == ISC_TRUE && sync_state == sync_finished)
-- 
1.9.0

From c6b16f1a183af69740de2c2f1369abd13c28a2ea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:08:05 +0200
Subject: [PATCH] Follow query/transfer/update policies for secure zones.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index c698fd359dd31f12875528ce289cfb801bfaf4f1..23e32928382226662098b5643a3c24b683113b19 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1873,15 +1873,21 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 	ldap_valuelist_t values;
 	isc_mem_t *mctx = NULL;
 	isc_boolean_t ssu_changed;
+	dns_zone_t *inview = NULL;
 
 	REQUIRE(entry != NULL);
 	REQUIRE(zone_settings != NULL);
 	REQUIRE(raw != NULL);
 	REQUIRE(task != NULL);
 
 	dn = entry->dn;
 	mctx = dns_zone_getmctx(raw);
 
+	if (secure != NULL)
+		dns_zone_attach(secure, &inview);
+	else
+		dns_zone_attach(raw, &inview);
+
 	result = setting_update_from_ldap_entry("dyn_update", zone_settings,
 						"idnsAllowDynUpdate", entry, task);
 	if (result != ISC_R_SUCCESS && result != ISC_R_IGNORE)
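Review bot: The `inview` selection has no comment explaining why the query/transfer ACLs must move from `raw` to `secure` whenever a secure zone exists, and the variable name alone carries that reasoning for a future reader. From the commit subject it is presumably because the secure zone is the one registered in the view and therefore the one that answers queries and serves transfers, while the raw zone is only the signing input. A two-line comment above the attach would make that explicit, e.g. `/* allow-query/allow-transfer belong to the zone visible in the view:` `* the secure zone when inline signing is enabled, the raw zone otherwise. */`. The enclosing function starts and ends outside this hunk.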
@@ -1920,17 +1926,17 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 	log_debug(2, "Setting allow-query for %p: %s", raw, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowQuery", &values);
 	if (result == ISC_R_SUCCESS) {
-		CHECK(configure_zone_acl(mctx, raw, &dns_zone_setqueryacl,
+		CHECK(configure_zone_acl(mctx, inview, &dns_zone_setqueryacl,
 					 HEAD(values)->value, acl_type_query));
 	} else {
 		log_debug(2, "allow-query not set");
 		dns_zone_clearqueryacl(raw);
 	}
 
 	log_debug(2, "Setting allow-transfer for %p: %s", raw, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowTransfer", &values);
 	if (result == ISC_R_SUCCESS) {
-		CHECK(configure_zone_acl(mctx, raw, &dns_zone_setxfracl,
+		CHECK(configure_zone_acl(mctx, inview, &dns_zone_setxfracl,
 					 HEAD(values)->value, acl_type_transfer));
 	} else {
 		log_debug(2, "allow-transfer not set");
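Review bot: The set and clear paths now disagree on which zone owns the ACL: when `idnsAllowQuery` is present the ACL is installed on `inview`, but when the attribute is absent the else branch still calls `dns_zone_clearqueryacl(raw)`, and the third patch's hunk at @@ -1908 shows the transfer branch likewise still calling `dns_zone_clearxfracl(raw)`. For a zone with inline signing this clears a handle that never carried the ACL, while the secure zone keeps the previously configured allow-query or allow-transfer until an explicit new value arrives in LDAP, so deleting the attribute does not restore the default on the zone that actually serves clients. Both clears should use the same handle as the set path, `dns_zone_clearqueryacl(inview);` and `dns_zone_clearxfracl(inview);`. The same lines survive unchanged in the third patch, so the fix applies there too; the enclosing function begins and ends outside this hunk.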
@@ -1970,6 +1976,8 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 	}
 
 cleanup:
+	if (inview != NULL)
+		dns_zone_detach(&inview);
 	return result;
 }
 
-- 
1.9.0

From f7d10dc4d305985d326c8c40492b64a6b9306ba3 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:08:44 +0200
Subject: [PATCH] Cleanup logging in zone_master_reconfigure().

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 23e32928382226662098b5643a3c24b683113b19..2b4ba1936e3b9c934cb64259f199c62ef6a2e496 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1869,7 +1869,6 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 			dns_zone_t *raw, dns_zone_t *secure, isc_task_t *task) {
 	isc_result_t result;
-	const char *dn = NULL;
 	ldap_valuelist_t values;
 	isc_mem_t *mctx = NULL;
 	isc_boolean_t ssu_changed;
@@ -1880,7 +1879,6 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 	REQUIRE(raw != NULL);
 	REQUIRE(task != NULL);
 
-	dn = entry->dn;
 	mctx = dns_zone_getmctx(raw);
 
 	if (secure != NULL)
@@ -1908,38 +1906,47 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 		isc_boolean_t ssu_enabled;
 		const char *ssu_policy = NULL;
 
-		log_debug(2, "Setting SSU table for %p: %s", raw, dn);
 		CHECK(setting_get_bool("dyn_update", zone_settings, &ssu_enabled));
 		if (ssu_enabled) {
 			/* Get the update policy and update the zone with it. */
 			CHECK(setting_get_str("update_policy", zone_settings,
 					      &ssu_policy));
+			dns_zone_log(raw, ISC_LOG_DEBUG(2),
+				     "setting update-policy to '%s'",
+				     ssu_policy);
 			CHECK(configure_zone_ssutable(raw, ssu_policy));
 		} else {
 			/* Empty policy will prevent the update from reaching
 			 * LDAP driver and error will be logged. */
+			dns_zone_log(raw, ISC_LOG_DEBUG(2),
+				     "update-policy is not set");
 			CHECK(configure_zone_ssutable(raw, ""));
 		}
 	}
 
 	/* Fetch allow-query and allow-transfer ACLs */
-	log_debug(2, "Setting allow-query for %p: %s", raw, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowQuery", &values);
 	if (result == ISC_R_SUCCESS) {
+		dns_zone_log(inview, ISC_LOG_DEBUG(2),
+			     "setting allow-query to '%s'",
+			     HEAD(values)->value);
 		CHECK(configure_zone_acl(mctx, inview, &dns_zone_setqueryacl,
 					 HEAD(values)->value, acl_type_query));
 	} else {
-		log_debug(2, "allow-query not set");
+		dns_zone_log(inview, ISC_LOG_DEBUG(2), "allow-query is not set");
 		dns_zone_clearqueryacl(raw);
 	}
 
-	log_debug(2, "Setting allow-transfer for %p: %s", raw, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowTransfer", &values);
 	if (result == ISC_R_SUCCESS) {
+		dns_zone_log(inview, ISC_LOG_DEBUG(2),
+			     "setting allow-transfer to '%s'",
+			     HEAD(values)->value);
 		CHECK(configure_zone_acl(mctx, inview, &dns_zone_setxfracl,
 					 HEAD(values)->value, acl_type_transfer));
 	} else {
-		log_debug(2, "allow-transfer not set");
+		dns_zone_log(inview, ISC_LOG_DEBUG(2),
+			     "allow-transfer is not set");
 		dns_zone_clearxfracl(raw);
 		result = ISC_R_SUCCESS;
 	}
-- 
1.9.0
