Hello, this patch set makes secure (signed) zones follow the query/transfer/update policies stored in LDAP.
-- Petr^2 Spacek
From 68a247c0abc6a3ba8c0eb4f849eef2868f85bb82 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:04:55 +0200
Subject: [PATCH] Move secure zone configuration from create_zone() to zone_master_reconfigure().
https://fedorahosted.org/bind-dyndb-ldap/ticket/56
Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 49 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index b9afc792862ed6e14b29862ac4d527528aae8e87..c698fd359dd31f12875528ce289cfb801bfaf4f1 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -949,20 +949,6 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 CHECK(dns_zone_setdbtype(secure, 1, rbt_argv));
 CHECK(dns_zonemgr_managezone(inst->zmgr, secure));
 CHECK(dns_zone_link(secure, raw));
-
- /* Magic constants are taken from zoneconf.c */
- dns_zone_setsigvalidityinterval(secure, 2592000); /* sig-validity-interval */
- dns_zone_setsigresigninginterval(secure, 648000); /* re-sign */
- dns_zone_setsignatures(secure, 10); /* sig-signing-signatures */
- dns_zone_setnodes(secure, 10); /* sig-signing-nodes */
- dns_zone_setprivatetype(secure, 65534); /* sig-signing-type */
- dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK,
- ISC_TRUE); /* update-check-ksk */
- dns_zone_setrefreshkeyinterval(secure, 60); /* dnssec-loadkeys-interval */
- /* auto-dnssec = maintain */
- dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
- dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
- dns_zone_rekey(secure, ISC_TRUE);
 CHECK(configure_paths(inst->mctx, inst, secure, ISC_TRUE));
 }
@@ -1881,7 +1867,7 @@ cleanup:
 */
 static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
- dns_zone_t *raw, isc_task_t *task) {
+ dns_zone_t *raw, dns_zone_t *secure, isc_task_t *task) {
 isc_result_t result;
 const char *dn = NULL;
 ldap_valuelist_t values;
@@ -1952,6 +1938,37 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 result = ISC_R_SUCCESS;
 }
+ if (secure != NULL) {
+ /* notifications should be sent from secure zone only */
+ dns_zone_setnotifytype(raw, dns_notifytype_no);
+
+ /* Magic constants are taken from zoneconf.c */
+ /* sig-validity-interval */
+ dns_zone_setsigvalidityinterval(secure, 2592000);
+
+ /* re-sign */
+ dns_zone_setsigresigninginterval(secure, 648000);
+
+ /* sig-signing-signatures */
+ dns_zone_setsignatures(secure, 10);
+
+ /* sig-signing-nodes */
+ dns_zone_setnodes(secure, 10);
+
+ /* sig-signing-type */
+ dns_zone_setprivatetype(secure, 65534);
+
+ /* update-check-ksk */
+ dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK, ISC_TRUE);
+
+ /* dnssec-loadkeys-interval */
+ CHECK(dns_zone_setrefreshkeyinterval(secure, 60));
+
+ /* auto-dnssec = maintain */
+ dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
+ dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
+ }
+
 cleanup:
 return result;
 }
@@ -2162,7 +2179,7 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst,
 }
 CHECK(zr_get_zone_settings(inst->zone_register, &name, &zone_settings));
- CHECK(zone_master_reconfigure(entry, zone_settings, raw, task));
+ CHECK(zone_master_reconfigure(entry, zone_settings, raw, secure, task));
 sync_state_get(inst->sctx, &sync_state);
 if (new_zone == ISC_TRUE && sync_state == sync_finished)
-- 
1.9.0
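Review bot: The `dns_zone_rekey(secure, ISC_TRUE)` call that this series removes from create_zone() is not reinstated in the new `if (secure != NULL)` block, so after this patch nothing in zone_master_reconfigure() asks the secure zone to pick up its keys once `DNS_ZONEKEY_MAINTAIN` is set. If zone load does not trigger a rekey on its own (I cannot confirm that from here), a freshly created zone may stay unsigned until the 60-second refresh-key interval fires, which the commit message does not present as intended. Either add `dns_zone_rekey(secure, ISC_TRUE);` after the two `dns_zone_setkeyopt` calls, or document why it is no longer needed with a comment such as `/* key maintenance is kicked off by zone load; no explicit rekey here */`. A comment above the block that these settings are re-applied on every reconfigure and must stay idempotent would also help the next maintainer. The body of zone_master_reconfigure continues outside the hunk.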
From c6b16f1a183af69740de2c2f1369abd13c28a2ea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:08:05 +0200
Subject: [PATCH] Follow query/transfer/update policies for secure zones.
https://fedorahosted.org/bind-dyndb-ldap/ticket/56
Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index c698fd359dd31f12875528ce289cfb801bfaf4f1..23e32928382226662098b5643a3c24b683113b19 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1873,15 +1873,21 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 ldap_valuelist_t values;
 isc_mem_t *mctx = NULL;
 isc_boolean_t ssu_changed;
+ dns_zone_t *inview = NULL;
 REQUIRE(entry != NULL);
 REQUIRE(zone_settings != NULL);
 REQUIRE(raw != NULL);
 REQUIRE(task != NULL);
 dn = entry->dn;
 mctx = dns_zone_getmctx(raw);
+ if (secure != NULL)
+ dns_zone_attach(secure, &inview);
+ else
+ dns_zone_attach(raw, &inview);
+
 result = setting_update_from_ldap_entry("dyn_update", zone_settings,
 "idnsAllowDynUpdate", entry, task);
 if (result != ISC_R_SUCCESS && result != ISC_R_IGNORE)
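Review bot: The new `inview` alias encodes the rule that decides which zone a client-facing ACL lands on, and that rule is not written down anywhere in the hunk; a reader seeing `inview` later in the function has to reconstruct it from this `if`. Suggest a comment above `if (secure != NULL)`: `/* Query/transfer ACLs are enforced on the zone registered in the view: the signed zone when one exists, otherwise the raw zone. Update policy stays on the raw zone. */`. The reference taken here must be released on every exit path; the detach at `cleanup:` covers it only if no path between this attach and the label returns directly, which cannot be verified from the hunk because the body of zone_master_reconfigure continues outside it.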
@@ -1920,17 +1926,17 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 log_debug(2, "Setting allow-query for %p: %s", raw, dn);
 result = ldap_entry_getvalues(entry, "idnsAllowQuery", &values);
 if (result == ISC_R_SUCCESS) {
- CHECK(configure_zone_acl(mctx, raw, &dns_zone_setqueryacl,
+ CHECK(configure_zone_acl(mctx, inview, &dns_zone_setqueryacl,
 HEAD(values)->value, acl_type_query));
 } else {
 log_debug(2, "allow-query not set");
 dns_zone_clearqueryacl(raw);
 }
 log_debug(2, "Setting allow-transfer for %p: %s", raw, dn);
 result = ldap_entry_getvalues(entry, "idnsAllowTransfer", &values);
 if (result == ISC_R_SUCCESS) {
- CHECK(configure_zone_acl(mctx, raw, &dns_zone_setxfracl,
+ CHECK(configure_zone_acl(mctx, inview, &dns_zone_setxfracl,
 HEAD(values)->value, acl_type_transfer));
 } else {
 log_debug(2, "allow-transfer not set");
@@ -1970,6 +1976,8 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 }
 cleanup:
+ if (inview != NULL)
+ dns_zone_detach(&inview);
 return result;
 }
-- 
1.9.0
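Review bot: The `else` branches still call `dns_zone_clearqueryacl(raw)` and `dns_zone_clearxfracl(raw)` while the set branches now install the ACL on `inview`, so when `idnsAllowQuery` or `idnsAllowTransfer` is later removed from the LDAP entry the ACL previously installed on the signed zone is never cleared and that zone keeps its old policy; clearing the ACL of the raw zone, which is not in the view, changes nothing a client can observe. The two lines should become `dns_zone_clearqueryacl(inview);` and `dns_zone_clearxfracl(inview);`. Whether dropping the attribute should fall back to the view's default ACL is a policy decision worth a comment here, since the view default may be more permissive than the ACL being removed. The body of zone_master_reconfigure continues outside the hunk.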
From f7d10dc4d305985d326c8c40492b64a6b9306ba3 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 23 Apr 2014 18:08:44 +0200
Subject: [PATCH] Cleanup logging in zone_master_reconfigure().
Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 23e32928382226662098b5643a3c24b683113b19..2b4ba1936e3b9c934cb64259f199c62ef6a2e496 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1869,7 +1869,6 @@ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 dns_zone_t *raw, dns_zone_t *secure, isc_task_t *task) {
 isc_result_t result;
- const char *dn = NULL;
 ldap_valuelist_t values;
 isc_mem_t *mctx = NULL;
 isc_boolean_t ssu_changed;
@@ -1880,7 +1879,6 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 REQUIRE(raw != NULL);
 REQUIRE(task != NULL);
- dn = entry->dn;
 mctx = dns_zone_getmctx(raw);
 if (secure != NULL)
@@ -1908,38 +1906,47 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 isc_boolean_t ssu_enabled;
 const char *ssu_policy = NULL;
- log_debug(2, "Setting SSU table for %p: %s", raw, dn);
 CHECK(setting_get_bool("dyn_update", zone_settings, &ssu_enabled));
 if (ssu_enabled) {
 /* Get the update policy and update the zone with it. */
 CHECK(setting_get_str("update_policy", zone_settings,
 &ssu_policy));
+ dns_zone_log(raw, ISC_LOG_DEBUG(2),
+ "setting update-policy to '%s'",
+ ssu_policy);
 CHECK(configure_zone_ssutable(raw, ssu_policy));
 } else {
 /* Empty policy will prevent the update from reaching
 * LDAP driver and error will be logged. */
+ dns_zone_log(raw, ISC_LOG_DEBUG(2),
+ "update-policy is not set");
 CHECK(configure_zone_ssutable(raw, ""));
 }
 }
 /* Fetch allow-query and allow-transfer ACLs */
- log_debug(2, "Setting allow-query for %p: %s", raw, dn);
 result = ldap_entry_getvalues(entry, "idnsAllowQuery", &values);
 if (result == ISC_R_SUCCESS) {
+ dns_zone_log(inview, ISC_LOG_DEBUG(2),
+ "setting allow-query to '%s'",
+ HEAD(values)->value);
 CHECK(configure_zone_acl(mctx, inview, &dns_zone_setqueryacl,
 HEAD(values)->value, acl_type_query));
 } else {
- log_debug(2, "allow-query not set");
+ dns_zone_log(inview, ISC_LOG_DEBUG(2), "allow-query is not set");
 dns_zone_clearqueryacl(raw);
 }
- log_debug(2, "Setting allow-transfer for %p: %s", raw, dn);
 result = ldap_entry_getvalues(entry, "idnsAllowTransfer", &values);
 if (result == ISC_R_SUCCESS) {
+ dns_zone_log(inview, ISC_LOG_DEBUG(2),
+ "setting allow-transfer to '%s'",
+ HEAD(values)->value);
 CHECK(configure_zone_acl(mctx, inview, &dns_zone_setxfracl,
 HEAD(values)->value, acl_type_transfer));
 } else {
- log_debug(2, "allow-transfer not set");
+ dns_zone_log(inview, ISC_LOG_DEBUG(2),
+ "allow-transfer is not set");
 dns_zone_clearxfracl(raw);
 result = ISC_R_SUCCESS;
 }
-- 
1.9.0
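Review bot: The new debug messages print `HEAD(values)->value` only, which is also the only value the `configure_zone_acl` calls beneath them consume, so if `idnsAllowQuery` or `idnsAllowTransfer` ever carries more than one value the remaining values are silently dropped and the log gives no hint of it. I cannot tell from here whether the LDAP schema makes these attributes single-valued; if it does not, either reject such entries or log a warning before the configure call, e.g. `dns_zone_log(inview, ISC_LOG_WARNING, "multiple idnsAllowTransfer values; only the first is used");`. The `allow-query is not set` and `allow-transfer is not set` messages are also logged against `inview` while the clear that follows each of them acts on `raw`, so the message names a zone other than the one being modified. The body of zone_master_reconfigure continues outside the hunk.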