On 05/14/2014 12:50 PM, Petr Viktorin wrote:
On 04/30/2014 10:00 AM, thierry bordaz wrote:
On 04/29/2014 10:07 PM, Martin Kosek wrote:
On 04/29/2014 08:17 PM, Simo Sorce wrote:
On Tue, 2014-04-29 at 20:00 +0200, Petr Viktorin wrote:
This adds the "idnsSecInlineSigning" attribute and related option.

https://fedorahosted.org/freeipa/ticket/3801

Simo, is adding a MAY attribute to an existing objectClass okay?


Not unheard of, however in the past we discovered some schema
replication issues that may have an impact, let's make sure DS team
also
agrees this is not going to cause issue.

From a purely functional pov a MAY attribute will not break any stored
object, so it is fine.

Simo.

Adding Thierry to the CC list to evaluate the risks, he was already
involved in fixing related issue in the DS for a similar Dogtag schema
extension.
Hello,

    When an instance in the topology contains schema extensions like a new
    MAY attribute, this extension is propagated to all instances
    by replication (no need to copy/merge schema files). This was the
    purpose of https://fedorahosted.org/389/ticket/47721. So it is fine
    to add a new MAY/MUST attribute or new attributes/objectclasses.

    During a replication session, a master checks which schema
    definitions (objectclasses/attributes) of the replica extend its
    own schema. If such definitions exist, the supplier adds/replaces them
    in its schema and its user99.ldif file. In your case, if a replica
    contains a new allowed attribute (e.g. 'idnsSecInlineSigning') but
    the supplier does not, then the supplier 'learns it' (during a replication
    session it initiated), and so an entry containing that new attribute
    can be updated on the supplier as well.
    There is a similar mechanism when a replica receives a schema that
    contains new definitions: it 'learns' them.

    The fix for 47721 is introduced in 389-ds 1.3.2.17 and later.
    It was tested mixing a 1.3.2.17 instance with legacy versions
    (1.3.1, 1.3.0...), and the schema on both sides converged to a common
    one, whether or not the extensions were present on both sides.
    A limitation is that a legacy instance (not having the fix) must
    have a replica agreement to/from an instance with the fix.

    regards
    thierry


Thanks. This means the patch is good for review.
I've just rebased it slightly.

Another rebase in VERSION was necessary.
Still looking for a review.



--
Petr³
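Thierry's description of how a supplier 'learns' a replica's schema extensions, as an added illustration that is not 389-ds code and not part of this thread: a simplified Python model that parses attributeTypes/objectClasses lines, decides whether the remote definitions extend the local ones (new attribute type, or an objectClass whose MUST/MAY lists are a superset), merges them, and refuses classes the two sides define incompatibly. The sample schema lines are constructed from the 60ipadns.ldif hunk in the attached patch, with idnsZone's MUST list trimmed; parse_schema, learn_extensions and disallowed_attributes are the example's own names. It also shows the consequence Thierry mentions: an entry carrying idnsSecInlineSigning is rejected by the supplier's schema before the merge and accepted after. Real 389-ds compares whole schema subentries and resolves SUP inheritance, which this model skips.

```python
import re
from dataclasses import dataclass

# Constructed sample schema lines (copied and trimmed from the 60ipadns.ldif
# hunk): the supplier still has the old idnsZone, the replica has the new
# idnsSecInlineSigning attribute and the extended idnsZone MAY list.
SUPPLIER_SCHEMA = """\
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsForwarders ) )
"""

REPLICA_SCHEMA = """\
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsForwarders $ idnsSecInlineSigning ) )
"""

_HEAD = re.compile(r"\(\s*([\d.]+)\s+NAME\s+'([^']+)'")


def _name_list(definition, keyword):
    """Lowercase names in a 'MUST ( a $ b )' or 'MAY x' clause (empty if absent)."""
    m = re.search(r"\b%s\s+(\(\s*([^)]*)\)|(\S+))" % keyword, definition)
    if not m:
        return frozenset()
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return frozenset(n.strip().lower() for n in body.split("$") if n.strip())


@dataclass(frozen=True)
class ObjectClass:
    oid: str
    name: str
    must: frozenset
    may: frozenset

    def allows(self, attr):
        return attr.lower() in self.must or attr.lower() in self.may


def parse_schema(text):
    """Parse attributeTypes/objectClasses LDIF lines into two dicts keyed by
    lowercase name: attribute name -> OID, class name -> ObjectClass."""
    attrs, classes = {}, {}
    for line in text.splitlines():
        kind, _, definition = line.partition(": ")
        head = _HEAD.search(definition)
        if not head:
            continue
        oid, name = head.group(1), head.group(2)
        if kind == "attributeTypes":
            attrs[name.lower()] = oid
        elif kind == "objectClasses":
            classes[name.lower()] = ObjectClass(
                oid, name, _name_list(definition, "MUST"), _name_list(definition, "MAY"))
    return attrs, classes


def learn_extensions(local, remote):
    """Merge the remote schema into the local one: unknown attribute types are
    added; an objectClass whose remote MUST/MAY lists are a superset of the local
    ones replaces the local definition; a class the local side already extends is
    kept. Returns (attrs, classes, conflicts), where conflicts lists classes that
    neither side extends (this simplified merge refuses to resolve those)."""
    l_attrs, l_classes = local
    r_attrs, r_classes = remote
    attrs = dict(l_attrs)
    for name, oid in r_attrs.items():
        attrs.setdefault(name, oid)
    classes = dict(l_classes)
    conflicts = []
    for name, r_oc in r_classes.items():
        l_oc = classes.get(name)
        if l_oc is None:
            classes[name] = r_oc
        elif r_oc.must >= l_oc.must and r_oc.may >= l_oc.may:
            classes[name] = r_oc   # remote extends local: learn it
        elif l_oc.must >= r_oc.must and l_oc.may >= r_oc.may:
            pass                   # local already extends remote: keep ours
        else:
            conflicts.append(name)
    return attrs, classes, conflicts


def disallowed_attributes(classes, objectclass, entry_attrs):
    """Attributes of an entry that the named objectClass does not permit. SUP
    inheritance (idnsZone SUP idnsRecord) is ignored, so only attributes owned
    by the class itself are judged correctly."""
    oc = classes[objectclass.lower()]
    return sorted(a for a in entry_attrs if not oc.allows(a))


if __name__ == "__main__":
    supplier = parse_schema(SUPPLIER_SCHEMA)
    replica = parse_schema(REPLICA_SCHEMA)
    zone = ["idnsZoneActive", "idnsSOAmName", "idnsSecInlineSigning"]
    print("rejected before merge:", disallowed_attributes(supplier[1], "idnsZone", zone))
    attrs, classes, conflicts = learn_extensions(supplier, replica)
    print("rejected after merge: ", disallowed_attributes(classes, "idnsZone", zone))
    print("conflicts:", conflicts)
```

Running the merge in the other direction (a replica that already carries the extension receiving the older supplier schema) leaves the replica's definitions untouched, which is the convergence Thierry describes; a class that both sides changed in incompatible ways ends up in conflicts instead of being silently overwritten.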
From 3370cb86e874c0898d3160ac98ddc4da739ea65b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 29 Apr 2014 19:42:41 +0200
Subject: [PATCH] dns: Add idnsSecInlineSigning attribute, add --dnssec option
 to zone

Part of the work for: https://fedorahosted.org/freeipa/ticket/3801
---
 API.txt                     | 9 ++++++---
 VERSION                     | 4 ++--
 install/share/60ipadns.ldif | 3 ++-
 ipalib/plugins/dns.py       | 8 +++++++-
 4 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/API.txt b/API.txt
index 1ea93e9dd403c3fe1a8ca6b047d6fee72220a862..caee61a22fcbf1395fcec55e9d5f5b23c4269523 100644
--- a/API.txt
+++ b/API.txt
@@ -1070,7 +1070,7 @@ command: dnsrecord_show
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnszone_add
-args: 1,24,3
+args: 1,25,3
 arg: Str('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -1083,6 +1083,7 @@ command: dnszone_add
 option: Str('idnsallowtransfer', attribute=True, autofill=True, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
 option: Str('idnsforwarders', attribute=True, cli_name='forwarder', csv=True, multivalue=True, required=False)
 option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
+option: Bool('idnssecinlinesigning', attribute=True, cli_name='dnssec', default=False, multivalue=False, required=False)
 option: Int('idnssoaexpire', attribute=True, autofill=True, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, required=True)
 option: Int('idnssoaminimum', attribute=True, autofill=True, cli_name='minimum', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, required=True)
 option: Str('idnssoamname', attribute=True, cli_name='name_server', multivalue=False, required=True)
@@ -1129,7 +1130,7 @@ command: dnszone_enable
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnszone_find
-args: 1,26,4
+args: 1,27,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', multivalue=False, query=True, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
@@ -1142,6 +1143,7 @@ command: dnszone_find
 option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, query=True, required=False)
 option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first', u'none'))
 option: Str('idnsname', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False)
+option: Bool('idnssecinlinesigning', attribute=True, autofill=False, cli_name='dnssec', default=False, multivalue=False, query=True, required=False)
 option: Int('idnssoaexpire', attribute=True, autofill=False, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, query=True, required=False)
 option: Int('idnssoaminimum', attribute=True, autofill=False, cli_name='minimum', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, query=True, required=False)
 option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', multivalue=False, query=True, required=False)
@@ -1162,7 +1164,7 @@ command: dnszone_find
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: dnszone_mod
-args: 1,25,3
+args: 1,26,3
 arg: Str('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -1176,6 +1178,7 @@ command: dnszone_mod
 option: Str('idnsallowtransfer', attribute=True, autofill=False, cli_name='allow_transfer', default=u'none;', multivalue=False, required=False)
 option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
 option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
+option: Bool('idnssecinlinesigning', attribute=True, autofill=False, cli_name='dnssec', default=False, multivalue=False, required=False)
 option: Int('idnssoaexpire', attribute=True, autofill=False, cli_name='expire', default=1209600, maxvalue=2147483647, minvalue=0, multivalue=False, required=False)
 option: Int('idnssoaminimum', attribute=True, autofill=False, cli_name='minimum', default=3600, maxvalue=2147483647, minvalue=0, multivalue=False, required=False)
 option: Str('idnssoamname', attribute=True, autofill=False, cli_name='name_server', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index 87e67cf7ac1dcac333980ae7ed5b41921d48c966..e11c9cc3b6c8fc25e9aed5a65604e48d518e159b 100644
--- a/VERSION
+++ b/VERSION
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=86
-# Last change: npmccallum - Only specify the ipatokenuniqueid default in the add operation
+IPA_API_VERSION_MINOR=87
+# Last change: pviktori - --dnssec option for dnszone
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index d16ac6165f343e1485d6436526914babb89fc5a9..aaa1b311001fb849aff6cf476924ca341830f732 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -49,7 +49,8 @@ dn: cn=schema
 attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of forwarders' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
 objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord ) )
-objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning ) )
 objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
 objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
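Review bot: because idnsSecInlineSigning is added to idnsZone as a MAY attribute with no server-side default, every existing zone entry will simply lack it after this schema update, so the plugin and whatever consumes the zone from LDAP must treat absence as FALSE; it is worth saying so in the DESC or the option doc rather than leaving it implicit. The attribute definition itself is consistent with its siblings (booleanMatch, SINGLE-VALUE, next OID in the .8.5 sequence), and given the 47721 discussion above, extending the MAY list is safe on the replication side.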
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 23b3ad456fbe56e0380bf4ae77c443a89f883f09..515baeeaeb17e96672084d99a1f3169b6033c447 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1569,7 +1569,7 @@ class dnszone(LDAPObject):
         'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname',
         'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire',
         'idnssoaminimum', 'idnsallowquery', 'idnsallowtransfer',
-        'idnsforwarders', 'idnsforwardpolicy'
+        'idnsforwarders', 'idnsforwardpolicy', 'idnssecinlinesigning',
     ] + _record_attributes
     label = _('DNS Zones')
     label_singular = _('DNS Zone')
@@ -1722,6 +1722,12 @@ class dnszone(LDAPObject):
             label=_('Allow PTR sync'),
             doc=_('Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'),
         ),
+        Bool('idnssecinlinesigning?',
+            cli_name='dnssec',
+            default=False,
+            label=_('Allow in-line DNSSEC signing'),
+            doc=_('Allow inline DNSSEC signing of records in the zone'),
+        ),
     )
 
     def get_dn(self, *keys, **options):
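Review bot: default=False on 'idnssecinlinesigning?' is not applied on dnszone_add, because the param has no autofill=True (compare idnsallowtransfer in the dnszone_add hunk of API.txt, which carries autofill=True so its default u'none;' is actually stored); as written, new zones are created without the attribute and the default only surfaces in help output. Either add autofill=True so every new zone stores an explicit FALSE, or drop default and document that an absent attribute means signing is disabled. Minor: the label says 'in-line' while the doc string and the schema DESC say 'inline'; pick one spelling.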
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
