Patches attached. Ticket: https://fedorahosted.org/freeipa/ticket/4488
-- Martin Basti
From f8e26732ed07466c9fb19d921154b444c393f829 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Wed, 20 Aug 2014 15:14:12 +0200
Subject: [PATCH 1/2] FIX DNS wildcard records (RFC4592)

Make validation more strict
* DS, NS, CNAME, DNAME owners should not be a wildcard domanin name
* zone name should not be a wildcard domain name

Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
 ipalib/plugins/dns.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index fdcccb0b74a2b044a1ad917d22d2fe9696d7584c..c301e0fb20381c89ed059266992d25dadb19a6bc 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
     return None
 
 
+def _no_wildcard_validator(ugettext, value):
+    """Disallow usage of wildcards as RFC 4592 recommends
+    """
+    assert isinstance(value, DNSName)
+    if value.is_wild():
+        return _('should not be a wildcard domain name (RFC 4592)')
+    return None
+
 def is_forward_record(zone, str_address):
     addr = netaddr.IPAddress(str_address)
     if addr.version == 4:
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
 
     takes_params = (
         DNSNameParam('idnsname',
+            _no_wildcard_validator, # RFC 4592 section 4
             only_absolute=True,
             cli_name='name',
             label=_('Zone name'),
@@ -2619,6 +2628,19 @@ class dnsrecord(LDAPObject):
                     error=unicode(_('out-of-zone data: record name must '
                                     'be a subdomain of the zone or a '
                                     'relative name')))
+            # dissallowed wildcard (RFC 4592)
+            no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']
+            if (keys[-1].is_wild() and
+                any(entry_attrs.get('%srecord' % r.lower())
+                    for r in no_wildcard_rtypes)
+            ):
+                raise errors.ValidationError(
+                    name='idnsname',
+                    error=(_('owner of %(types)s records '
+                             'should not be a wildcard domain name (RFC 4592)') %
+                           {'types': ', '.join(no_wildcard_rtypes)}
+                    )
+                )
 
     def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-- 
1.8.3.1
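Review bot: `_no_wildcard_validator` relies on `assert isinstance(value, DNSName)` for its type check, which is stripped under `python -O`, so a non-DNSName value would then fail inside `.is_wild()` with an AttributeError instead of a clear message; since the file already uses the same pattern (`assert isinstance(dn, DN)` in the third hunk), this is a style point rather than a defect. The docstring should state the contract the framework depends on: that the function returns a translated error string when the leftmost label is `*` and `None` otherwise, and that it is meant to be passed as a `DNSNameParam` validator. Judging by the hunk's line counts, only one blank line separates the new function from `is_forward_record`, where the surrounding code uses two.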
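Review bot: Attaching `_no_wildcard_validator` to the `idnsname` primary key of `DNSZoneBase` (whose class body starts outside the hunk) makes the check run on every command that takes the zone name, not only on creation, if IPA applies param validators to primary keys on `dnszone_del`/`dnszone_mod` as it does for other key validators; a zone created with a wildcard name before this change would then become unreachable through the API, including for deletion. If that is intended it deserves a sentence in the commit message; otherwise the check could be done in the zone add pre-callback so that existing data can still be cleaned up. The inline comment would be more useful if it said what is being prevented, e.g. `_no_wildcard_validator,  # RFC 4592 section 4: a wildcard name must not own the zone apex`.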
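Review bot: The new wildcard check in the `dnsrecord` pre-callback (its enclosing method begins before the hunk) only inspects the CNAME/DNAME/DS/NS attributes present in `entry_attrs` on this call; if this callback is wired only to `dnsrecord_add`, a wildcard owner created with, say, an A record can still acquire an NS or CNAME record via `dnsrecord_mod`, so please confirm the same callback (or an equivalent check) also runs on modification, otherwise the restriction is trivially bypassed. The error text always lists all four types even when only one was supplied, which is acceptable but could name just the offending ones. Minor: the comment has a typo, `# disallowed wildcard owner (RFC 4592)`.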
From 1b991efa650c8e286f4cce55285a2325c043ec0e Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Wed, 20 Aug 2014 17:26:34 +0200
Subject: [PATCH 2/2] Tests: DNS wildcard records

Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
 ipatests/test_xmlrpc/test_dns_plugin.py | 58 ++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 50b4d2ec7bf4d55f7d138f45993184f1bf7790bd..f4111b0086f49f80e34be0e879d247cd9a89007e 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -263,6 +263,7 @@ zone_findtest_forward = u'forward.find.test.'
 zone_findtest_forward_dnsname = DNSName(zone_findtest_forward)
 zone_findtest_forward_dn = DN(('idnsname', zone_findtest_forward),
                               api.env.container_dns, api.env.basedn)
+zone_fw_wildcard = u'*.wildcardforwardzone.test.'
 
 
 class test_dns(Declarative):
@@ -289,7 +290,8 @@ class test_dns(Declarative):
                          revzone3_classless1, revzone3_classless2, idnzone1, revidnzone1,
                          zone_findtest_master],
             {'continue': True}),
-        ('dnsforwardzone_del', [fwzone1, zone_findtest_forward],
+        ('dnsforwardzone_del', [fwzone1, zone_findtest_forward,
+                                zone_fw_wildcard],
             {'continue': True}),
         ('dnsconfig_mod', [], {'idnsforwarders' : None,
                                'idnsforwardpolicy' : None,
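Review bot: The cleanup list now passes `zone_fw_wildcard` to `dnsforwardzone_del`, but with patch 1 that name fails `idnsname` validation, and if the validator is applied to the primary key on delete as well, the whole cleanup command would raise ValidationError before `{'continue': True}` (which appears to cover only missing entries) can skip it, leaving `fwzone1` and `zone_findtest_forward` behind for later test runs. Since the wildcard zone can never be created (its add is expected to fail), the entry can simply be dropped: `('dnsforwardzone_del', [fwzone1, zone_findtest_forward],`. If you prefer to keep it, add a case asserting what `dnsforwardzone_del` does with a wildcard name so the behaviour is pinned either way.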
@@ -2736,6 +2738,50 @@ class test_dns(Declarative):
 
 
         dict(
+            desc='Try to add NS record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+            command=('dnsrecord_add', [zone1, wildcard_rec1], {'nsrecord': zone2_ns, 'force': True}),
+            expected=errors.ValidationError(
+                name='idnsname',
+                error=(u'owner of CNAME, DNAME, DS, NS records '
+                       'should not be a wildcard domain name (RFC 4592)')
+            )
+        ),
+
+
+        dict(
+            desc='Try to add CNAME record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+            command=('dnsrecord_add', [zone1, wildcard_rec1], {'cnamerecord': u'cname.test.'}),
+            expected=errors.ValidationError(
+                name='idnsname',
+                error=(u'owner of CNAME, DNAME, DS, NS records '
+                       'should not be a wildcard domain name (RFC 4592)')
+            )
+        ),
+
+
+        dict(
+            desc='Try to add DNAME record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+            command=('dnsrecord_add', [zone1, wildcard_rec1], {'dnamerecord': u'dname.test.'}),
+            expected=errors.ValidationError(
+                name='idnsname',
+                error=(u'owner of CNAME, DNAME, DS, NS records '
+                       'should not be a wildcard domain name (RFC 4592)')
+            )
+        ),
+
+
+        dict(
+            desc='Try to add DS record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+            command=('dnsrecord_add', [zone1, wildcard_rec1], {'dsrecord': u'0 0 0 00'}),
+            expected=errors.ValidationError(
+                name='idnsname',
+                error=(u'owner of CNAME, DNAME, DS, NS records '
+                       'should not be a wildcard domain name (RFC 4592)')
+            )
+        ),
+
+
+        dict(
             desc='Add A denormalized record in zone %r' % (idnzone1),
             command=('dnsrecord_add', [idnzone1, u'gro\xdf'], {'arecord': u'172.16.0.1'}),
             expected=errors.ConversionError(name='name',
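Review bot: The four new cases exercise only `dnsrecord_add`; a companion case that calls `dnsrecord_mod` on an existing `wildcard_rec1` with `{'nsrecord': zone2_ns}` and expects the same ValidationError would show whether the check in patch 1 also covers modification, which is where an NS or CNAME could otherwise be slipped under an already-created wildcard owner. A positive case adding an A record at `wildcard_rec1` would pin that the restriction is type-specific and does not break ordinary wildcard records (if such a case already exists earlier in the file, a short reference to it in the desc would help). The DS case uses the placeholder rdata `u'0 0 0 00'`; if the DS parser checks digest length, the command could fail on the rdata rather than on the owner, so a well-formed DS value would make the assertion unambiguous.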
@@ -2744,6 +2790,16 @@ class test_dns(Declarative):
 
 
         dict(
+            desc='Try to create forward zone %r with wildcard domain name' % zone_fw_wildcard,
+            command=(
+                'dnsforwardzone_add', [zone_fw_wildcard], {'idnsforwardpolicy': u'none'}
+            ),
+            expected=errors.ValidationError(name='name',
+                error=u'should not be a wildcard domain name (RFC 4592)')
+        ),
+
+
+        dict(
             desc='Try to create forward zone %r without forwarders with default "(first)" policy' % fwzone1,
             command=(
                 'dnsforwardzone_add', [fwzone1], {}
-- 
1.8.3.1
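Review bot: The new case covers only `dnsforwardzone_add`, while patch 1 attaches `_no_wildcard_validator` to `DNSZoneBase.idnsname`, so the master-zone path is left untested; add the mirror case `command=('dnszone_add', [u'*.wildcardzone.test.'], {})` with the same `expected=errors.ValidationError(name='name', error=u'should not be a wildcard domain name (RFC 4592)')`. Having both zone types asserted keeps them in sync if the validator is later moved out of the shared base class.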
