Part of DNSSEC
Patches attached.

--
Martin Basti

From f5e3b504911a1729546e45f33d2008e7ab1c421d Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 20 Aug 2014 18:51:25 +0200
Subject: [PATCH 1/2] DNSSEC: fix DS record validation

Part of: https://fedorahosted.org/freeipa/ticket/3801
---
 ipalib/plugins/dns.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index c301e0fb20381c89ed059266992d25dadb19a6bc..f134f2c67b222876103da1c8bbaa009208f3c163 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2610,6 +2610,14 @@ class dnsrecord(LDAPObject):
                            doc=_('Parse all raw DNS records and return them in a structured way'),
                            )
 
+    def _dsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+        dsrecords = entry_attrs.get('dsrecord')
+        if dsrecords and self.is_pkey_zone_record(*keys):
+            raise errors.ValidationError(
+                name='dsrecord',
+                error=unicode(_('DS record must not be in zone apex (RFC 4035 section 2.4)')))
+
     def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         nsrecords = entry_attrs.get('nsrecord')
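Review bot: The new `_dsrecord_pre_callback` has no docstring and wraps its message in `unicode(...)`, while the DS/NS check added later in the same patch hands the bare `_()` result to `errors.ValidationError`; the two DS messages should be built the same way, matching whatever the neighbouring `_nsrecord_pre_callback` does. A one-line docstring would state the contract: `"""Reject a DS RRset at the zone apex; DS lives only on the parental side of a delegation (RFC 4035 section 2.4)."""`. The check only fires when `dsrecord` is among the attributes being written, so it presumably is not revisited when other attributes of an existing entry change — confirm that both the add and the mod paths reach this callback. `_nsrecord_pre_callback` continues past the end of the hunk.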
@@ -2917,6 +2925,17 @@ class dnsrecord(LDAPObject):
                                   'NS record except when located in a zone root '
                                   'record (RFC 6672, section 2.3)'))
 
+        # DS record validation
+        dsrecords = rrattrs.get('dsrecord')
+        nsrecords = rrattrs.get('nsrecord')
+        # DS record cannot be in zone apex, checked in pre-callback validators
+        if dsrecords and not nsrecords:
+            raise errors.ValidationError(
+                name='dsrecord',
+                error=_('DS record requires to coexist with an '
+                         'NS record (RFC 4529, section 4.6)'))
+
+
     def _entry2rrsets(self, entry_attrs, dns_name, dns_domain):
         '''Convert entry_attrs to a dictionary {rdtype: rrset}.
 
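Review bot: The `dsrecord` ValidationError cites `RFC 4529, section 4.6`, but RFC 4529 is an LDAP specification; the rule that a DS RRset exists only alongside an NS RRset at a delegation point is RFC 4592 section 4.6 (together with RFC 4035 section 2.4), so the message should read `error=_('DS record requires to coexist with an NS record (RFC 4592, section 4.6)')` and the matching expectation in the test patch updated with it. This check only looks at the RRsets in `rrattrs`, so removing the NS RRset from a name that already holds a DS would presumably leave an orphaned DS unless the delete path runs the same validation — worth confirming before relying on this for DNSSEC correctness. The comment `DS record cannot be in zone apex, checked in pre-callback validators` is helpful; the two trailing blank lines before `_entry2rrsets` are one more than the surrounding methods use. The enclosing method starts before the hunk.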
-- 
1.8.3.1

From 15ea9a3e9b69fb49fa802199f959d3fe479c2153 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 20 Aug 2014 18:53:49 +0200
Subject: [PATCH 2/2] Tests: DNS dsrecord validation

Part of: https://fedorahosted.org/freeipa/ticket/3801
---
 ipatests/test_xmlrpc/test_dns_plugin.py | 61 +++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index f4111b0086f49f80e34be0e879d247cd9a89007e..6b9cbe2d57b8e528a0d83974429c6e9d1b2b77e7 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -147,6 +147,12 @@ dlv_dn = DN(('idnsname', dlv), zone1_dn)
 
 dlvrec = u'60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118'
 
+ds = u'ds'
+ds_dnsname = DNSName(ds)
+ds_dn = DN(('idnsname', ds), zone1_dn)
+
+ds_rec = u'0 0 0 00'
+
 tlsa = u'tlsa'
 tlsa_dnsname = DNSName(tlsa)
 tlsa_dn = DN(('idnsname', tlsa), zone1_dn)
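Review bot: The fixture `ds_rec = u'0 0 0 00'` uses key tag 0, algorithm 0 and digest type 0, all reserved values under RFC 4034 Appendix A, so the tests exercise the new apex/NS rules with a DS that no field-level validator would accept, and the fact that a later step expects it to be stored suggests there is no per-field DS validation yet. Use a well-formed record of the shape the file already uses for `dlvrec`, e.g. `ds_rec = u'60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118'`, so the tests keep passing if DS field validation is added later.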
@@ -1323,6 +1329,61 @@ class test_dns(Declarative):
 
 
         dict(
+            desc='Try to add DS record to zone %r apex, using dnsrecord_add' % (zone1),
+            command=('dnsrecord_add', [zone1, zone1_absolute], {'dsrecord': ds_rec}),
+            expected=errors.ValidationError(
+                name="dsrecord",
+                error=u'DS record must not be in zone apex (RFC 4035 section 2.4)'
+            ),
+        ),
+
+
+        dict(
+            desc='Try to add DS record %r without NS record in RRset, using dnsrecord_add' % (ds),
+            command=('dnsrecord_add', [zone1, ds], {'dsrecord': ds_rec}),
+            expected=errors.ValidationError(
+                name="dsrecord",
+                error=u'DS record requires to coexist with an NS record (RFC 4529, section 4.6)'
+            ),
+        ),
+
+
+        dict(
+            desc='Add NS record to %r using dnsrecord_add' % (ds),
+            command=('dnsrecord_add', [zone1, ds],
+                     {'nsrecord': zone1_ns}),
+            expected={
+                'value': ds_dnsname,
+                'summary': None,
+                'result': {
+                    'objectclass': objectclasses.dnsrecord,
+                    'dn': ds_dn,
+                    'idnsname': [ds_dnsname],
+                    'nsrecord': [zone1_ns],
+                },
+            },
+        ),
+
+
+        dict(
+            desc='Add DS record to %r using dnsrecord_add' % (ds),
+            command=('dnsrecord_add', [zone1, ds],
+                     {'dsrecord': ds_rec}),
+            expected={
+                'value': ds_dnsname,
+                'summary': None,
+                'result': {
+                    'objectclass': objectclasses.dnsrecord,
+                    'dn': ds_dn,
+                    'idnsname': [ds_dnsname],
+                    'nsrecord': [zone1_ns],
+                    'dsrecord': [ds_rec],
+                },
+            },
+        ),
+
+
+        dict(
             desc='Delete record %r in zone %r' % (dlv, zone1),
             command=('dnsrecord_del', [zone1, dlv], {'del_all': True}),
             expected={
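Review bot: The expected message in the "without NS record" case hard-codes `(RFC 4529, section 4.6)`; RFC 4529 is an LDAP document and the DS/NS rule comes from RFC 4592 section 4.6, so this expectation must change together with the plugin message. Two cases are missing: adding a DS to the apex through `dnsrecord_mod` (the apex case only uses `dnsrecord_add`), and deleting the NS RRset from `ds` after the DS is stored, which should be rejected or the DS would be orphaned. The `ds` entry is not removed in the visible steps while the following step cleans up `dlv`; presumably a later step deletes it, otherwise the leftover entry can mask failures in subsequent tests. The test list continues outside the hunk.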
-- 
1.8.3.1
