While working on DNSSEC we found that the coexistence validation of NS records was wrong (an NS record was accepted next to record types that cannot share an owner name with a delegation).
Patch 0113 (3/3 below) works around a test failure caused by a bind-dyndb-ldap bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/123
Patches attached.
--
Martin Basti
From 625b69151f3ff7d8fb18e62b2cc9542fc03b7c17 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Thu, 21 Aug 2014 18:08:10 +0200
Subject: [PATCH 1/3] DNS fix NS record coexistence validator
An NS record can coexist only with A, AAAA, DS and other NS records (except at the zone apex).
---
ipalib/plugins/dns.py | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index c7a6ae1baac595eb7344bafaf6b893820b691871..24b303d8405aa3b4a6e0474e75d0e46e6949860d 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2919,11 +2919,6 @@ class dnsrecord(LDAPObject):
error=_('only one DNAME record is allowed per name '
'(RFC 6672, section 2.4)'))
# DNAME must not coexist with CNAME, but this is already checked earlier
- if rrattrs.get('nsrecord') and not keys[1].is_empty():
- raise errors.ValidationError(name='dnamerecord',
- error=_('DNAME record is not allowed to coexist with an '
- 'NS record except when located in a zone root '
- 'record (RFC 6672, section 2.3)'))
# DS record validation
dsrecords = rrattrs.get('dsrecord')
@@ -2935,6 +2930,22 @@ class dnsrecord(LDAPObject):
error=_('DS record requires to coexist with an '
'NS record (RFC 4529, section 4.6)'))
+ # NS record validation
+ # NS record can coexist only with A, AAAA, DS, and other NS records (except zone apex)
+ # RFC 2181 section 6.1,
+ allowed_records = ['AAAA', 'A', 'DS', 'NS']
+ if nsrecords and not self.is_pkey_zone_record(*keys):
+ for r_type in _record_types:
+ if (r_type not in allowed_records
+ and rrattrs.get('%srecord' % r_type.lower())
+ ):
+ raise errors.ValidationError(
+ name='nsrecord',
+ error=_('NS record is not allowed to coexist with an '
+ '%(type)s record except when located in a '
+ 'zone root record (RFC 2181, section 6.1)') %
+ {'type': r_type})
+
def _entry2rrsets(self, entry_attrs, dns_name, dns_domain):
'''Convert entry_attrs to a dictionary {rdtype: rrset}.
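Review bot: The new loop rejects every type outside `allowed_records`, so if `_record_types` lists the DNSSEC types a signed parent legitimately holds at a delegation point (RRSIG, NSEC, NSEC3; RFC 4035 section 2.3), valid signed delegations are now refused — either add them to the allow-list or say in the comment why they can never appear in an LDAP-stored entry. `nsrecords` is not assigned in this hunk and presumably comes from the DS check just above; worth confirming it is `rrattrs.get('nsrecord')` and that `rrattrs` already includes the entry's existing records on `dnsrecord_mod`, otherwise adding a TXT record to an already delegated name would bypass the check. The message `'with an %(type)s record'` produces "an DNAME" / "an TXT"; `'with a %(type)s record'` reads correctly, and the test in 2/3 pins whichever wording is chosen. Using a set, `allowed_records = {'A', 'AAAA', 'DS', 'NS'}`, is the idiomatic form for the membership test. The enclosing method starts before this hunk.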
--
1.8.3.1
From 161daf7b0561119300db048112b9b8021c5dcf6c Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Thu, 21 Aug 2014 18:09:22 +0200
Subject: [PATCH 2/3] Test: DNS NS validation
---
ipatests/test_xmlrpc/test_dns_plugin.py | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 97e567d29237ad647a71f804e20c52ac0700421a..d2d5b3c0ce8c6d7ab714af15d3c95aa846f72313 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -123,6 +123,10 @@ name1_dn = DN(('idnsname',name1), zone1_dn)
name1_renamed = u'testdnsres-renamed'
name1_renamed_dnsname = DNSName(name1_renamed)
+name_ns = u'testdnsres-ns'
+name_ns_dnsname = DNSName(name_ns)
+name_ns_dn = DN(('idnsname',name_ns), zone1_dn)
+
revname1 = u'80'
revname1_dnsname = DNSName(revname1)
revname1_ip = revzone1_ipprefix + revname1
@@ -1168,9 +1172,10 @@ class test_dns(Declarative):
desc='Try to add NS record to %r using dnsrecord_add' % (dname),
command=('dnsrecord_add', [zone1, dname],
{'nsrecord': u'%s.%s.' % (name1, zone1)}),
- expected=errors.ValidationError(name='dnamerecord',
- error=u'DNAME record is not allowed to coexist with an NS '
- u'record except when located in a zone root record (RFC 6672, section 2.3)'),
+ expected=errors.ValidationError(name='nsrecord',
+ error=u'NS record is not allowed to coexist with an DNAME '
+ u'record except when located in a zone root record '
+ '(RFC 2181, section 6.1'),
),
dict(
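Review bot: The expected message on the last added line drops the closing parenthesis — `'(RFC 2181, section 6.1'` against the validator's `'(RFC 2181, section 6.1)'` — so this assertion fails until 3/3 corrects it; fold that one-character fix into this commit so each patch in the series passes on its own. The string also pins the ungrammatical "an DNAME"; if the validator wording is changed to `'with a %(type)s record'`, update this expectation in the same commit. The `test_dns` class begins before this hunk.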
@@ -1245,32 +1250,29 @@ class test_dns(Declarative):
dict(
- desc='Try to add unresolvable absolute NS record to %r using dnsrecord_add' % (name1),
- command=('dnsrecord_add', [zone1, name1], {'nsrecord': absnxname}),
+ desc='Try to add unresolvable absolute NS record to %r using dnsrecord_add' % (name_ns),
+ command=('dnsrecord_add', [zone1, name_ns], {'nsrecord': absnxname}),
expected=errors.NotFound(reason=u"Nameserver '%s' does not have a corresponding A/AAAA record" % absnxname),
),
dict(
- desc='Try to add unresolvable relative NS record to %r using dnsrecord_add' % (name1),
- command=('dnsrecord_add', [zone1, name1], {'nsrecord': relnxname}),
+ desc='Try to add unresolvable relative NS record to %r using dnsrecord_add' % (name_ns),
+ command=('dnsrecord_add', [zone1, name_ns], {'nsrecord': relnxname}),
expected=errors.NotFound(reason=u"Nameserver '%s.%s.' does not "
"have a corresponding A/AAAA record" % (relnxname, zone1)),
),
dict(
- desc='Add unresolvable NS record with --force to %r using dnsrecord_add' % (name1),
- command=('dnsrecord_add', [zone1, name1], {'nsrecord': absnxname,
+ desc='Add unresolvable NS record with --force to %r using dnsrecord_add' % (name_ns),
+ command=('dnsrecord_add', [zone1, name_ns], {'nsrecord': absnxname,
'force' : True}),
expected={
- 'value': name1_dnsname,
+ 'value': name_ns_dnsname,
'summary': None,
'result': {
'objectclass': objectclasses.dnsrecord,
- 'dn': name1_dn,
- 'idnsname': [name1_dnsname],
- 'arecord': [arec3],
- 'kxrecord': [u'1 foo-1'],
- 'txtrecord': [u'foo bar'],
+ 'dn': name_ns_dn,
+ 'idnsname': [name_ns_dnsname],
'nsrecord': [absnxname],
},
},
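Review bot: Moving the NS steps to `name_ns` keeps the positive path green but leaves the new rule without the negative test that motivated it: adding an NS record to `name1`, which at this point carries A, KX and TXT records, must now raise `ValidationError(name='nsrecord', ...)`. Add a step `command=('dnsrecord_add', [zone1, name1], {'nsrecord': absnxname, 'force': True})` expecting that error, and the reverse direction (adding a TXT record to `name_ns` once it holds an NS record) so both sides of the coexistence check are exercised. The `test_dns` class begins before this hunk.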
@@ -1294,7 +1296,6 @@ class test_dns(Declarative):
'arecord': [arec3],
'kxrecord': [u'1 foo-1'],
'txtrecord': [u'foo bar'],
- 'nsrecord': [absnxname],
},
},
),
--
1.8.3.1
From df72d4e8f8f73afb8a6195e99f19ba7c96176782 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Thu, 21 Aug 2014 19:11:27 +0200
Subject: [PATCH 3/3] Fix DNS record rename test
A bind-dyndb-ldap bug caused the rename test to fail:
https://fedorahosted.org/bind-dyndb-ldap/ticket/123
Owner names carrying an NS record are not affected by the bug, so the rename test now uses such a record.
---
ipatests/test_xmlrpc/test_dns_plugin.py | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index d2d5b3c0ce8c6d7ab714af15d3c95aa846f72313..4085871ec4ebe2e03e6fee2460f159da2c3bf855 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -120,12 +120,12 @@ revzone3_classless2_permission_dn = DN(('cn', revzone3_classless2_permission),
name1 = u'testdnsres'
name1_dnsname = DNSName(name1)
name1_dn = DN(('idnsname',name1), zone1_dn)
-name1_renamed = u'testdnsres-renamed'
-name1_renamed_dnsname = DNSName(name1_renamed)
name_ns = u'testdnsres-ns'
name_ns_dnsname = DNSName(name_ns)
name_ns_dn = DN(('idnsname',name_ns), zone1_dn)
+name_ns_renamed = u'testdnsres-ns-renamed'
+name_ns_renamed_dnsname = DNSName(name_ns_renamed)
revname1 = u'80'
revname1_dnsname = DNSName(revname1)
@@ -1175,7 +1175,7 @@ class test_dns(Declarative):
expected=errors.ValidationError(name='nsrecord',
error=u'NS record is not allowed to coexist with an DNAME '
u'record except when located in a zone root record '
- '(RFC 2181, section 6.1'),
+ '(RFC 2181, section 6.1)'),
),
dict(
@@ -1280,34 +1280,33 @@ class test_dns(Declarative):
dict(
desc='Try to to rename DNS zone %r root record' % (zone1),
- command=('dnsrecord_mod', [zone1, u'@'], {'rename': name1_renamed,}),
+ command=('dnsrecord_mod', [zone1, u'@'], {'rename': u'renamed-zone',}),
expected=errors.ValidationError(name='rename',
error=u'DNS zone root record cannot be renamed')
),
+
dict(
- desc='Rename DNS record %r to %r' % (name1, name1_renamed),
- command=('dnsrecord_mod', [zone1, name1], {'rename': name1_renamed,}),
+ desc='Rename DNS record %r to %r' % (name_ns, name_ns_renamed),
+ command=('dnsrecord_mod', [zone1, name_ns], {'rename': name_ns_renamed,}),
expected={
- 'value': name1_dnsname,
+ 'value': name_ns_dnsname,
'summary': None,
'result': {
- 'idnsname': [name1_renamed_dnsname],
- 'arecord': [arec3],
- 'kxrecord': [u'1 foo-1'],
- 'txtrecord': [u'foo bar'],
+ 'idnsname': [name_ns_renamed_dnsname],
+ 'nsrecord': [absnxname],
},
},
),
dict(
- desc='Delete record %r in zone %r' % (name1_renamed, zone1),
- command=('dnsrecord_del', [zone1, name1_renamed],
+ desc='Delete record %r in zone %r' % (name1, zone1),
+ command=('dnsrecord_del', [zone1, name1],
{'del_all': True}),
expected={
- 'value': [name1_renamed_dnsname],
- 'summary': u'Deleted record "%s"' % name1_renamed,
+ 'value': [name1_dnsname],
+ 'summary': u'Deleted record "%s"' % name1,
'result': {'failed': []},
},
),
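Review bot: Switching the rename step to `name_ns` works around bind-dyndb-ldap ticket 123 but silently drops the only coverage of renaming an owner that holds A/KX/TXT records, and nothing in the test file records why; add a comment above the dict, e.g. `# Renaming an owner with non-NS records trips bind-dyndb-ldap bug #123; restore the name1 case once it is fixed`, or keep the original step as a known failure so the regression is noticed when the bug is resolved. The bare `u'renamed-zone'` literal replaces a shared constant; a module-level name alongside `name_ns_renamed` would keep it consistent with the other fixtures. This hunk ends inside `test_dns`, whose definition continues beyond it.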
--
1.8.3.1