On 02/09/14 17:33, Petr Spacek wrote:
On 21.8.2014 10:58, Martin Basti wrote:
On 21/08/14 08:43, Petr Spacek wrote:
On 20.8.2014 17:37, Martin Basti wrote:
+ # dissallowed wildcard (RFC 4592)
+ no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']
NACK
http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME
with
wildcard owner name. This subsection is just a "note" for
implementers
about proper wildcard handling.
Sorry :-)
Thank you!
Updated patches attached.
# ipa dnsrecord-add ipa.example. '*' --ns-rec='ns'
ipa: ERROR: invalid 'idnsname': owner of DNAME, DS, NS records should
not be a wildcard domain name (RFC 4592)
It would be nice to have a more specific reference to the RFC: 'RFC 4592
section 4'.
CondACK: It can be pushed if you amend the error message.
Updated patch attached.
Please push to branches: ipa 4.0.x, 4.1, master
--
Martin Basti
From 4911277dc84f29359f308f3df4a7a9aa29600bc9 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Wed, 20 Aug 2014 15:14:12 +0200
Subject: [PATCH 1/2] FIX DNS wildcard records (RFC4592)
Make validation more strict
* DS, NS, DNAME owners should not be a wildcard domain name
* zone name should not be a wildcard domain name
Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
ipalib/plugins/dns.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index fdcccb0b74a2b044a1ad917d22d2fe9696d7584c..aba30dd3f3ca2f06058a05f5c0350e1a3e8eb2e5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
return None
+def _no_wildcard_validator(ugettext, value):
+ """Disallow usage of wildcards as RFC 4592 section 4 recommends
+ """
+ assert isinstance(value, DNSName)
+ if value.is_wild():
+ return _('should not be a wildcard domain name (RFC 4592 section 4)')
+ return None
+
def is_forward_record(zone, str_address):
addr = netaddr.IPAddress(str_address)
if addr.version == 4:
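Review bot: The `assert isinstance(value, DNSName)` on the new validator is stripped under `python -O`, so the type expectation is only enforced in debug runs; with a non-DNSName value the failure would then surface as an AttributeError from `.is_wild()` rather than as a validation result. If the neighbouring `_hostname_validator` uses the same assert idiom this is consistent with the file, but the contract should at least be visible in the docstring, e.g. `"""Reject wildcard owner names (RFC 4592 section 4). Expects a DNSName."""`. Note that `is_wild()` matches only a leftmost `*` label, which is exactly the RFC 4592 definition of a wildcard, so the check itself looks correct.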
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
takes_params = (
DNSNameParam('idnsname',
+ _no_wildcard_validator, # RFC 4592 section 4
only_absolute=True,
cli_name='name',
label=_('Zone name'),
@@ -2619,6 +2628,19 @@ class dnsrecord(LDAPObject):
error=unicode(_('out-of-zone data: record name must '
'be a subdomain of the zone or a '
'relative name')))
+ # dissallowed wildcard (RFC 4592 section 4)
+ no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
+ if (keys[-1].is_wild() and
+ any(entry_attrs.get('%srecord' % r.lower())
+ for r in no_wildcard_rtypes)
+ ):
+ raise errors.ValidationError(
+ name='idnsname',
+ error=(_('owner of %(types)s records '
+ 'should not be a wildcard domain name (RFC 4592 section 4)') %
+ {'types': ', '.join(no_wildcard_rtypes)}
+ )
+ )
def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
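Review bot: The new wildcard-owner check only inspects the record attributes supplied by the current operation, so if this callback is reached only from dnsrecord_add, a later dnsrecord_mod that adds an nsrecord to an existing wildcard owner would presumably bypass it; the enclosing function starts outside the hunk, so which commands reach it cannot be confirmed here and a test for the modify path would settle it. The inline comment has a typo and should read `# disallowed wildcard owners (RFC 4592 section 4)`. `no_wildcard_rtypes` is also rebuilt on every call and its contents are repeated in the error text; a module-level constant would give the plugin and the tests one source of truth for the list.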
--
1.8.3.1
From b896636140c320b93d87f86578a8381fd3fd9091 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Wed, 20 Aug 2014 17:26:34 +0200
Subject: [PATCH 2/2] Tests: DNS wildcard records
Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
ipatests/test_xmlrpc/test_dns_plugin.py | 47 ++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 50b4d2ec7bf4d55f7d138f45993184f1bf7790bd..1876e1440eda6b357810765fe92712d750ce36f3 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -263,6 +263,7 @@ zone_findtest_forward = u'forward.find.test.'
zone_findtest_forward_dnsname = DNSName(zone_findtest_forward)
zone_findtest_forward_dn = DN(('idnsname', zone_findtest_forward), api.env.container_dns, api.env.basedn)
+zone_fw_wildcard = u'*.wildcardforwardzone.test.'
class test_dns(Declarative):
@@ -289,7 +290,8 @@ class test_dns(Declarative):
revzone3_classless1, revzone3_classless2,
idnzone1, revidnzone1, zone_findtest_master],
{'continue': True}),
- ('dnsforwardzone_del', [fwzone1, zone_findtest_forward],
+ ('dnsforwardzone_del', [fwzone1, zone_findtest_forward,
+ zone_fw_wildcard],
{'continue': True}),
('dnsconfig_mod', [], {'idnsforwarders' : None,
'idnsforwardpolicy' : None,
@@ -2736,6 +2738,39 @@ class test_dns(Declarative):
dict(
+ desc='Try to add NS record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+ command=('dnsrecord_add', [zone1, wildcard_rec1], {'nsrecord': zone2_ns, 'force': True}),
+ expected=errors.ValidationError(
+ name='idnsname',
+ error=(u'owner of DNAME, DS, NS records '
+ 'should not be a wildcard domain name (RFC 4592 section 4)')
+ )
+ ),
+
+
+ dict(
+ desc='Try to add DNAME record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+ command=('dnsrecord_add', [zone1, wildcard_rec1], {'dnamerecord': u'dname.test.'}),
+ expected=errors.ValidationError(
+ name='idnsname',
+ error=(u'owner of DNAME, DS, NS records '
+ 'should not be a wildcard domain name (RFC 4592 section 4)')
+ )
+ ),
+
+
+ dict(
+ desc='Try to add DS record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+ command=('dnsrecord_add', [zone1, wildcard_rec1], {'dsrecord': u'0 0 0 00'}),
+ expected=errors.ValidationError(
+ name='idnsname',
+ error=(u'owner of DNAME, DS, NS records '
+ 'should not be a wildcard domain name (RFC 4592 section 4)')
+ )
+ ),
+
+
+ dict(
desc='Add A denormalized record in zone %r' % (idnzone1),
command=('dnsrecord_add', [idnzone1, u'gro\xdf'], {'arecord': u'172.16.0.1'}),
expected=errors.ConversionError(name='name',
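Review bot: The three new cases exercise only dnsrecord_add; a case that first creates wildcard_rec1 with an allowed record type and then adds an nsrecord through dnsrecord_mod would show whether the server-side check also covers modification, which these cases leave open. The expected error text is duplicated three times; a module constant such as `wildcard_owner_err = u'owner of DNAME, DS, NS records should not be a wildcard domain name (RFC 4592 section 4)'` would keep the cases in sync with the plugin message. Whether wildcard_rec1 already exists with an allowed record type when these cases run is not visible in the hunk.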
@@ -2744,6 +2779,16 @@ class test_dns(Declarative):
dict(
+ desc='Try to create forward zone %r with wildcard domain name' % zone_fw_wildcard,
+ command=(
+ 'dnsforwardzone_add', [zone_fw_wildcard], {'idnsforwardpolicy': u'none'}
+ ),
+ expected=errors.ValidationError(name='name',
+ error=u'should not be a wildcard domain name (RFC 4592 section 4)')
+ ),
+
+
+ dict(
desc='Try to create forward zone %r without forwarders with default "(first)" policy' % fwzone1,
command=(
'dnsforwardzone_add', [fwzone1], {}
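Review bot: Only the forward-zone path of the new idnsname validator is covered; since the validator was attached to DNSZoneBase, a matching dnszone_add case with a wildcard name (for example `u'*.wildcardzone.test.'`) would pin the master-zone path too, with the name added to the dnszone_del cleanup list the way zone_fw_wildcard was added to dnsforwardzone_del. The expected error here uses `name='name'` while the record cases use `name='idnsname'`; that is presumably how parameter validation errors are reported (cli_name) versus callback-raised ones, but it is worth confirming against an actual run before pushing.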
--
1.8.3.1