Re: [Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Thu, 04 Sep 2014 04:03:43 -0700 

On 04/09/14 11:46, Petr Spacek wrote:

On 3.9.2014 16:42, Martin Basti wrote:

On 02/09/14 17:16, Petr Spacek wrote:

On 20.8.2014 19:26, Martin Basti wrote:

Part of DNSSEC
Patches attached.


NACK

# ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'

ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with 
an NS

record (RFC 4529, section 4.6)


RFC number is incorrect. IMHO it should also reference 'RFC 4035 
section 2.4'.


Also, there is one hole:

Current code allows you to add DS RR to existing NS and then to 
remove NS.



Let me know if adding a check to -del is too hard, maybe we can live 
without

it...


dnsrecord-del validation added

Updated patch attached

Required in ipa 4.1 but this could be pushed to 4.0.x  too



It almost works ... almost. I'm not sure if the problem is in your 
patch or in existing code:


[root@vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
  Record name: ds
  DS record: 1 2 3 4
  NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=

ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an 
NS record (RFC 4592 section 4.6, RFC 4035 section 2.4)


[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
  Record name: ds
  NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: an internal error has occurred

# tail /var/log/httpd/error_log


ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() => 
PrimaryKey.validate():
  output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
'list'>: [<DNS name ds>]

Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 
348, in wsgi_execute

    result = self.Command[name](*args, **options)

  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
451, in __call__

    self.validate_output(ret, options['version'])

  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
944, in validate_output

    o.validate(self, value, version)

  File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, 
in validate

    types[0], type(value), value))
TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():

  output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
'list'>: [<DNS name ds>]
ipa: INFO: [jsonserver_session] [email protected]: dnsrecord_mod(<DNS 
name ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, 
structured=False, all=False, raw=False, version=u'2.102'): TypeError



This bug is not related with the patches.

Error is raised when you try to delete the last record in RRset using 
dnsrecord-mod --any-rec=""


--
Martin Basti

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel






















					Reply via email to