Re: [Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Petr Spacek Thu, 04 Sep 2014 04:12:13 -0700

On 4.9.2014 13:02, Martin Basti wrote:

On 04/09/14 11:46, Petr Spacek wrote:

On 3.9.2014 16:42, Martin Basti wrote:

On 02/09/14 17:16, Petr Spacek wrote:

On 20.8.2014 19:26, Martin Basti wrote:

Part of DNSSEC
Patches attached.


NACK

# ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
record (RFC 4529, section 4.6)

RFC number is incorrect. IMHO it should also reference 'RFC 4035 section
2.4'.

Also, there is one hole:
Current code allows you to add DS RR to existing NS and then to remove NS.

Let me know if adding a check to -del is too hard, maybe we can live without
it...

dnsrecord-del validation added

Updated patch attached

Required in ipa 4.1 but this could be pushed to 4.0.x  too


It almost works ... almost. I'm not sure if the problem is in your patch or
in existing code:

[root@vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
  Record name: ds
  DS record: 1 2 3 4
  NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
record (RFC 4592 section 4.6, RFC 4035 section 2.4)

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
  Record name: ds
  NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: an internal error has occurred

# tail /var/log/httpd/error_log

ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() =>
PrimaryKey.validate():
  output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
'list'>: [<DNS name ds>]
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348,
in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 451, in
__call__
    self.validate_output(ret, options['version'])
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 944, in
validate_output
    o.validate(self, value, version)
  File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, in
validate
    types[0], type(value), value))
TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():
  output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
'list'>: [<DNS name ds>]
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsrecord_mod(<DNS name
ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, structured=False,
all=False, raw=False, version=u'2.102'): TypeError

This bug is not related with the patches.
Error is raised when you try to delete the last record in RRset using
dnsrecord-mod --any-rec=""

Okay, functional ACK. Please send a separate patch for this problem or atleast open a ticket and describe what is wrong with it.


It can be pushed if Python gurus are okay with the code.

Thank you!

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Reply via email to