Hello,
bad things will happen (i.e. external DNS resolution will not work) if
the configured DNS forwarders are not standards-compliant, i.e. EDNS or DNSSEC
support is not enabled.
For this reason I'm proposing to add an explicit check to the IPA installer and
possibly even to the dnsconfig-mod/dnszone-mod commands so forwarders can be
tested before putting them in effect.
This check should detect failures early and prevent surprises where IPA
installs itself but DNS resolution doesn't work for some domains, etc.
Please voice your concerns ASAP.
--
Petr^2 Spacek
import sys

import dns.exception
import dns.flags
import dns.name
import dns.rdataclass
import dns.rdatatype
import dns.resolver


def test_forwarder(ip_addr):
    """Test DNS forwarder properties.

    :returns:
        True if forwarder works as expected and supports DNSSEC.
        False if forwarder does not support DNSSEC.
        None if forwarder does not respond.
    """
    # configure=False: do not read /etc/resolv.conf, talk only to the forwarder under test
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [ip_addr]
    # enable Authenticated Data + Checking Disabled flags
    res.set_flags(dns.flags.AD | dns.flags.CD)
    # enable EDNS v0 + enable DNSSEC-Ok flag; advertise a 4096-byte UDP payload
    # so the signed answer does not have to be truncated and retried over TCP
    res.use_edns(0, dns.flags.DO, 4096)
    # DNS root has to be signed, so a DNSSEC-capable forwarder must return
    # an RRSIG covering the root NS RRset in the answer section
    try:
        ans = res.resolve('.', 'NS')   # dnspython >= 2.0; on 1.x use res.query()
    except dns.exception.DNSException as e:
        print('DNS forwarder %s does not work: %s: %s' % (ip_addr,
                                                          type(e).__name__, e))
        return None
    try:
        ans.response.find_rrset(ans.response.answer, dns.name.root,
                                dns.rdataclass.IN, dns.rdatatype.RRSIG,
                                dns.rdatatype.NS)
    except KeyError:
        print('DNS forwarder %s does not return DNSSEC signatures in answers.' % ip_addr)
        print('Please fix forwarder configuration to enable DNSSEC support.')
        print('(For BIND 9 add directive "dnssec-enable yes;" to "options {}")')
        print('(debug) Received DNS response:')
        print(ans.response)
        return False
    return True


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: %s FORWARDER_IP' % sys.argv[0])
    print(test_forwarder(sys.argv[1]))
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
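The check above relies on dnspython to build the query and inspect the answer. The following is an added example, not FreeIPA project code and not the script from the post: it builds the same query by hand (`. NS`, AD+CD set, an EDNS0 OPT record with the DO bit) and classifies a raw response by whether it carries an OPT RR and an RRSIG covering the root NS RRset, which is exactly what a forwarder that strips EDNS or has DNSSEC disabled fails to return. It uses only the standard library, so the constructed sample responses (not captured traffic) let it run offline; `query_forwarder()` is the assumed way a caller would point it at a real forwarder, and the 4096-byte UDP size is an assumed value.

```python
"""Wire-level EDNS0/DNSSEC capability check for a DNS forwarder (added example)."""
import socket
import struct

TYPE_NS = 2
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
FLAG_RD = 0x0100
FLAG_TC = 0x0200
FLAG_AD = 0x0020
FLAG_CD = 0x0010
EDNS_DO = 0x8000        # DNSSEC OK bit, lives in the OPT RR's TTL field
EDNS_UDP_SIZE = 4096    # assumed advertised UDP payload size, lives in the OPT RR's CLASS field


def build_root_ns_query(txid=0x1234):
    """Query for '. NS' with RD, AD and CD set plus an EDNS0 OPT RR carrying DO."""
    header = struct.pack('!HHHHHH', txid, FLAG_RD | FLAG_AD | FLAG_CD, 1, 0, 0, 1)
    question = b'\x00' + struct.pack('!HH', TYPE_NS, CLASS_IN)      # owner '.', NS, IN
    # OPT RR: owner '.', TYPE OPT, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, EDNS_UDP_SIZE, EDNS_DO, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name starting at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(wire):
    """Classify a raw response to the query above.

    Returns {'edns': OPT RR present, 'dnssec': RRSIG covering NS in the answer
    section, 'truncated': TC set (retry over TCP before judging)}.
    Raises ValueError on a non-zero RCODE.
    """
    _txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', wire[:12])
    if flags & 0x000F:
        raise ValueError('forwarder returned RCODE %d' % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4          # skip QTYPE + QCLASS
    result = {'edns': False, 'dnssec': False, 'truncated': bool(flags & FLAG_TC)}
    for section, count in (('answer', an), ('authority', ns), ('additional', ar)):
        for _ in range(count):
            off = _skip_name(wire, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', wire[off:off + 10])
            off += 10
            rdata = wire[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:
                result['edns'] = True
            elif section == 'answer' and rtype == TYPE_RRSIG and rdlen >= 2:
                # the first two bytes of RRSIG RDATA are the covered type
                if struct.unpack('!H', rdata[:2])[0] == TYPE_NS:
                    result['dnssec'] = True
    return result


def query_forwarder(ip_addr, timeout=3.0):
    """Send the query over UDP to ip_addr:53; return raw bytes, or None on timeout."""
    family, _, _, _, sockaddr = socket.getaddrinfo(ip_addr, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_root_ns_query(), sockaddr)
            return sock.recvfrom(EDNS_UDP_SIZE)[0]
        except socket.timeout:
            return None


def _rr(rtype, rclass, ttl, rdata, owner=b'\x00'):
    return owner + struct.pack('!HHIH', rtype, rclass, ttl, len(rdata)) + rdata


def _response(txid, answers, additional):
    header = struct.pack('!HHHHHH', txid, 0x8180 | FLAG_AD, 1, len(answers), 0, len(additional))
    return header + b'\x00' + struct.pack('!HH', TYPE_NS, CLASS_IN) + b''.join(answers + additional)


# Constructed sample responses (not captured traffic). The RRSIG RDATA is a placeholder:
# covered type NS, algorithm 8, zero labels/times/key tag, signer '.', 16 zero signature
# bytes; only the covered-type field matters to this check.
_NS_RDATA = b'\x01a\x0croot-servers\x03net\x00'
_RRSIG_RDATA = struct.pack('!HBBIIIH', TYPE_NS, 8, 0, 518400, 0, 0, 0) + b'\x00' + b'\x00' * 16
SIGNED_RESPONSE = _response(0x1234,
                            [_rr(TYPE_NS, CLASS_IN, 518400, _NS_RDATA),
                             _rr(TYPE_RRSIG, CLASS_IN, 518400, _RRSIG_RDATA)],
                            [_rr(TYPE_OPT, EDNS_UDP_SIZE, EDNS_DO, b'')])
UNSIGNED_RESPONSE = _response(0x1234, [_rr(TYPE_NS, CLASS_IN, 518400, _NS_RDATA)], [])

if __name__ == '__main__':
    import sys
    raw = query_forwarder(sys.argv[1]) if len(sys.argv) > 1 else SIGNED_RESPONSE
    print(classify_response(raw) if raw else 'no response')
```

Run with a forwarder address to probe it, or without arguments to classify the constructed signed sample. A response with `edns` false means the forwarder dropped the OPT record; `edns` true but `dnssec` false means EDNS works but signatures are stripped, the BIND "dnssec-enable" case from the post; a `truncated` result should be re-queried over TCP before drawing either conclusion.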