bad things will happen (i.e. external DNS resolution will not work) if configured DNS forwarders are not standard compliant, i.e. EDNS or DNSSEC support is not enabled.

For this reason I'm proposing to add explicit check to IPA installer and possibly even to dnsconfig-mod/dnszone-mod commands so forwarders can be tested before putting them in effect.

This check should detect failures soon and prevent surprises where IPA installs itself but DNS resolution doesn't work for some domains etc.

Please voice your concerns ASAP.

Petr^2 Spacek
import sys

import dns.resolver

def test_forwarder(ip_addr):
    """Test DNS forwarder properties.

     True if forwarder works as expected and supports DNSSEC.
     False if forwarder does not support DNSSEC.
     None if forwarder does not respond.
    res = dns.resolver.Resolver()
    res.nameservers = [ip_addr]

    # enable Authenticated Data + Checking Disabled flags
    res.set_flags(dns.flags.AD | dns.flags.CD)

    # enable EDNS v0 + enable DNSSEC-Ok flag
    res.use_edns(0, dns.flags.DO, 0)

    # DNS root has to be signed
        ans = res.query('.', 'NS')
    except dns.exception.DNSException as e:
        print 'DNS forwarder %s does not work: %s: %s' % (ip_addr,
                type(e).__name__, e)
        return None

        ans.response.find_rrset(ans.response.answer, dns.name.root,
                dns.rdataclass.IN, dns.rdatatype.RRSIG, dns.rdatatype.NS)
    except KeyError:
        print 'DNS forwarder %s does not return DNSSEC signatures in answers.' % ip_addr
        print 'Please fix forwarder configuration to enable DNSSEC support.'
        print '(For BIND 9 add directive "dnssec-enable yes;" to "options {}")'

        print '(debug) Received DNS response:'
        print ans.response
        return False

    return True

print test_forwarder(sys.argv[1])
Freeipa-devel mailing list

Reply via email to