bad things will happen (i.e. external DNS resolution will not work) if configured DNS forwarders are not standard compliant, i.e. EDNS or DNSSEC support is not enabled.

For this reason I'm proposing to add explicit check to IPA installer and possibly even to dnsconfig-mod/dnszone-mod commands so forwarders are be tested before putting them in effect.

This check should detect failures soon and prevent surprises where IPA installs itself but DNS resolution doesn't work for some domains etc.

Instructions for attached patch/script:
# ./dnssec_test.py
-> Will (likely) time-out, print a warning and return None
- This should be a reason to abort installation because forwarder doesn't work at all.

# ./dnssec_test.py
- Result depends on your local resolver.
- In RH's network it will print a scary warning message and return False because internal forwarder doesn't support DNSSEC. - Should be a reason to abort installation. (This could be overridden by --force switch but then "dnssec-validation" option in /etc/named.conf has to be set to "no" otherwise IPA DNS will not work properly.) (I would rather force people to flip the switch in named.conf on forwarder so this could be a hidden option.)

# ./dnssec_test.py
-> Should return True - forwarder works and DNSSEC is supported
- Installation should continue.

Please voice your concerns ASAP.

Petr^2 Spacek
import sys

import dns.resolver

def test_forwarder(ip_addr):
    """Test DNS forwarder properties.

     True if forwarder works as expected and supports DNSSEC.
     False if forwarder does not support DNSSEC.
     None if forwarder does not respond.
    res = dns.resolver.Resolver()
    res.nameservers = [ip_addr]

    # enable Authenticated Data + Checking Disabled flags
    res.set_flags(dns.flags.AD | dns.flags.CD)

    # enable EDNS v0 + enable DNSSEC-Ok flag
    res.use_edns(0, dns.flags.DO, 0)

    # DNS root has to be signed
        ans = res.query('.', 'NS')
    except dns.exception.DNSException as e:
        print 'DNS forwarder %s does not work: %s: %s' % (ip_addr,
                type(e).__name__, e)
        return None

        ans.response.find_rrset(ans.response.answer, dns.name.root,
                dns.rdataclass.IN, dns.rdatatype.RRSIG, dns.rdatatype.NS)
    except KeyError:
        print 'DNS forwarder %s does not return DNSSEC signatures in answers.' % ip_addr
        print 'Please fix forwarder configuration to enable DNSSEC support.'
        print '(For BIND 9 add directive "dnssec-enable yes;" to "options {}")'

        print '(debug) Received DNS response:'
        print ans.response
        return False

    return True

print test_forwarder(sys.argv[1])
Freeipa-devel mailing list

Reply via email to