Hello,

bad things will happen (i.e. external DNS resolution will not work) if configured DNS forwarders are not standards-compliant, i.e. EDNS or DNSSEC support is not enabled.

For this reason I'm proposing to add an explicit check to the IPA installer and possibly even to the dnsconfig-mod/dnszone-mod commands so forwarders are tested before putting them in effect.

This check should detect failures soon and prevent surprises where IPA installs itself but DNS resolution doesn't work for some domains etc.


Instructions for attached patch/script:
# ./dnssec_test.py 127.127.127.127
-> Will (likely) time out, print a warning and return None
- This should be a reason to abort installation because forwarder doesn't work at all.

# ./dnssec_test.py 10.1.2.3
- Result depends on your local resolver.
- In RH's network it will print a scary warning message and return False because the internal forwarder doesn't support DNSSEC.
- Should be a reason to abort installation. (This could be overridden by a --force switch, but then the "dnssec-validation" option in /etc/named.conf has to be set to "no", otherwise IPA DNS will not work properly.)
- (I would rather force people to flip the switch in named.conf on the forwarder, so this could be a hidden option.)

# ./dnssec_test.py 199.7.83.42
-> Should return True - forwarder works and DNSSEC is supported
- Installation should continue.

Please voice your concerns ASAP.

--
Petr^2 Spacek

import sys

import dns.exception
import dns.flags
import dns.name
import dns.rdataclass
import dns.rdatatype
import dns.resolver


def test_forwarder(ip_addr):
    """Test DNS forwarder properties.

    :returns:
     True if forwarder works as expected and supports DNSSEC.
     False if forwarder does not support DNSSEC.
     None if forwarder does not respond.
    """
    res = dns.resolver.Resolver()
    res.nameservers = [ip_addr]

    # enable Authenticated Data + Checking Disabled flags
    res.set_flags(dns.flags.AD | dns.flags.CD)

    # enable EDNS v0 + enable DNSSEC-Ok flag; advertise a 4096-byte UDP
    # buffer so signed answers are not needlessly truncated
    res.use_edns(0, dns.flags.DO, 4096)

    # DNS root has to be signed, so a correct forwarder must return an
    # RRSIG covering the root NS RRset
    try:
        ans = res.query('.', 'NS')
    except dns.exception.DNSException as e:
        print('DNS forwarder %s does not work: %s: %s' % (ip_addr,
              type(e).__name__, e))
        return None

    try:
        ans.response.find_rrset(ans.response.answer, dns.name.root,
                                dns.rdataclass.IN, dns.rdatatype.RRSIG,
                                dns.rdatatype.NS)
    except KeyError:
        print('DNS forwarder %s does not return DNSSEC signatures in answers.' % ip_addr)
        print('Please fix forwarder configuration to enable DNSSEC support.')
        print('(For BIND 9 add directive "dnssec-enable yes;" to "options {}")')

        print('(debug) Received DNS response:')
        print(ans.response)
        return False

    return True


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: %s <forwarder IP address>' % sys.argv[0])
    print(test_forwarder(sys.argv[1]))
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel