Patch attached. https://fedorahosted.org/freeipa/ticket/5421
From 5e1ff605e30e0b72bf43d90cd72397ba08e68bd3 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in detection of A/AAAA records
Python dns resolver append configured domain to queries which may lead to false positive answer. Exmaple: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com" https://fedorahosted.org/freeipa/ticket/5421
---
 ipapython/ipautil.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..f04e1a87a8d93486852c5733d97b6ed49c7a7cd7 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -911,6 +911,8 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702

 def is_host_resolvable(fqdn):
+ if not fqdn.endswith("."):
+ fqdn = fqdn + "."
 for rdtype in (rdatatype.A, rdatatype.AAAA):
 try:
 resolver.query(fqdn, rdtype)
-- 2.4.3
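Review bot: The two lines added at the top of is_host_resolvable have no comment saying why the name is made absolute, so a later cleanup could remove them as redundant and bring back the false-positive lookup under the configured search domain. I would put `# Make the name absolute so the resolver does not append the configured search domain (ticket 5421)` directly above the `if`. An empty `fqdn` now becomes `"."`, the root name, and is then queried; if callers can pass an empty value, an early `if not fqdn: return False` would make that case explicit, assuming the function returns a boolean as its name suggests. The function body continues past the end of the hunk, so the exception handling around `resolver.query` is not visible here.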