Hello,

DNS: Warn if forwarding policy conflicts with automatic empty zones

Forwarding policy "first" or "none" may conflict with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.

Currently this is neither detected nor warned about. Global forwarding is equivalent
to forward zone ".".

Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.

https://fedorahosted.org/freeipa/ticket/5710


This is last patch in the series so the ticket can be closed when all relevant
patches are pushed.

-- 
Petr^2 Spacek
From e0d66e59f1abaf15001903c9341c217f050abf76 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 4 May 2016 10:30:18 +0200
Subject: [PATCH] DNS: Warn if forwarding policy conflicts with automatic empty
 zones

Forwarding policy "first" or "none" may conflict with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.

This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".

Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.

https://fedorahosted.org/freeipa/ticket/5710
---
 ipalib/messages.py    | 17 +++++++++++++++++
 ipalib/plugins/dns.py | 26 ++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index c37cceb3fce677c2ad55cfb81fb47c0bafefc8ea..dc5f9a3ab94c6fa3e6bbe16022fa5c9e1cb0112f 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -371,6 +371,23 @@ class FailedToRemoveHostDNSRecords(PublicMessage):
                "(%(reason)s)")
 
 
+class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
+    """
+    **13021** Forward zone 1.10.in-addr.arpa with policy "first"
+    will not forward anything because BIND automatically prefers
+    empty zone "10.in-addr.arpa.".
+    """
+
+    errno = 13021
+    type = "warning"
+    format = _(
+        "Forwarding policy conflicts with some automatic empty zones. "
+        "Queries for zones specified by RFC 6303 will ignore "
+        "forwarding and recursion and always result in NXDOMAIN answers. "
+        "To override this behavior use forward policy 'only'."
+    )
+
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """
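Review bot: The warning text on lines 67-70 never names the zone it applies to, so an administrator with several forward zones cannot tell from the message which one conflicts with an automatic empty zone. `PublicMessage.format` already supports substitution (the `%(reason)s` placeholder in the context line 54 of this hunk), so I would phrase it as `"Forwarding policy of zone '%(fwzone)s' conflicts with some automatic empty zones. "` and have the caller instantiate the message with `fwzone=...`. The docstring example is useful; it could additionally say that the same warning is raised for global forwarders, which are treated as zone ".", so that readers of messages.py know why the message is not tied to one command.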
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index d352fbddcff955d1b96fb561d456a93a8c8198e5..0e6b841a06e030ea4242c9392908c6655b021c2b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -66,6 +66,7 @@ from ipalib.util import (normalize_zonemgr,
 from ipapython.dn import DN
 from ipapython.ipautil import CheckedIPAddress, check_zone_overlap
 from ipapython.dnsutil import DNSName
+from ipapython.dnsutil import related_to_auto_empty_zone
 
 if six.PY3:
     unicode = str
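Review bot: The added import on line 85 pulls a second name from a module that the previous line already imports; a single statement `from ipapython.dnsutil import DNSName, related_to_auto_empty_zone` keeps the import block in the one-statement-per-module shape its neighbours use. This is cosmetic only and does not change behaviour.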
@@ -1996,6 +1997,20 @@ def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
         )
 
 
+def _add_warning_fw_policy_conflict_aez(result, fwzone, **options):
+    """Warn if forwarding policy conflicts with an automatic empty zone."""
+    fwd_policy = result['result'].get(u'idnsforwardpolicy',
+                                      dnsforwardzone.default_forward_policy)
+    if (
+        fwd_policy != [u'only']
+        and related_to_auto_empty_zone(DNSName(fwzone))
+    ):
+        messages.add_message(
+            options['version'], result,
+            messages.DNSForwardPolicyConflictWithEmptyZone()
+        )
+
+
 class DNSZoneBase(LDAPObject):
     """
     Base class for DNS Zone
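Review bot: The comparison `fwd_policy != [u'only']` on line 98 assumes that both the attribute value from `result['result']` and the fallback `dnsforwardzone.default_forward_policy` are single-item lists; if the default is a plain unicode string the inequality is always true and the warning fires for every entry whose result omits `idnsforwardpolicy`, including zones that actually use policy "only". I cannot see the default's definition from this hunk, so please confirm, or normalise first with `if isinstance(fwd_policy, (list, tuple)): fwd_policy = fwd_policy[0]` and compare against `u'only'`. Line 102 also indexes `options['version']` directly, whereas the sibling helper in the hunk header, `_add_warning_fw_zone_is_not_effective(api, result, fwzone, version)`, receives the version explicitly; a missing key would raise `KeyError` from inside a warning helper rather than skip the warning. The docstring should state that `result` is mutated in place (a message is appended) and that `fwzone` may be anything `DNSName()` accepts.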
@@ -4389,7 +4404,13 @@ class dnsconfig_mod(LDAPUpdate):
         result = super(dnsconfig_mod, self).execute(*keys, **options)
         self.obj.postprocess_result(result, show_version=False)
 
+        # this check makes sense only when resulting forwarders are non-empty
+        if result['result'].get('idnsforwarders'):
+            fwzone = DNSName('.')
+            _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
+
         if forwarders:
+            # forwarders were changed
             for forwarder in forwarders:
                 try:
                     validate_dnssec_global_forwarder(forwarder, log=self.log)
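Review bot: The comment on line 114 states that the check only makes sense with non-empty forwarders but not why the post-update `result['result']` is consulted instead of the `forwarders` local that the `if forwarders:` branch on line 119 uses. If, as it appears, `result` reflects the merged configuration after the update while `forwarders` holds only what this call changed, say so: `# check the effective (post-update) forwarders, not just the ones changed here`. `dnsconfig_mod.execute` starts and ends outside this hunk.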
@@ -4533,6 +4554,7 @@ class dnsforwardzone(DNSZoneBase):
                 )
             )
 
+
 @register()
 class dnsforwardzone_add(DNSZoneBase_add):
     __doc__ = _('Create new DNS forward zone.')
@@ -4563,8 +4585,10 @@ class dnsforwardzone_add(DNSZoneBase_add):
         return dn
 
     def execute(self, *keys, **options):
+        fwzone = keys[-1]
         result = super(dnsforwardzone_add, self).execute(*keys, **options)
         self.obj._warning_fw_zone_is_not_effective(result, *keys, **options)
+        _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
         if options.get('idnsforwarders'):
             self.obj._warning_if_forwarders_do_not_work(
                 result, True, *keys, **options)
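Review bot: `fwzone = keys[-1]` on line 136 (and again on line 147 in `dnsforwardzone_mod.execute`) introduces a local only to hand the last key to the new helper, while the neighbouring call `self.obj._warning_fw_zone_is_not_effective(result, *keys, **options)` passes the keys through unchanged. Giving `_add_warning_fw_policy_conflict_aez` the same `(result, *keys, **options)` shape and taking `keys[-1]` inside it would keep the two warning helpers parallel and remove both locals. Both `execute` methods continue past their hunks.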
@@ -4620,7 +4644,9 @@ class dnsforwardzone_mod(DNSZoneBase_mod):
         return dn
 
     def execute(self, *keys, **options):
+        fwzone = keys[-1]
         result = super(dnsforwardzone_mod, self).execute(*keys, **options)
+        _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
         if options.get('idnsforwarders'):
             self.obj._warning_if_forwarders_do_not_work(result, False, *keys,
                                                         **options)
-- 
2.5.5
