On 9.5.2016 16:25, Petr Spacek wrote:
> Hello,
> 
> the following patch should address most of the misleading warnings produced by the
> new code handling empty zones.
> 
> If it is okay I will release version 9.0 with it.
> 
> Please review it ASAP. Thank you very much!

... and here are patches :-)

-- 
Petr^2 Spacek
From 058810cfb88aca05dfdaee59760c715377b2d7d7 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 9 May 2016 15:35:37 +0200
Subject: [PATCH] Do not log warning about empty zones which are already
 disabled or unloaded.

https://fedorahosted.org/bind-dyndb-ldap/ticket/160
---
 src/empty_zones.c | 39 ++++++++++++++++++++++++++++++++++++---
 src/empty_zones.h |  9 ++++++++-
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/src/empty_zones.c b/src/empty_zones.c
index 3d5f0329599d170c4d79bc821737fd1f282b6664..fe3a4b93a655f65c4de727fd2936b7cb4a6aa72f 100644
--- a/src/empty_zones.c
+++ b/src/empty_zones.c
@@ -6,6 +6,7 @@
 
 #include <dns/name.h>
 #include <dns/zone.h>
+#include <dns/zt.h>
 
 #include "empty_zones.h"
 #include "util.h"
@@ -151,6 +152,8 @@ empty_zone_search_next(empty_zone_search_t *iter) {
 	isc_buffer_t buffer;
 	int order;
 	unsigned int nlabels;
+	dns_zone_t *zone = NULL;
+	isc_boolean_t isempty;
 
 	REQUIRE(iter != NULL);
 	REQUIRE(iter->nextidx < sizeof(empty_zones));
@@ -174,6 +177,20 @@ empty_zone_search_next(empty_zone_search_t *iter) {
 			/* empty zone and domain in question are not related */
 			continue;
 		} else {
+			/* verify if the zone exists and is empty */
+			result = dns_zt_find(iter->zonetable, &iter->ezname,
+					     0, NULL, &zone);
+			if (result == ISC_R_SUCCESS)
+				isempty = zone_isempty(zone);
+			else if (result == DNS_R_PARTIALMATCH
+				 || result == ISC_R_NOTFOUND)
+				isempty = ISC_FALSE;
+			else
+				goto cleanup;
+			if (zone != NULL)
+				dns_zone_detach(&zone);
+			if (isempty == ISC_FALSE)
+				continue;
 			++iter->nextidx;
 			CLEANUP_WITH(ISC_R_SUCCESS);
 		}
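Review bot: After the new `if (isempty == ISC_FALSE) continue;` skip, `result` still holds the status of the last `dns_zt_find()` call, which is ISC_R_SUCCESS whenever the zone exists and `zone_isempty()` returns ISC_FALSE; should the loop then run out of entries and the code after the loop (outside the hunk) not overwrite `result` before `cleanup:`, the function would return success without a match and the caller's `for` loop would act on a stale ezname. Please confirm the post-loop code forces ISC_R_NOTFOUND, or reset it on the skip path, `result = ISC_R_NOTFOUND; continue;`. The comment `/* verify if the zone exists and is empty */` would be more useful as `/* skip automatic empty zones that are no longer loaded (e.g. unloaded by an earlier conflict) or that were replaced by a user-defined zone of the same name; only zones that are still empty are reported */`, which is the behaviour the commit message describes. The enclosing loop and the function continue outside the hunk.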
@@ -185,19 +202,32 @@ cleanup:
 	return result;
 };
 
+/**
+ * Invalidate iterator and detach its internal pointers.
+ */
+void
+empty_zone_search_stop(empty_zone_search_t *iter) {
+	REQUIRE(iter != NULL);
+
+	if (iter->zonetable)
+		dns_zt_detach(&iter->zonetable);
+}
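Review bot: The doc comment `Invalidate iterator and detach its internal pointers.` overstates what the function does: it only detaches `iter->zonetable`, while `nextidx`, the buffered names and `namerel` are untouched, so a later `empty_zone_search_next()` would hand a NULL zone table to `dns_zt_find()`. I'd word it as `/** Detach the zone table attached by empty_zone_search_init(). Safe to call repeatedly (the pointer is reset to NULL); iter must not be passed to empty_zone_search_next() afterwards. */`. The `if (iter->zonetable)` guard is only meaningful if callers have `zonetable` set to NULL before the first init, which the header does not currently require anywhere.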
 
 /**
  * Start search for qname among automatic empty zones.
+ * The search must be finished by calling empty_zone_search_stop().
  *
  * @param[in]  qname  Name to compare with list of automatic empty zones.
+ * @param[in]  ztable Zone table for affected view.
  * @param[out] iter   Intermediate state which must be passed to subsequent
  * 		      empty_zone_search_next() call. At the same time,
  * 		      the structure contains name of first matching
  * 		      automatic empty zone and relation between names.
  * @returns @see empty_zone_search_next
  */
 isc_result_t
-empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname) {
+empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
+                       dns_zt_t *ztable) {
 	isc_result_t result;
 
 	REQUIRE(iter != NULL);
@@ -210,7 +240,9 @@ empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname) {
 	iter->nextidx = 0;
 	iter->namerel = dns_namereln_none;
 
-	CHECK(empty_zone_search_next(iter));
+	dns_zt_attach(ztable, &iter->zonetable);
+
+	return empty_zone_search_next(iter);
 
 cleanup:
 	return result;
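Review bot: `dns_zt_attach(ztable, &iter->zonetable)` expects `*ztp == NULL` (BIND's implementation REQUIREs it, if I read the sources correctly), but nothing in this hunk resets `iter->zonetable` the way `nextidx` and `namerel` are reset two lines above; since `eziter` in empty_zone_handle_conflicts is a local whose initialiser is outside the hunk, the field may hold stack garbage on the first call. Add `iter->zonetable = NULL;` next to the other field resets — ideally before any early `goto cleanup` at the top of the function, which lies outside the hunk — so that both the attach precondition and the unconditional `empty_zone_search_stop(&eziter)` added at the caller's `cleanup:` label (last hunk of this file) are safe even when init fails early. With `return empty_zone_search_next(iter);` a failing first search now leaves the zone table attached, which is only correct because every caller must call empty_zone_search_stop() regardless of the init result; the doc comment above should say so explicitly, e.g. `... must be finished by calling empty_zone_search_stop(), even when this function returns an error.`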
@@ -275,7 +307,7 @@ empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
 	char name_char[DNS_NAME_FORMATSIZE];
 	char ezname_char[DNS_NAME_FORMATSIZE];
 
-	for (result = empty_zone_search_init(&eziter, name);
+	for (result = empty_zone_search_init(&eziter, name, zonetable);
 	     result == ISC_R_SUCCESS;
 	     result = empty_zone_search_next(&eziter))
 	{
@@ -309,6 +341,7 @@ empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
 		result = ISC_R_SUCCESS;
 
 cleanup:
+	empty_zone_search_stop(&eziter);
 	return result;
 }
 
diff --git a/src/empty_zones.h b/src/empty_zones.h
index 513f95d87c97d5db975d8686d48c7efecf3a0c16..27129427c1c17b72c2c6e0268352a18480f4ec8e 100644
--- a/src/empty_zones.h
+++ b/src/empty_zones.h
@@ -1,21 +1,28 @@
 #include <isc/event.h>
 
+#include <dns/types.h>
+
 #include "util.h"
 
 extern const char *empty_zones[];
 
 typedef struct empty_zone_search {
 	DECLARE_BUFFERED_NAME(qname);
 	DECLARE_BUFFERED_NAME(ezname);
 	unsigned int nextidx;
 	dns_namereln_t namerel;
+	dns_zt_t *zonetable;
 } empty_zone_search_t;
 
 isc_result_t
 empty_zone_search_next(empty_zone_search_t *iter) ATTR_NONNULLS ATTR_CHECKRESULT;
 
+void
+empty_zone_search_stop(empty_zone_search_t *iter) ATTR_NONNULLS;
+
 isc_result_t
-empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname) ATTR_NONNULLS ATTR_CHECKRESULT;
+empty_zone_search_init(empty_zone_search_t *iter, dns_name_t *qname,
+		       dns_zt_t *ztable) ATTR_NONNULLS ATTR_CHECKRESULT;
 
 isc_result_t
 empty_zone_handle_conflicts(dns_name_t *name, dns_zt_t *zonetable,
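Review bot: The new `zonetable` member is the only pointer in `empty_zone_search_t` that the search functions attach and detach, yet the header says nothing about who owns it or that it must be NULL before `empty_zone_search_init()`. I'd add `dns_zt_t *zonetable; /* attached by empty_zone_search_init(), released by empty_zone_search_stop(); must be NULL before init */` and give the new `empty_zone_search_stop()` prototype a one-line doc comment, since the prototypes in this header are otherwise documented only in the .c file. The `empty_zone_handle_conflicts` prototype continues outside the hunk.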
-- 
2.5.5

From 87f01b88377427053d29375a142b8dbcb1a9a122 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 9 May 2016 16:13:54 +0200
Subject: [PATCH] Document new empty zone handling mechanism.

https://fedorahosted.org/bind-dyndb-ldap/ticket/160
---
 README | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/README b/README
index 72505b42fb622b3582bbbba26c922462a0ded003..5e5561dfb0d3e8727b2f9a241703e3584bdfaf4c 100644
--- a/README
+++ b/README
@@ -211,6 +211,18 @@ Attributes:
 	Absolute name of DNS zone. It is recommended to use names with trailing
 	period, e.g. "example.com."
 
+Forward zones may conflict with automatic empty zones (defined in RFC 6303)
+because empty zones are authoritative and thus have higher priority
+than forwarding.
+Bind-dyndb-ldap will automatically unload empty zones which are super/sub
+domains of a forward zones if the forwarding policy is "only".
+A warning will be issued (and zone not unloaded) if the policy is "first"
+because this policy does not guarantee that queries will not leak to
+the public Internet.
+
+Unloaded empty zones will not be loaded back even if the forward zone is later
+deleted. The empty zones will be loaded on each BIND reload.
+
 
 5. Configuration
 ================
-- 
2.5.5

From cec465f9b44ea923b06f5545eeaeffd6fe43beb5 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 9 May 2016 16:20:56 +0200
Subject: [PATCH] Update NEWS for upcoming 9.0 release.

---
 NEWS | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index 86b621620e4809f746a0d731847b4633569ec767..160045bfc072e3560f20c6013b739998eb7c067a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,12 @@
+9.0
+====
+[1] Automatic empty zones conflicting with forward zones with policy 'only'
+    are now automatically unloaded. Warning is issued if the conflicting
+    forward zone has policy 'first' but the zone is not unloaded.
+    Conflict occurs if empty zone and forward zone are super/sub/equal domains.
+!!! This changes semantics of data in LDAP.
+!!! Users have to upgrade their data manually.
+
 8.0
 ====
 [1] Unknown record types can be stored in LDAP using generic syntax (RFC 3597).
-- 
2.5.5

From 2078b12ddeb171f21a948e4d1bab4fec56f6087d Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 9 May 2016 16:21:11 +0200
Subject: [PATCH] Bump NVR to 9.0.

---
 configure.ac                 | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 48f5cb63c3bb5535fe1da56abe7583e15d4b5f92..7ce8e306c76cafc92ba970e63aa40f901776381a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [8.0], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [9.0], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 97adc5e56cb61693bb018d1162d0e6b15314ce23..ea860aabd7f40f7d4e36db2edabfa4289de2e6b1 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:           bind-dyndb-ldap
-Version:        8.0
+Version:        9.0
 Release:        0%{?dist}
 Summary:        LDAP back-end plug-in for BIND
 
-- 
2.5.5
