Re: [Freeipa-devel] [PATCH 0147] Improve error logging for zones with idnsAllowDynUpdate == FALSE.

2013-05-13 Thread Petr Spacek

On 9.5.2013 10:35, Tomas Hozza wrote:

On 04/16/2013 12:44 PM, Petr Spacek wrote:

Hello,

Improve error logging for zones with idnsAllowDynUpdate == FALSE.

Zones with dynamic updates disabled are re-configured with empty
update policy string, so the update is refused by BIND and
an error is logged.



ACK.

The patch looks reasonable. (I didn't do a functional test.)


Pushed to master: 88a472349aec5216467aa1e30a35b8689b1cd439

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0147] Improve error logging for zones with idnsAllowDynUpdate == FALSE.

2013-05-09 Thread Tomas Hozza
On 04/16/2013 12:44 PM, Petr Spacek wrote:
Hello,

Improve error logging for zones with idnsAllowDynUpdate == FALSE.

Zones with dynamic updates disabled are re-configured with empty
update policy string, so the update is refused by BIND and
an error is logged.


ACK.

The patch looks reasonable. (I didn't do a functional test.)


Regards,

Tomas Hozza



Re: [Freeipa-devel] [PATCH 0147] Improve error logging for zones with idnsAllowDynUpdate == FALSE.

2013-05-06 Thread Tomas Babej

On 04/16/2013 12:44 PM, Petr Spacek wrote:

Hello,

Improve error logging for zones with idnsAllowDynUpdate == FALSE.

Zones with dynamic updates disabled are re-configured with empty
update policy string, so the update is refused by BIND and
an error is logged.





ACK, works fine.

Tomas


[Freeipa-devel] [PATCH 0147] Improve error logging for zones with idnsAllowDynUpdate == FALSE.

2013-04-16 Thread Petr Spacek

Hello,

Improve error logging for zones with idnsAllowDynUpdate == FALSE.

Zones with dynamic updates disabled are re-configured with empty
update policy string, so the update is refused by BIND and
an error is logged.

--
Petr Spacek
From 88a472349aec5216467aa1e30a35b8689b1cd439 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 16 Apr 2013 10:49:11 +0200
Subject: [PATCH] Improve error logging for zones with idnsAllowDynUpdate ==
 FALSE.

Zones with dynamic updates disabled are re-configured with empty
update policy string, so the update is refused by BIND and
an error is logged.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 48 ++--
 src/settings.c|  7 +++
 2 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 70833b2e25ef15f89a9e5ffc4ec776ebbade1d86..d6061f247db625326ce09e75b1c7ca5c1f259ba5 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1242,6 +1242,7 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
 	isc_boolean_t unlock = ISC_FALSE;
 	isc_boolean_t publish = ISC_FALSE;
 	isc_boolean_t published = ISC_FALSE;
+	isc_boolean_t ssu_changed;
 	isc_task_t *task = inst-task;
 	isc_uint32_t ldap_serial;
 	isc_uint32_t zr_serial;	/* SOA serial value from in-memory zone register */
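Review bot: `ssu_changed` is declared without an initializer at the top of this hunk while every neighbouring flag (`unlock`, `publish`, `published`) is initialised to ISC_FALSE; initialise it the same way, `isc_boolean_t ssu_changed = ISC_FALSE;`, so that any `goto cleanup` or read added later between the declaration and the assignment in ldap_parse_master_zoneentry cannot observe an indeterminate value.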
@@ -1311,25 +1312,35 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
    idnsAllowDynUpdate, entry, inst-task);
 	if (result != ISC_R_SUCCESS  result != ISC_R_IGNORE)
 		goto cleanup;
+	ssu_changed = (result == ISC_R_SUCCESS);
 
 	result = setting_update_from_ldap_entry(sync_ptr, zone_settings,
    idnsAllowSyncPTR, entry, inst-task);
 	if (result != ISC_R_SUCCESS  result != ISC_R_IGNORE)
 		goto cleanup;
 
-	log_debug(2, Setting SSU table for %p: %s, zone, dn);
-	/* Get the update policy and update the zone with it. */
-	result = ldap_entry_getvalues(entry, idnsUpdatePolicy, values);
-	if (result == ISC_R_SUCCESS)
-		CHECK(configure_zone_ssutable(zone, HEAD(values)-value));
-	else
-		/* We need to declare zone as 'dynamic'
-		 * for dns_zone_isdynamic() to prevent unwanted
-		 * zone_postload() calls and warnings about serial and so on.
-		 *
-		 * Created SSU table contains no rules =
-		 * dns_ssutable_checkrules() will return deny. */
-		CHECK(configure_zone_ssutable(zone, ));
+	result = setting_update_from_ldap_entry(update_policy, zone_settings,
+   idnsUpdatePolicy, entry, inst-task);
+	if (result != ISC_R_SUCCESS  result != ISC_R_IGNORE)
+		goto cleanup;
+
+	if (result == ISC_R_SUCCESS || ssu_changed) {
+		isc_boolean_t ssu_enabled;
+		const char *ssu_policy = NULL;
+
+		log_debug(2, Setting SSU table for %p: %s, zone, dn);
+		CHECK(setting_get_bool(dyn_update, zone_settings, ssu_enabled));
+		if (ssu_enabled) {
+			/* Get the update policy and update the zone with it. */
+			CHECK(setting_get_str(update_policy, zone_settings,
+	  ssu_policy));
+			CHECK(configure_zone_ssutable(zone, ssu_policy));
+		} else {
+			/* Empty policy will prevent the update from reaching
+			 * LDAP driver and error will be logged. */
+			CHECK(configure_zone_ssutable(zone, ));
+		}
+	}
 
 	/* Fetch allow-query and allow-transfer ACLs */
 	log_debug(2, Setting allow-query for %p: %s, zone, dn);
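Review bot: the condition `if (result == ISC_R_SUCCESS || ssu_changed)` reuses `result` from the idnsUpdatePolicy call, so a reader has to work out that `result == ISC_R_SUCCESS` here means "policy changed" rather than "no error"; a second flag such as `policy_changed = (result == ISC_R_SUCCESS);` next to `ssu_changed` would make the two-trigger rule explicit. The else-branch comment, `Empty policy will prevent the update from reaching LDAP driver and error will be logged`, should also say who logs that error: per the commit message the empty SSU table is enforced by BIND before modify_ldap_common is ever called, so the log_error added further down in this patch only fires if an update does reach the driver, and stating that in the comment documents why both exist.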
@@ -2869,13 +2880,6 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 		CLEANUP_WITH(DNS_R_NOTAUTH);
 	}
 
-	CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
-	if (!zone_dyn_update) {
-		log_debug(3, dynamic update is not allowed in zone '%s',
-			  zone_dn);
-		CLEANUP_WITH(DNS_R_REFUSED);
-	}
-
 	if (rdlist-type == dns_rdatatype_soa  mod_op == LDAP_MOD_DELETE)
 		CLEANUP_WITH(ISC_R_SUCCESS);
 
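Review bot: removing the early dyn_update refusal means the SOA/LDAP_MOD_DELETE short-circuit that immediately follows, `CLEANUP_WITH(ISC_R_SUCCESS)`, now returns success for a zone with dynamic updates disabled without ever reaching the remaining dyn_update check at `@@ -2991`; that is only safe because the empty SSU table configured in ldap_parse_master_zoneentry keeps such updates from reaching modify_ldap_common at all, so add a one-line comment here recording that the check is delegated to BIND's SSU enforcement and that the later check is the fallback.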
@@ -2991,8 +2995,8 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
 
 		CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
 		if (!zone_dyn_update) {
-			log_debug(3, dynamic update is not allowed in zone 
- '%s', zone_dn);
+			log_error(dynamic update is not allowed in zone 
+  '%s', zone_dn);
 			CLEANUP_WITH(ISC_R_NOPERM);
 		}
 
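Review bot: promoting this message to log_error is the right level now that it is the driver's only dyn_update refusal, but the line should carry enough to act on: modify_ldap_common receives `owner`, so log the owner name alongside `zone_dn`, otherwise an operator sees which zone rejected an update but not which record was targeted. Separately, this path returns ISC_R_NOPERM while the check deleted at `@@ -2869` returned DNS_R_REFUSED; if the driver's result is mapped to the RCODE the client sees, decide which of the two is intended and say so in the commit message.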
diff --git a/src/settings.c b/src/settings.c
index 8ced5fe9bff4beb70e8a6f5e8880aa34eae7c045..1f718d82788ed307dd0ecdb43570d7ce32395941 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -67,6 +67,13 @@ static const setting_t settings_default[] = {
 	{ ldap_hostname,		default_string()		},
 	{ sync_ptr,			default_boolean(ISC_FALSE)	},
 	{ dyn_update,			default_boolean(ISC_FALSE)	},
+	/* Empty string as default update_policy declares zone as 'dynamic'
+	 * for dns_zone_isdynamic() to prevent unwanted
+	 * zone_postload() calls and warnings about serial and so on.
+	 *
+	 * SSU table defined by empty string contains no rules =
+	 * dns_ssutable_checkrules() will return deny. */
+	{ update_policy,		default_string()		},
 	{ serial_autoincrement,	default_boolean(ISC_FALSE)	},
 	{ verbose_checks,
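Review bot: the comment above `{ update_policy, default_string() }` explains the BIND-side reason for an empty default but not the policy consequence, which is the part an administrator needs: with dyn_update defaulting to ISC_FALSE and update_policy defaulting to an empty string, a zone that sets idnsAllowDynUpdate TRUE without an idnsUpdatePolicy gets an SSU table with no rules and therefore denies every update. Adding that sentence (deny by default unless idnsUpdatePolicy is set) to the comment, and the same to the commit message, documents the behaviour the logging change in ldap_helper.c depends on.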