Re: [Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute

2014-11-03 Thread Petr Spacek

On 17.6.2014 16:41, Tomas Hozza wrote:

- Original Message -

>Hello,
>
>This patch set allows you to change DNSSEC zone configuration at run-time.
>
>--
>Petr^2  Spacek
>

Looks good.

ACK.


This is a delayed push notice:
5cede8e6f666aeec48aa47ba18a143f2037216f8

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute

2014-06-17 Thread Tomas Hozza
- Original Message -
> Hello,
> 
> This patch set allows you to change DNSSEC zone configuration at run-time.
> 
> --
> Petr^2 Spacek
> 

Looks good.

ACK.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com



[Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute

2014-06-04 Thread Petr Spacek

Hello,

This patch set allows you to change DNSSEC zone configuration at run-time.

--
Petr^2 Spacek
From 080f922b0920105def25f19c28da1d448406ccce Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 4 Jun 2014 21:25:15 +0200
Subject: [PATCH] Delete old database & journal files during zone loading.

This prevents inline-signed zones from failing to receive updates from
LDAP mysteriously.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 17 -
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 2eb9c4d63d05486799b90ce4d23cf3fb26c6ca17..3a0ac6ddea237fcd74c146bad7400b516422ff27 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -782,12 +782,14 @@ delete_bind_zone(dns_zt_t *zt, dns_zone_t **zonep) {
 	return result;
 }
 
-isc_result_t
+static isc_result_t ATTR_NONNULLS
 cleanup_zone_files(dns_zone_t *zone) {
 	isc_result_t result;
 	isc_boolean_t failure = ISC_FALSE;
 	const char *filename = NULL;
 	dns_zone_t *raw = NULL;
+	int namelen;
+	char bck_filename[PATH_MAX];
 
 	dns_zone_getraw(zone, &raw);
 	if (raw != NULL) {
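Review bot: The new `char bck_filename[PATH_MAX];` declaration depends on `PATH_MAX` being visible in this translation unit, which requires `<limits.h>`; the include block is outside the hunk, so I cannot confirm it is there. `PATH_MAX` is also optional in POSIX and not defined on every platform, so a guard near the includes, `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif`, would keep the build portable. The body of cleanup_zone_files continues in the next hunk.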
@@ -804,6 +806,17 @@ cleanup_zone_files(dns_zone_t *zone) {
 	result = fs_file_remove(filename);
 	failure = failure || (result != ISC_R_SUCCESS);
 
+	/* Taken from dns_journal_open() from bind-9.9.4-P2:
+	 * Journal backup file name ends with ".jbk" instead of ".jnl". */
+	namelen = strlen(filename);
+	if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0)
+		namelen -= 4;
+	CHECK(isc_string_printf(bck_filename, sizeof(bck_filename),
+"%.*s.jbk", namelen, filename));
+	CHECK(fs_file_remove(bck_filename));
+
+cleanup:
+	failure = failure || (result != ISC_R_SUCCESS);
 	if (failure == ISC_TRUE)
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			 "unable to remove files, expect problems");
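Review bot: `namelen = strlen(filename);` stores a `size_t` in an `int` with no range check; the `int` is needed for the `%.*s` precision, but an explicit `namelen = (int)strlen(filename);` documents the intent and keeps `-Wconversion` quiet, and `filename` must be known non-NULL at this point (it is obtained above this hunk, so the diff does not show that). The `.jbk` suffix is, as the comment itself says, a convention copied from one BIND release; extending the comment with `/* NOTE: re-verify this suffix whenever the BIND baseline changes; a mismatch silently leaves a stale backup journal behind */` would stop the removal behaviour drifting unnoticed. After `cleanup:` the two new CHECK() exits are only folded into the `failure` flag and logged; whether the caller ever sees the specific `result` is decided by the return statement, which lies outside this hunk.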
@@ -946,6 +959,7 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 
 	if (want_secure == ISC_FALSE) {
 		CHECK(dns_zonemgr_managezone(inst->zmgr, raw));
+		CHECK(cleanup_zone_files(raw));
 	} else {
 		CHECK(dns_zone_create(&secure, inst->mctx));
 		CHECK(dns_zone_setorigin(secure, name));
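Review bot: `CHECK(cleanup_zone_files(raw));` here, and `CHECK(cleanup_zone_files(secure));` in the next hunk, now delete the on-disk database and journal files of every zone at creation time, so the persisted zone state becomes disposable; if `fs_file_remove()` does not already log what it removes, an INFO-level `dns_zone_log()` naming the deleted files would let operators correlate an unexpected full resync with this code path. For the raw zone the call sits directly after `dns_zonemgr_managezone()`, whereas for the secure zone it follows `configure_paths()`; if the raw zone's file paths are configured earlier (outside this hunk) that is fine, otherwise `cleanup_zone_files()` would run against unset file names. create_zone continues beyond the hunk in both cases.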
@@ -957,6 +971,7 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 		CHECK(dns_zone_link(secure, raw));
 		dns_zone_rekey(secure, ISC_TRUE);
 		CHECK(configure_paths(inst->mctx, inst, secure, ISC_TRUE));
+		CHECK(cleanup_zone_files(secure));
 	}
 
 	sync_state_get(inst->sctx, &sync_state);
-- 
1.9.3

From d89284fc0aafe001e5ce1599d04dac62f48ad108 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 4 Jun 2014 22:39:46 +0200
Subject: [PATCH] Support run-time changes in idnsSecInlineSigning attribute.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c   | 92 +
 src/zone_register.c | 24 --
 src/zone_register.h |  7 ++--
 3 files changed, 91 insertions(+), 32 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 3a0ac6ddea237fcd74c146bad7400b516422ff27..deda6955a215441a40857d78273fb8042275385e 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -293,6 +293,11 @@ static isc_result_t parse_rdata(isc_mem_t *mctx, ldap_entry_t *entry,
 		dns_name_t *origin, const char *rdata_text,
 		dns_rdata_t **rdatap) ATTR_NONNULLS ATTR_CHECKRESULT;
 static isc_result_t
+ldap_parse_master_zoneentry(ldap_entry_t * const entry, dns_db_t * const olddb,
+			ldap_instance_t *const inst,
+			isc_task_t *const task)
+			ATTR_NONNULL(1,3,4) ATTR_CHECKRESULT;
+static isc_result_t
 ldap_parse_rrentry(isc_mem_t *mctx, ldap_entry_t *entry, dns_name_t *origin,
 		   const char *fake_mname, ldapdb_rdatalist_t *rdatalist) ATTR_NONNULLS ATTR_CHECKRESULT;
 
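Review bot: `ATTR_NONNULL(1,3,4)` deliberately exempts `olddb` from the non-NULL requirement, so callers may pass NULL, but the prototype does not say under which condition that is expected; a one-line comment on the declaration stating when `olddb` is NULL would make the contract visible without reading the definition, which is not part of this hunk. The other three parameters are now contractually non-NULL, so any caller passing an unset `inst` or `task` becomes undefined behaviour rather than a runtime error.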
@@ -926,8 +931,9 @@ cleanup:
  */
 static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
 create_zone(ldap_instance_t * const inst, const char * const dn,
-	dns_name_t * const name, const isc_boolean_t want_secure,
-	dns_zone_t ** const rawp, dns_zone_t ** const securep)
+	dns_name_t * const name, dns_db_t * const ldapdb,
+	const isc_boolean_t want_secure, dns_zone_t ** const rawp,
+	dns_zone_t ** const securep)
 {
 	isc_result_t result;
 	dns_zone_t *raw = NULL;
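Review bot: The new `dns_db_t * const ldapdb` parameter is not described in the doc comment that closes on the ` */` line at the top of this hunk; add a line such as `ldapdb: LDAP-backed database passed on to zr_add_zone(); must not be NULL`. Because create_zone carries ATTR_NONNULLS, the non-NULL requirement now also covers `ldapdb`, which is worth stating explicitly for callers. The function body continues outside the hunk.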
@@ -987,7 +993,7 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
 		}
 	}
 
-	CHECK(zr_add_zone(inst->zone_register, raw, secure, dn));
+	CHECK(zr_add_zone(inst->zone_register, ldapdb, raw, secure, dn));
 
 	*rawp = raw;
 	*securep = secure;
@@ -2192,11 +2198,6 @@ zone_sync_apex(const ldap_instance_t * const inst,
 		  * => do nothing. */
 	}
 
-	/* New zone has to have at least SOA record and NS record. */
-	if (new_zone == ISC_TRUE
-	&& (*data_changed == ISC_FALSE || soa_tuple == NULL))
-		result = DNS_R_BADZONE;
-
 cleanup:
 	if (soa_tuple_alloc == ISC_TRUE && soa_tuple != NULL)
 		dns_difftuple_free(&soa_tuple);
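Review bot: The removed block was the only place in zone_sync_apex that rejected a new zone lacking SOA/NS data with `DNS_R_BADZONE`; nothing in this hunk shows where that validation moved, so unless the caller (outside this SOURCE) now performs it, a zone entry without an SOA record would be accepted as loaded. If the check was intentionally relocated, a short comment at this point, `/* SOA/NS presence for new zones is validated by the caller */`, would keep a later reader from re-adding it here. The enclosing function starts before this hunk.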
@@ -2208,10 +2209,54 @@ cleanup:
 	return result;
 }
 
-/* Parse th