Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On Mon, 2014-06-30 at 18:07 +0200, Petr Vobornik wrote:
> On 27.6.2014 14:55, Martin Basti wrote:
> > On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> > > On 25.6.2014 14:35, Martin Basti wrote:
> > > > On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> > > > > Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> > > > > Patches attached.
> > > > > Note: ACI will be updated in another patch which fixes ACIs in DNS plugin
> > > > Patches are here
> > > What are patch 0078's dependencies? I'm missing necessary blobs.. (current master).
> > > Also it requires rebase because of today's pushes to master (VERSION conflict).
> > Rebased patch attached
> Patch 0078-2:
> Just nitpicks.
> 1. The LDAP attribute type description should be changed to something more meaningful. The DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698 is the complete effort. It does not say anything about the TLSA record itself. I suggest: TLSA certificate association, RFC 6698 which is used in chapter 2 of RFC 6698.

This is synced with bind-dyndb-ldap, I use the same description.

> 2. Nitpick: Not a proper alphabetic order ;)
> -u'TSIG', u'TXT', +u'TSIG', u'TLSA', u'TXT',

Fixed

> Patch 0079:
> 3. A js-lint warning:
>     /dns.js(1140): lint warning: extra comma is not recommended in array initializers
>     ]
>     ^
> Just remove the comma on line 1139. To check it, run: `jsl -nofilelisting -nologo -nosummary -conf jsl.conf` in install/ui directory

Fixed

Updated patches attached.

-- 
Martin^2 Basti

From cd3c3bd992175422596d75ff7fe3b63a25877f1a Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 25 Jun 2014 12:36:59 +0200 Subject: [PATCH 1/2] DNSSEC: add TLSA record type Ticket: https://fedorahosted.org/freeipa/ticket/4328 --- ACI.txt | 4 +-- API.txt | 20 --- VERSION | 4 +-- install/share/60ipadns.ldif | 3 ++- ipalib/plugins/dns.py | 59 + 5 files changed, 66 insertions(+), 24 deletions(-) diff --git a/ACI.txt b/ACI.txt index 22b10e3dd9f22ca76a757506f6a0851b18030549..d75f6ea4f9994a1b38cae492161cccb65f4b3191 100644
--- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add DNS Entries;allow (add) groupdn = ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord 
|| nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Remove DNS Entries;allow (delete) groupdn = ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Update DNS
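Review bot: the only change to the Read DNS Entries aci in this hunk is the single token `tlsarecord` inserted between `sshfprecord` and `txtrecord`, which keeps the targetattr list alphabetical, but that is impossible to spot in a line this long; please state the exact token in the commit message, since the rest of the hunk merely re-states the unchanged line. The stat line (ACI.txt | 4 +--) and the hunk header @@ -39,11 +39,11 @@ say two aci lines are rewritten, so the Update DNS Entries aci, cut off in this copy of the mail, should get the same insertion at the same position: the Read permission only allows compare, read and search, and a TLSA record constrains which certificate clients accept for a service, so write access to tlsarecord must flow through the Update permission alone. Worth reconciling with the cover note that ACIs will be fixed in another patch, so the later patch does not touch these two lines again.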
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On 1.7.2014 10:11, Martin Basti wrote:
> On Mon, 2014-06-30 at 18:07 +0200, Petr Vobornik wrote:
> > On 27.6.2014 14:55, Martin Basti wrote:
> > > On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> > > > On 25.6.2014 14:35, Martin Basti wrote:
> > > > > On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> > > > > > Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> > > > > > Patches attached.
> > > > > > Note: ACI will be updated in another patch which fixes ACIs in DNS plugin
> > > > > Patches are here
> > > > What are patch 0078's dependencies? I'm missing necessary blobs.. (current master).
> > > > Also it requires rebase because of today's pushes to master (VERSION conflict).
> > > Rebased patch attached
> > Patch 0078-2:
> > Just nitpicks.
> > 1. The LDAP attribute type description should be changed to something more meaningful. The DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698 is the complete effort. It does not say anything about the TLSA record itself. I suggest: TLSA certificate association, RFC 6698 which is used in chapter 2 of RFC 6698.
> 
> This is synced with bind-dyndb-ldap, I use the same description.
> 
> > 2. Nitpick: Not a proper alphabetic order ;)
> > -u'TSIG', u'TXT', +u'TSIG', u'TLSA', u'TXT',
> 
> Fixed
> 
> > Patch 0079:
> > 3. A js-lint warning:
> >     /dns.js(1140): lint warning: extra comma is not recommended in array initializers
> >     ]
> >     ^
> > Just remove the comma on line 1139. To check it, run: `jsl -nofilelisting -nologo -nosummary -conf jsl.conf` in install/ui directory
> 
> Fixed
> 
> Updated patches attached.

ACK and pushed to master:
* 12cb31575ca84d8084687c9906e5824462bd33ec DNSSEC: add TLSA record type
* 8e911fcabc2c07cce42e32554cf8c9bcc6a544f5 DNSSEC: WebUI: add TLSA record

-- 
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On 27.6.2014 14:55, Martin Basti wrote:
> On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> > On 25.6.2014 14:35, Martin Basti wrote:
> > > On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> > > > Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> > > > Patches attached.
> > > > Note: ACI will be updated in another patch which fixes ACIs in DNS plugin
> > > Patches are here
> > What are patch 0078's dependencies? I'm missing necessary blobs.. (current master).
> > Also it requires rebase because of today's pushes to master (VERSION conflict).
> Rebased patch attached

Patch 0078-2:

Just nitpicks.

1. The LDAP attribute type description should be changed to something more meaningful. The DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698 is the complete effort. It does not say anything about the TLSA record itself. I suggest: TLSA certificate association, RFC 6698 which is used in chapter 2 of RFC 6698.

2. Nitpick: Not a proper alphabetic order ;)
-u'TSIG', u'TXT', +u'TSIG', u'TLSA', u'TXT',

Patch 0079:

3. A js-lint warning:
    /dns.js(1140): lint warning: extra comma is not recommended in array initializers
    ]
    ^
Just remove the comma on line 1139. To check it, run: `jsl -nofilelisting -nologo -nosummary -conf jsl.conf` in install/ui directory

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> On 25.6.2014 14:35, Martin Basti wrote:
> > On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> > > Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> > > Patches attached.
> > > Note: ACI will be updated in another patch which fixes ACIs in DNS plugin
> > Patches are here
> What are patch 0078's dependencies? I'm missing necessary blobs.. (current master).
> Also it requires rebase because of today's pushes to master (VERSION conflict).

Rebased patch attached

-- 
Martin^2 Basti

From c20ad47dc8bc72e2a60b7fda8c513b3eb53ceccb Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 25 Jun 2014 12:36:59 +0200 Subject: [PATCH] DNSSEC: add TLSA record type Ticket: https://fedorahosted.org/freeipa/ticket/4328 --- ACI.txt | 4 +-- API.txt | 20 --- VERSION | 4 +-- install/share/60ipadns.ldif | 3 ++- ipalib/plugins/dns.py | 59 + 5 files changed, 66 insertions(+), 24 deletions(-) diff --git a/ACI.txt b/ACI.txt index 22b10e3dd9f22ca76a757506f6a0851b18030549..d75f6ea4f9994a1b38cae492161cccb65f4b3191 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -39,11 +39,11 @@ aci: (targetattr = idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add DNS Entries;allow (add) groupdn = ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord 
|| nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Remove DNS Entries;allow (delete) groupdn = ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Update DNS Entries;allow (write) groupdn = ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = a6record || record || afsdbrecord
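Review bot: the Update DNS Entries aci in this hunk needs `tlsarecord` at the same position as in the Read DNS Entries aci above (between `sshfprecord` and `txtrecord`), and the replacement +aci line is cut off in this copy of the mail after `afsdbrecord`, so that cannot be confirmed from the list archive; please make sure the attached patch is complete and name the inserted token in the commit message, because in a line this long the diff itself does not show it. This is the line that grants write access to tlsarecord, which is the security-relevant half of the change: a TLSA record tells DANE-aware clients which certificate to accept for a service, so its write path should stay confined to this permission, exactly like the other record types. Pre-existing and not for this patch, but visible here: the Update list omits `objectclass`, which the Read list includes.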