Re: [Freeipa-devel] [PATCH 0207] Do not load invalid zones

2014-02-21 Thread Petr Spacek

On 13.12.2013 17:45, Petr Spacek wrote:

On 27.11.2013 16:34, Petr Spacek wrote:

Hello,

Do not load invalid zones.

Without this patch, it was possible to load an invalid zone without
proper SOA or NS records because the fake SOA and NS records allowed
checks in dns_zone_load() to pass.

With this patch, no fake SOA or NS records are created and
dns_zone_load() is not called before the end of the initial synchronization.

See the function ldapdb_associate() in ldap_driver.c and its comments.


Patch 207 v2 fixes reconnecting to LDAP.

dns_db_detachnode() call in update_record() function was moved to the cleanup
section - this is a workaround for ISC bug #35080.

This patch should go to the master branch.


Pushed to the master branch: e39df82aaf12746525d5a53ebc638aa4c07fcb4a

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
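The commit message above describes two rules: a zone whose apex lacks a real SOA or NS record must be rejected rather than papered over with fake records, and the load must wait until the initial LDAP synchronization has finished. The following self-contained C sketch is an added example of those two checks; it is not code from this thread or from bind-dyndb-ldap, and every name in it (`rr_t`, `check_zone_apex()`, `try_load_zone()`, the `SYNC_FINISH` state, the sample zones) is a constructed stand-in rather than a BIND or driver API.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed, simplified record model: only the owner name and the RR type
 * matter for the apex checks shown here (hypothetical types, not BIND's). */
typedef enum { RR_SOA, RR_NS, RR_A, RR_AAAA } rr_type_t;

typedef struct {
    const char *owner;   /* absolute owner name, e.g. "example.test." */
    rr_type_t   type;
} rr_t;

/* Synchronization state of the LDAP -> in-memory DB replication, modelled
 * on the sync_finish state the commit message refers to (assumed names). */
typedef enum { SYNC_INIT, SYNC_FINISH } sync_state_t;

typedef enum {
    ZONE_OK = 0,
    ZONE_SYNC_PENDING,   /* initial synchronization not finished: do not load yet */
    ZONE_NO_SOA,         /* apex has no SOA record */
    ZONE_MULTIPLE_SOA,   /* apex has more than one SOA record */
    ZONE_NO_NS           /* apex has no NS record */
} zone_check_t;

/* DNS owner names compare case-insensitively. */
static int name_equal(const char *a, const char *b) {
    return strcasecmp(a, b) == 0;
}

/* Inspect the apex of a zone and report the first problem found. This is the
 * check that fake SOA/NS records used to satisfy: with real data only, a zone
 * whose apex is missing its SOA or NS is rejected instead of being loaded. */
zone_check_t check_zone_apex(const rr_t *rrs, size_t n, const char *origin) {
    size_t soa = 0, ns = 0;
    for (size_t i = 0; i < n; i++) {
        if (!name_equal(rrs[i].owner, origin))
            continue;                 /* only records at the apex matter here */
        if (rrs[i].type == RR_SOA)
            soa++;
        else if (rrs[i].type == RR_NS)
            ns++;
    }
    if (soa == 0) return ZONE_NO_SOA;
    if (soa > 1)  return ZONE_MULTIPLE_SOA;
    if (ns == 0)  return ZONE_NO_NS;
    return ZONE_OK;
}

/* Gate the load on the synchronization state first, then on apex validity:
 * the load is only attempted once sync_finish has been reached, and then only
 * for a zone whose apex is complete. */
zone_check_t try_load_zone(sync_state_t state, const rr_t *rrs, size_t n,
                           const char *origin) {
    if (state != SYNC_FINISH)
        return ZONE_SYNC_PENDING;
    return check_zone_apex(rrs, n, origin);
}

/* Constructed sample zones (not real data). */
static const rr_t good_zone[] = {
    { "example.test.",     RR_SOA },
    { "example.test.",     RR_NS  },
    { "ns1.example.test.", RR_A   },
};
static const rr_t no_ns_zone[] = {
    { "example.test.",     RR_SOA },
    { "www.example.test.", RR_A   },
};
static const rr_t no_soa_zone[] = {
    { "EXAMPLE.test.",     RR_NS  },   /* mixed case still matches the apex */
    { "www.example.test.", RR_A   },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    assert(try_load_zone(SYNC_INIT,   good_zone,   COUNT(good_zone),   "example.test.") == ZONE_SYNC_PENDING);
    assert(try_load_zone(SYNC_FINISH, good_zone,   COUNT(good_zone),   "example.test.") == ZONE_OK);
    assert(try_load_zone(SYNC_FINISH, no_ns_zone,  COUNT(no_ns_zone),  "example.test.") == ZONE_NO_NS);
    assert(try_load_zone(SYNC_FINISH, no_soa_zone, COUNT(no_soa_zone), "example.test.") == ZONE_NO_SOA);
    return 0;
}
```

The ordering in `try_load_zone()` is the point: while synchronization is still running, the apex may legitimately be incomplete, so the only correct answer is "not yet", never a synthesized SOA or NS that would make an incomplete zone look loadable.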


Re: [Freeipa-devel] [PATCH 0207] Do not load invalid zones

2013-12-13 Thread Petr Spacek

On 27.11.2013 16:34, Petr Spacek wrote:

Hello,

Do not load invalid zones.

Without this patch, it was possible to load an invalid zone without
proper SOA or NS records because the fake SOA and NS records allowed
checks in dns_zone_load() to pass.

With this patch, no fake SOA or NS records are created and
dns_zone_load() is not called before the end of the initial synchronization.

See the function ldapdb_associate() in ldap_driver.c and its comments.


Patch 207 v2 fixes reconnecting to LDAP.

dns_db_detachnode() call in update_record() function was moved to the cleanup
section - this is a workaround for ISC bug #35080.


This patch should go to the master branch.

--
Petr^2 Spacek

From b3c3bb20ce89c667527f5aba41dc2709630cd6c0 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 27 Nov 2013 16:25:30 +0100
Subject: [PATCH] Do not load invalid zones.

Without this patch, it was possible to load an invalid zone without
proper SOA or NS records because the fake SOA and NS records allowed
checks in dns_zone_load() to pass.

With this patch, no fake SOA or NS records are created and
dns_zone_load() is not called before the end of the initial synchronization.

See the function ldapdb_associate() in ldap_driver.c and its comments.

Signed-off-by: Petr Spacek 
---
 src/ldap_driver.c   | 124 ++--
 src/ldap_driver.h   |  16 -
 src/ldap_helper.c   | 179 +---
 src/ldap_helper.h   |   9 ++-
 src/syncrepl.c  |   4 +-
 src/types.h |   3 +
 src/zone_register.c |  15 -
 src/zone_register.h |   2 -
 8 files changed, 215 insertions(+), 137 deletions(-)

diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 56db0bf6595d3a8815504d05eb2b509ea03f6c62..96dba87609260101da4c5dba7c7a07cf0d382070 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -65,7 +65,7 @@
 #define VALID_LDAPDB(ldapdb) \
 	((ldapdb) != NULL && (ldapdb)->common.impmagic == LDAPDB_MAGIC)
 
-typedef struct {
+struct ldapdb {
 	dns_db_t			common;
 	isc_refcount_t			refs;
 	ldap_instance_t			*ldap_inst;
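Review bot: turning the anonymous `typedef struct {` into the tagged `struct ldapdb {` only compiles if a shared header now supplies `typedef struct ldapdb ldapdb_t;` (or the other users of the old `ldapdb_t` name are updated), and that declaration is not in this excerpt; the diffstat shows src/types.h gaining three lines, which is presumably where the forward declaration lands, so please confirm the tag and the typedef are declared exactly once and that only the incomplete type, not the struct layout, becomes visible outside ldap_driver.c.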
@@ -91,7 +91,7 @@ typedef struct {
 	 * The purpose is to detect moment when the new version is closed.
 	 * That is the right time for unlocking newversion_lock. */
 	dns_dbversion_t			*newversion;
-} ldapdb_t;
+};
 
 dns_db_t * ATTR_NONNULLS
 ldapdb_get_rbtdb(dns_db_t *db) {
@@ -908,83 +908,57 @@ dns_ns_buildrdata(dns_name_t *origin, dns_name_t *ns_name,
   &ns, &rdatabuf));
 }
 
-/*
- * Create an SOA record for a newly-created zone
+/**
+ * Associate a pre-existing LDAP DB instance with a new DNS zone.
+ *
+ * @warning This is a hack.
+ *
+ * Normally, an empty database is created by dns_db_create() call during
+ * dns_zone_load().
+ *
+ * In our case, we need to create and populate databases on-the-fly
+ * as we process data from LDAP.
+ * We create an empty LDAP DB (which encapsulates internal RBT DB)
+ * for each zone when the zone is being added to zone_register.
+ *
+ * The database in zone register is modified on-the-fly and subsequent
+ * dns_db_create() call associates this populated database with the DNS zone.
+ *
+ * This allows us to call dns_zone_load() later when all the data are in place,
+ * so dns_zone_load() can be postponed until synchronization state sync_finish
+ * is reached.
+ *
+ * @param[in] argv [0] is database instance name
  */
-static isc_result_t ATTR_NONNULLS
-add_soa(isc_mem_t *mctx, dns_name_t *origin, dns_db_t *db) {
+isc_result_t
+ldapdb_associate(isc_mem_t *mctx, dns_name_t *name, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp) {
+
 	isc_result_t result;
-	dns_rdata_t rdata_soa = DNS_RDATA_INIT;
-	dns_rdata_t rdata_ns = DNS_RDATA_INIT;
-	unsigned char buf_soa[DNS_SOA_BUFFERSIZE];
-	unsigned char buf_ns[DNS_SOA_BUFFERSIZE];
-	dns_fixedname_t ns_name;
-	dns_fixedname_t m_name;
-	dns_dbversion_t *ver = NULL;
-	dns_difftuple_t *tp_soa = NULL;
-	dns_difftuple_t *tp_ns = NULL;
-	dns_diff_t diff;
+	ldap_instance_t *ldap_inst = NULL;
+	zone_register_t *zr = NULL;
 
-	dns_diff_init(mctx, &diff);
-	result = dns_db_newversion(db, &ver);
-	if (result != ISC_R_SUCCESS) {
-		log_error_r("add_soa:dns_db_newversion");
-		goto failure;
-	}
+	UNUSED(driverarg); /* Currently we don't need any data */
 
-	/* Build SOA record */
-	dns_fixedname_init(&m_name);
-	dns_name_fromstring(dns_fixedname_name(&m_name), "pspacek.brq.redhat.com.", 0, mctx);
-	result = dns_soa_buildrdata(dns_fixedname_name(&m_name), dns_rootname, dns_rdataclass_in,
-0, 0, 0, 0, 0, buf_soa, &rdata_soa);
-	if (result != ISC_R_SUCCESS) {
-		log_error_r("add_soa:dns_soa_buildrdata");
-		goto failure;
-	}
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+	REQUIRE(argc == LDAP_DB_ARGC);
+	REQUIRE(type == LDAP_DB_TYPE);
+	REQUIRE(rdclass == LDAP_DB_RDATACLASS);
+	REQUIRE(dbp != NULL && *dbp == NULL);
 
-	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, 3600,
-  &rdata_soa, &tp_soa);
-	if (resu
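Review bot: the REQUIRE() checks on `argc`, `type` and `rdclass` in ldapdb_associate() turn a mismatched `database` statement in the zone configuration into an assertion failure that aborts the whole named process, whereas a dns_db_create() callback can report such mismatches through its return value (ISC_R_NOTIMPLEMENTED for an unsupported type or class, for example) and let just that zone fail; consider keeping REQUIRE() for the programmer-level invariants (`mctx`, `dbp`) and returning an error for the configuration-derived arguments. The `name` argument is the one pointer parameter without a precondition; a `REQUIRE(name != NULL)` would match the style of the others. Since the hunk is cut off at `if (resu`, the lookup of `name` in the zone register and the attach to `*dbp` could not be reviewed here. Removing add_soa() with its hard-coded "pspacek.brq.redhat.com." MNAME is the right call: that placeholder is exactly what let an apex without real SOA/NS data pass the checks in dns_zone_load().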