On 23.4.2014 18:14, Petr Spacek wrote:
This patch set configures secure zones according to policies in LDAP.
Patch 246 v2 fixes incorrect ATTR_NONNULLS usage, which causes segfaults when
compiled with -O0.
Patch 246 v2 obsoletes patch 253.
--
Petr^2 Spacek
From d6afefff7b677c59eccfb2c7f4951c4a334ea725 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 23 Apr 2014 18:04:55 +0200
Subject: [PATCH] Move secure zone configuration from create_zone() to
zone_master_reconfigure().
https://fedorahosted.org/bind-dyndb-ldap/ticket/56
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/ldap_helper.c | 51 ++-
1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 91866f7735483efe0b27fd3d6f7a549948e809c5..31aa25848c7f45f585b9c1aad0f86faefa87396f 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -949,20 +949,6 @@ create_zone(ldap_instance_t * const inst, const char * const dn,
CHECK(dns_zone_setdbtype(secure, 1, rbt_argv));
CHECK(dns_zonemgr_managezone(inst-zmgr, secure));
CHECK(dns_zone_link(secure, raw));
-
- /* Magic constants are taken from zoneconf.c */
- dns_zone_setsigvalidityinterval(secure, 2592000); /* sig-validity-interval */
- dns_zone_setsigresigninginterval(secure, 648000); /* re-sign */
- dns_zone_setsignatures(secure, 10); /* sig-signing-signatures */
- dns_zone_setnodes(secure, 10); /* sig-signing-nodes */
- dns_zone_setprivatetype(secure, 65534); /* sig-signing-type */
- dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK,
- ISC_TRUE); /* update-check-ksk */
- dns_zone_setrefreshkeyinterval(secure, 60); /* dnssec-loadkeys-interval */
- /* auto-dnssec = maintain */
- dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
- dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
-
dns_zone_rekey(secure, ISC_TRUE);
CHECK(configure_paths(inst-mctx, inst, secure, ISC_TRUE));
}
@@ -1879,9 +1865,9 @@ cleanup:
* @param[in] raw Raw zone backed by LDAP database. In-line secure zone
* will be reconfigured as necessary.
*/
-static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+static isc_result_t ATTR_NONNULL(1,2,3,5) ATTR_CHECKRESULT
zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
- dns_zone_t *raw, isc_task_t *task) {
+ dns_zone_t *raw, dns_zone_t *secure, isc_task_t *task) {
isc_result_t result;
const char *dn = NULL;
ldap_valuelist_t values;
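Review bot: The new `secure` parameter gets no `@param` entry, while the Doxygen block above the signature still documents only `raw` (its sentence "In-line secure zone will be reconfigured as necessary" now really describes the role of `secure`). Add `* @param[in] secure In-line secure zone linked to raw, or NULL when the zone has no secure counterpart.` The NULL case is what `ATTR_NONNULL(1,2,3,5)` encodes by leaving argument 4 out, and it is what the `if (secure != NULL)` guard in the following hunk relies on, so the contract is worth spelling out next to the signature. The function body continues outside this hunk.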
@@ -1952,6 +1938,37 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
result = ISC_R_SUCCESS;
}
+ if (secure != NULL) {
+ /* notifications should be sent from secure zone only */
+ dns_zone_setnotifytype(raw, dns_notifytype_no);
+
+ /* Magic constants are taken from zoneconf.c */
+ /* sig-validity-interval */
+ dns_zone_setsigvalidityinterval(secure, 2592000);
+
+ /* re-sign */
+ dns_zone_setsigresigninginterval(secure, 648000);
+
+ /* sig-signing-signatures */
+ dns_zone_setsignatures(secure, 10);
+
+ /* sig-signing-nodes */
+ dns_zone_setnodes(secure, 10);
+
+ /* sig-signing-type */
+ dns_zone_setprivatetype(secure, 65534);
+
+ /* update-check-ksk */
+ dns_zone_setoption(secure, DNS_ZONEOPT_UPDATECHECKKSK, ISC_TRUE);
+
+ /* dnssec-loadkeys-interval */
+ CHECK(dns_zone_setrefreshkeyinterval(secure, 60));
+
+ /* auto-dnssec = maintain */
+ dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
+ dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
+ }
+
cleanup:
return result;
}
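Review bot: For a freshly created zone, `dns_zone_rekey(secure, ISC_TRUE)` stays in create_zone (first hunk) while the DNS_ZONEKEY_ALLOW/MAINTAIN options and the signing intervals that used to precede it are now applied here, so the rekey request is issued before those options exist on the zone; if dns_zone_rekey, or the work it schedules, reads the key options synchronously, the first signing pass may run with BIND's defaults — worth confirming against the BIND version in use, or moving the rekey after this block. The values 2592000, 648000, 10, 10 and 65534 are still bare magic numbers; now that they live in one place, naming them (e.g. an `enum { SIG_VALIDITY_INTERVAL = 2592000, SIG_RESIGN_INTERVAL = 648000, ... }` next to the function, with the zoneconf.c origin stated once) would document them once instead of through five inline comments. `dns_zone_setrefreshkeyinterval` is the only setter here wrapped in CHECK; if the others return `void` in the targeted BIND, a one-line comment saying so would spare the next reader from wondering whether their results are being dropped.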
@@ -2161,7 +2178,7 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst,
}
CHECK(zr_get_zone_settings(inst-zone_register, name, zone_settings));
- CHECK(zone_master_reconfigure(entry, zone_settings, raw, task));
+ CHECK(zone_master_reconfigure(entry, zone_settings, raw, secure, task));
sync_state_get(inst-sctx, sync_state);
if (new_zone == ISC_TRUE sync_state == sync_finished)
--
1.9.0