[Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Petr Spacek pspacek at redhat.com
Thu Sep 4 09:46:47 UTC 2014


On 3.9.2014 16:42, Martin Basti wrote:
> On 02/09/14 17:16, Petr Spacek wrote:
>> On 20.8.2014 19:26, Martin Basti wrote:
>>> Part of DNSSEC
>>> Patches attached.
>>
>> NACK
>>
>> # ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
>> record (RFC 4529, section 4.6)
>>
>> RFC number is incorrect. IMHO it should also reference 'RFC 4035 section 2.4'.
>>
>> Also, there is one hole:
>> Current code allows you to add DS RR to existing NS and then to remove NS.
>>
>> Let me know if adding a check to -del is too hard, maybe we can live without
>> it...
>>
> dnsrecord-del validation added
>
> Updated patch attached
>
> Required in ipa 4.1 but this could be pushed to 4.0.x too

It almost works ... almost. I'm not sure if the problem is in your patch or in 
existing code:

[root at vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
   Record name: ds
   DS record: 1 2 3 4
   NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS 
record (RFC 4592 section 4.6, RFC 4035 section 2.4)

[root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
   Record name: ds
   NS record: vm-035.idm.lab.eng.brq.redhat.com.

[root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: an internal error has occurred

# tail /var/log/httpd/error_log

ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() => 
PrimaryKey.validate():
   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
'list'>: [<DNS name ds>]
Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, 
in wsgi_execute
     result = self.Command[name](*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 451, in 
__call__
     self.validate_output(ret, options['version'])
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 944, in 
validate_output
     o.validate(self, value, version)
   File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, in validate
     types[0], type(value), value))
TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():
   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
'list'>: [<DNS name ds>]
ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsrecord_mod(<DNS name 
ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, structured=False, 
all=False, raw=False, version=u'2.102'): TypeError

-- 
Petr^2 Spacek
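
The rule discussed in this thread (a DS record may exist at a name only together with an NS record, whether the state was reached through add, mod or del) can be enforced by validating the record sets that result from a change instead of checking each command separately. The following is an added example, not code from the patches or from FreeIPA; `apply_change`, `check_ds_needs_ns`, `ValidationError` and the NS host name are hypothetical.

```python
# Added illustration; all names here are hypothetical, not FreeIPA's API.
class ValidationError(Exception):
    pass


def check_ds_needs_ns(rrsets):
    """Reject a node that holds DS records without any NS record."""
    if rrsets.get("DS") and not rrsets.get("NS"):
        raise ValidationError(
            "DS record requires to coexist with an NS record")


def apply_change(current, add=None, delete=None, replace=None):
    """Return the node's new record sets, or raise if the result is invalid.

    Every argument maps a record type to a list of values. An empty list
    in `replace` clears that type, like `--ns-rec=` in the transcript.
    """
    result = {rtype: list(vals) for rtype, vals in current.items()}
    for rtype, vals in (replace or {}).items():
        result[rtype] = list(vals)
    for rtype, vals in (add or {}).items():
        existing = result.setdefault(rtype, [])
        existing.extend(v for v in vals if v not in existing)
    for rtype, vals in (delete or {}).items():
        result[rtype] = [v for v in result.get(rtype, []) if v not in vals]
    result = {rtype: vals for rtype, vals in result.items() if vals}
    # Validate the post-change state, so the same rule covers add, mod and del.
    check_ds_needs_ns(result)
    return result


if __name__ == "__main__":
    # Constructed sample node: DS value as in the thread, NS name made up.
    node = {"NS": ["ns1.example.test."], "DS": ["1 2 3 4"]}
    for label, kwargs in [("clear NS", {"replace": {"NS": []}}),
                          ("clear DS", {"replace": {"DS": []}})]:
        try:
            print(label, "->", apply_change(node, **kwargs))
        except ValidationError as err:
            print(label, "-> rejected:", err)
```
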



