[Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Martin Basti mbasti at redhat.com
Thu Sep 4 11:02:48 UTC 2014


On 04/09/14 11:46, Petr Spacek wrote:
> On 3.9.2014 16:42, Martin Basti wrote:
>> On 02/09/14 17:16, Petr Spacek wrote:
>>> On 20.8.2014 19:26, Martin Basti wrote:
>>>> Part of DNSSEC
>>>> Patches attached.
>>>
>>> NACK
>>>
>>> # ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
>>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with 
>>> an NS
>>> record (RFC 4529, section 4.6)
>>>
>>> RFC number is incorrect. IMHO it should also reference 'RFC 4035 
>>> section 2.4'.
>>>
>>> Also, there is one hole:
>>> Current code allows you to add DS RR to existing NS and then to 
>>> remove NS.
>>>
>>> Let me know if adding a check to -del is too hard, maybe we can live 
>>> without
>>> it...
>>>
>> dnsrecord-del validation added
>>
>> Updated patch attached
>>
>> Required in ipa 4.1 but this could be pushed to 4.0.x  too
>
> It almost works ... almost. I'm not sure if the problem is in your 
> patch or in existing code:
>
> [root@vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
>   Record name: ds
>   DS record: 1 2 3 4
>   NS record: vm-035.idm.lab.eng.brq.redhat.com.
>
> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an 
> NS record (RFC 4592 section 4.6, RFC 4035 section 2.4)
>
> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
>   Record name: ds
>   NS record: vm-035.idm.lab.eng.brq.redhat.com.
>
> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
> ipa: ERROR: an internal error has occurred
>
> # tail /var/log/httpd/error_log
>
> ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() => 
> PrimaryKey.validate():
>   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
> 'list'>: [<DNS name ds>]
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 
> 348, in wsgi_execute
>     result = self.Command[name](*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
> 451, in __call__
>     self.validate_output(ret, options['version'])
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
> 944, in validate_output
>     o.validate(self, value, version)
>   File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, 
> in validate
>     types[0], type(value), value))
> TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():
>   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type 
> 'list'>: [<DNS name ds>]
> ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsrecord_mod(<DNS 
> name ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, 
> structured=False, all=False, raw=False, version=u'2.102'): TypeError
>
This bug is not related to the patches.
The error is raised when you try to delete the last record in an RRset using 
dnsrecord-mod --any-rec=""

-- 
Martin Basti
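
The rule discussed in this thread (a DS record must coexist with an NS record at the same name, checked on add, mod and del), as an added sketch that is not the attached patches or FreeIPA code. The names check_ds_ns, apply_change and ValidationError are hypothetical; the record values are taken from the session quoted above.

```python
# Added illustration, not FreeIPA code. All function and class names are
# hypothetical; record sets are modelled as {type: [values]} for one name.

DS_NEEDS_NS = ("DS record requires to coexist with an NS record "
               "(RFC 4592 section 4.6, RFC 4035 section 2.4)")


class ValidationError(ValueError):
    """Raised when an operation would leave a DS record without an NS."""


def check_ds_ns(rrsets):
    """Reject a name that holds DS records but no NS records."""
    if rrsets.get("DS") and not rrsets.get("NS"):
        raise ValidationError(DS_NEEDS_NS)


def apply_change(current, op, changes):
    """Return the record sets that would exist after op, or raise.

    The check runs on the resulting state rather than on the request, so
    the same rule covers adding a DS without an NS, clearing the NS with
    mod, and removing the NS with del while a DS is still present.
    """
    result = {rtype: list(vals) for rtype, vals in current.items()}
    for rtype, vals in changes.items():
        if op == "add":
            result.setdefault(rtype, []).extend(vals)
        elif op == "mod":
            result[rtype] = list(vals)  # an empty list clears the RRset
        elif op == "del":
            result[rtype] = [v for v in result.get(rtype, [])
                             if v not in vals]
        else:
            raise ValueError("unknown operation: %s" % op)
    # An emptied RRset no longer exists at this name.
    result = {rtype: vals for rtype, vals in result.items() if vals}
    check_ds_ns(result)
    return result
```
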



