[Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

Petr Spacek pspacek at redhat.com
Thu Sep 4 11:11:13 UTC 2014


On 4.9.2014 13:02, Martin Basti wrote:
> On 04/09/14 11:46, Petr Spacek wrote:
>> On 3.9.2014 16:42, Martin Basti wrote:
>>> On 02/09/14 17:16, Petr Spacek wrote:
>>>> On 20.8.2014 19:26, Martin Basti wrote:
>>>>> Part of DNSSEC
>>>>> Patches attached.
>>>>
>>>> NACK
>>>>
>>>> # ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
>>>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
>>>> record (RFC 4529, section 4.6)
>>>>
>>>> RFC number is incorrect. IMHO it should also reference 'RFC 4035 section
>>>> 2.4'.
>>>>
>>>> Also, there is one hole:
>>>> Current code allows you to add DS RR to existing NS and then to remove NS.
>>>>
>>>> Let me know if adding a check to -del is too hard, maybe we can live without
>>>> it...
>>>>
>>> dnsrecord-del validation added
>>>
>>> Updated patch attached
>>>
>>> Required in ipa 4.1 but this could be pushed to 4.0.x too
>>
>> It almost works ... almost. I'm not sure if the problem is in your patch or
>> in existing code:
>>
>> [root@vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
>>   Record name: ds
>>   DS record: 1 2 3 4
>>   NS record: vm-035.idm.lab.eng.brq.redhat.com.
>>
>> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
>> record (RFC 4592 section 4.6, RFC 4035 section 2.4)
>>
>> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
>>   Record name: ds
>>   NS record: vm-035.idm.lab.eng.brq.redhat.com.
>>
>> [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
>> ipa: ERROR: an internal error has occurred
>>
>> # tail /var/log/httpd/error_log
>>
>> ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() =>
>> PrimaryKey.validate():
>>   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
>> 'list'>: [<DNS name ds>]
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348,
>> in wsgi_execute
>>     result = self.Command[name](*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 451, in
>> __call__
>>     self.validate_output(ret, options['version'])
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 944, in
>> validate_output
>>     o.validate(self, value, version)
>>   File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, in
>> validate
>>     types[0], type(value), value))
>> TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():
>>   output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
>> 'list'>: [<DNS name ds>]
>> ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsrecord_mod(<DNS name
>> ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, structured=False,
>> all=False, raw=False, version=u'2.102'): TypeError
>>
> This bug is not related to the patches.
> Error is raised when you try to delete the last record in RRset using
> dnsrecord-mod --any-rec=""

Okay, functional ACK. Please send a separate patch for this problem or at 
least open a ticket and describe what is wrong with it.

It can be pushed if Python gurus are okay with the code.

Thank you!

-- 
Petr^2 Spacek
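
The hole discussed in this thread (DS added next to an NS, then the NS removed) closes when the rule is checked against the record set a change would leave behind, so add, mod and del go through the same check. The following is an added example, not the FreeIPA patch or FreeIPA code: `apply_change`, `check_ds_has_ns` and `validated_change` are hypothetical names, and the NS target is a constructed sample value.

```python
# Added example, not FreeIPA code: all function names here are hypothetical.
DS_NEEDS_NS = ("DS record requires to coexist with an NS record "
               "(RFC 4592 section 4.6, RFC 4035 section 2.4)")


class ValidationError(ValueError):
    pass


def apply_change(current, add=None, delete=None, replace=None):
    """Return the records one owner name would hold after the change.

    current / add / delete / replace map an RR type to a list of rdata
    strings. An empty list in `replace` drops that RRset, like `--ns-rec=`.
    """
    result = {rrtype: list(vals) for rrtype, vals in current.items()}
    for rrtype, vals in (add or {}).items():
        result.setdefault(rrtype, []).extend(vals)
    for rrtype, vals in (delete or {}).items():
        result[rrtype] = [v for v in result.get(rrtype, []) if v not in vals]
    for rrtype, vals in (replace or {}).items():
        result[rrtype] = list(vals)
    return {rrtype: vals for rrtype, vals in result.items() if vals}


def check_ds_has_ns(records):
    """Reject a record set that carries DS without NS at the same name."""
    if records.get("DS") and not records.get("NS"):
        raise ValidationError(DS_NEEDS_NS)


def validated_change(current, **change):
    """Validate the resulting state, so add, mod and del share one check."""
    new = apply_change(current, **change)
    check_ds_has_ns(new)
    return new


if __name__ == "__main__":
    ns = "ns1.example."  # constructed sample value
    state = validated_change({"NS": [ns]}, add={"DS": ["1 2 3 4"]})
    for change in ({"delete": {"NS": [ns]}}, {"replace": {"NS": []}}):
        try:
            validated_change(state, **change)
        except ValidationError as err:
            print("rejected:", err)
    state = validated_change(state, replace={"DS": []})
    print(validated_change(state, replace={"NS": []}))  # empty: name is gone
```

Removing the DS first and the NS second passes, which matches the order that succeeded in the session quoted above.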



