[Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation
Martin Kosek
mkosek at redhat.com
Fri Sep 5 10:13:56 UTC 2014
On 09/04/2014 01:11 PM, Petr Spacek wrote:
> On 4.9.2014 13:02, Martin Basti wrote:
>> On 04/09/14 11:46, Petr Spacek wrote:
>>> On 3.9.2014 16:42, Martin Basti wrote:
>>>> On 02/09/14 17:16, Petr Spacek wrote:
>>>>> On 20.8.2014 19:26, Martin Basti wrote:
>>>>>> Part of DNSSEC
>>>>>> Patches attached.
>>>>>
>>>>> NACK
>>>>>
>>>>> # ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4'
>>>>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
>>>>> record (RFC 4529, section 4.6)
>>>>>
>>>>> RFC number is incorrect. IMHO it should also reference 'RFC 4035 section
>>>>> 2.4'.
>>>>>
>>>>> Also, there is one hole:
>>>>> Current code allows you to add DS RR to existing NS and then to remove NS.
>>>>>
>>>>> Let me know if adding a check to -del is too hard, maybe we can live without
>>>>> it...
>>>>>
>>>> dnsrecord-del validation added
>>>>
>>>> Updated patch attached
>>>>
>>>> Required in ipa 4.1 but this could be pushed to 4.0.x too
>>>
>>> It almost works ... almost. I'm not sure if the problem is in your patch or
>>> in existing code:
>>>
>>> [root at vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4'
>>> Record name: ds
>>> DS record: 1 2 3 4
>>> NS record: vm-035.idm.lab.eng.brq.redhat.com.
>>>
>>> [root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
>>> ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS
>>> record (RFC 4592 section 4.6, RFC 4035 section 2.4)
>>>
>>> [root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec=
>>> Record name: ds
>>> NS record: vm-035.idm.lab.eng.brq.redhat.com.
>>>
>>> [root at vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
>>> ipa: ERROR: an internal error has occurred
>>>
>>> # tail /var/log/httpd/error_log
>>>
>>> ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() =>
>>> PrimaryKey.validate():
>>> output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
>>> 'list'>: [<DNS name ds>]
>>> Traceback (most recent call last):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348,
>>> in wsgi_execute
>>> result = self.Command[name](*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 451, in
>>> __call__
>>> self.validate_output(ret, options['version'])
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 944, in
>>> validate_output
>>> o.validate(self, value, version)
>>> File "/usr/lib/python2.7/site-packages/ipalib/output.py", line 126, in
>>> validate
>>> types[0], type(value), value))
>>> TypeError: dnsrecord_mod.validate_output() => PrimaryKey.validate():
>>> output['value']: need <class 'ipapython.dnsutil.DNSName'>; got <type
>>> 'list'>: [<DNS name ds>]
>>> ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: dnsrecord_mod(<DNS name
>>> ipa.example.>, <DNS name ds>, nsrecord=None, rights=False, structured=False,
>>> all=False, raw=False, version=u'2.102'): TypeError
>>>
>> This bug is not related to the patches.
>> Error is raised when you try to delete the last record in RRset using
>> dnsrecord-mod --any-rec=""
>
> Okay, functional ACK. Please send a separate patch for this problem or at least
> open a ticket and describe what is wrong with it.
>
> It can be pushed if Python gurus are okay with the code.
>
> Thank you!
>
Ok, LGTM. Pushed to master, ipa-4-1.
Martin
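
The rule discussed in this thread (a DS record must coexist with an NS record at the same name, and removing the NS later must not get around it), as an added Python example that is not part of the original messages and is not FreeIPA's code. The function names and the in-memory record model are hypothetical.

```python
# Added illustration; hypothetical names, not FreeIPA's implementation.
class ValidationError(Exception):
    pass

DS_NEEDS_NS = "DS record requires to coexist with an NS record"

def apply_change(rrsets, add=None, delete=None):
    """Return the {rrtype: set(values)} state after a change; input is not mutated."""
    result = {rrtype: set(values) for rrtype, values in rrsets.items()}
    for rrtype, values in (add or {}).items():
        result.setdefault(rrtype, set()).update(values)
    for rrtype, values in (delete or {}).items():
        result.get(rrtype, set()).difference_update(values)
    return {rrtype: values for rrtype, values in result.items() if values}

def modify_name(rrsets, add=None, delete=None):
    """Validate the resulting state, so add, mod and del share one check."""
    new_state = apply_change(rrsets, add, delete)
    if new_state.get("DS") and not new_state.get("NS"):
        raise ValidationError(DS_NEEDS_NS)
    return new_state

def attempt(rrsets, **change):
    """Return (accepted, state); state is unchanged when the change is rejected."""
    try:
        return True, modify_name(rrsets, **change)
    except ValidationError:
        return False, rrsets

def demo():
    ns = {"NS": {"ns1.ipa.example."}}   # constructed sample data
    ds = {"DS": {"1 2 3 4"}}            # DS value used in the thread
    results = []
    ok, state = attempt({}, add=ds)          # DS with no NS present
    results.append(ok)
    ok, state = attempt(ns, add=ds)          # DS added next to existing NS
    results.append(ok)
    ok, state = attempt(state, delete=ns)    # the hole: drop NS, keep DS
    results.append(ok)
    ok, state = attempt(state, delete=ds)    # drop DS first
    results.append(ok)
    ok, state = attempt(state, delete=ns)    # now NS may go
    results.append(ok)
    return results, state

if __name__ == "__main__":
    print(demo())
```

Checking the state that would result from the change, rather than the arguments of one command, is what makes the delete and modify paths enforce the same rule as the add path.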