author | Martin Basti <mbasti@redhat.com> | 2014-08-20 15:14:12 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-09-05 12:29:29 +0200 |
commit | 16ecbb150732720883fd5bfafed21d26e406855a (patch) | |
tree | 37c3c511f07cca8cf245363f4199ed6d9b091abc | |
parent | 7e76bba5123d5acaf4f26927b3909a095a0a5f07 (diff) | |
FIX DNS wildcard records (RFC4592)
Make validation more strict
* DS, NS, DNAME owners should not be a wildcard domain name
* zone name should not be a wildcard domain name
Ticket: https://fedorahosted.org/freeipa/ticket/4488
Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r-- | ipalib/plugins/dns.py | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index daa0ec396..75611a615 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
     return None
+def _no_wildcard_validator(ugettext, value):
+    """Disallow usage of wildcards as RFC 4592 section 4 recommends
+    """
+    assert isinstance(value, DNSName)
+    if value.is_wild():
+        return _('should not be a wildcard domain name (RFC 4592 section 4)')
+    return None
+
 def is_forward_record(zone, str_address):
     addr = netaddr.IPAddress(str_address)
     if addr.version == 4:
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
     takes_params = (
         DNSNameParam('idnsname',
+            _no_wildcard_validator, # RFC 4592 section 4
             only_absolute=True,
             cli_name='name',
             label=_('Zone name'),
@@ -2627,6 +2636,19 @@ class dnsrecord(LDAPObject):
                     error=unicode(_('out-of-zone data: record name must '
                                     'be a subdomain of the zone or a '
                                     'relative name')))
+        # dissallowed wildcard (RFC 4592 section 4)
+        no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
+        if (keys[-1].is_wild() and
+            any(entry_attrs.get('%srecord' % r.lower())
+                for r in no_wildcard_rtypes)
+        ):
+            raise errors.ValidationError(
+                name='idnsname',
+                error=(_('owner of %(types)s records ' 'should not be a wildcard domain name (RFC 4592 section 4)') %
+                    {'types': ', '.join(no_wildcard_rtypes)}
+                )
+            )
     def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
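Review bot: The new wildcard check in the `dnsrecord` pre-callback tests only `keys[-1]`, the entry's current owner name, so if this callback is also reached by `dnsrecord-mod --rename` an existing NS, DS or DNAME owner could presumably be renamed to a wildcard without being rejected; the rename target (if it is carried in `options`) would need the same `is_wild()` test, and a unit test for that path would pin it. The check also depends on `entry_attrs` already containing the `nsrecord`/`dsrecord`/`dnamerecord` values supplied via `--setattr`/`--addattr`, which I cannot confirm from the hunk — worth a comment such as `# relies on setattr/addattr having been merged into entry_attrs before this callback` if that is the case. `no_wildcard_rtypes` is a constant rebuilt on every call; a module-level `_NO_WILDCARD_RTYPES = ('DNAME', 'DS', 'NS')` next to `_no_wildcard_validator` would keep the two RFC 4592 checks together, and the comment typo `dissallowed` should read `disallowed`. The enclosing method starts outside the hunk.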