authorMartin Basti <mbasti@redhat.com>2014-08-20 15:14:12 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-05 12:29:29 +0200
commit16ecbb150732720883fd5bfafed21d26e406855a (patch)
tree37c3c511f07cca8cf245363f4199ed6d9b091abc
parent7e76bba5123d5acaf4f26927b3909a095a0a5f07 (diff)
FIX DNS wildcard records (RFC4592)
Make validation more strict * DS, NS, DNAME owners should not be a wildcard domain name * zone name should not be a wildcard domain name Ticket: https://fedorahosted.org/freeipa/ticket/4488 Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r--ipalib/plugins/dns.py22
1 files changed, 22 insertions, 0 deletions
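--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
 return None
+def _no_wildcard_validator(ugettext, value):
+ """Disallow usage of wildcards as RFC 4592 section 4 recommends
+ """
+ assert isinstance(value, DNSName)
+ if value.is_wild():
+ return _('should not be a wildcard domain name (RFC 4592 section 4)')
+ return None
+
 def is_forward_record(zone, str_address):
 addr = netaddr.IPAddress(str_address)
 if addr.version == 4:
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
 takes_params = (
 DNSNameParam('idnsname',
+ _no_wildcard_validator, # RFC 4592 section 4
 only_absolute=True,
 cli_name='name',
 label=_('Zone name'),
@@ -2627,6 +2636,19 @@ class dnsrecord(LDAPObject):
 error=unicode(_('out-of-zone data: record name must '
 'be a subdomain of the zone or a '
 'relative name')))
+ # dissallowed wildcard (RFC 4592 section 4)
+ no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
+ if (keys[-1].is_wild() and
+ any(entry_attrs.get('%srecord' % r.lower())
+ for r in no_wildcard_rtypes)
+ ):
+ raise errors.ValidationError(
+ name='idnsname',
+ error=(_('owner of %(types)s records '
+ 'should not be a wildcard domain name (RFC 4592 section 4)') %
+ {'types': ', '.join(no_wildcard_rtypes)}
+ )
+ )
 def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)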
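Review bot: The ValidationError raised by the new wildcard check in the dnsrecord hunk always interpolates the full `DNAME, DS, NS` list into `%(types)s`, even when only one of those record types is present in `entry_attrs`, so the message blames record types the caller never supplied. Collecting the record types that are actually set and reporting only those keeps the rejection identical while making the error actionable; the rewrite below does that. The `entry_attrs.get(...)` truthiness test already lets an empty value (clearing such records on an existing wildcard owner) fall through, which is the right behaviour and worth a comment, e.g. `# an empty value is a deletion and is allowed`. The comment `# dissallowed wildcard (RFC 4592 section 4)` has a typo and should read `# disallowed wildcard owner (RFC 4592 section 4)`. The enclosing validation method starts before this hunk and `_ptrrecord_pre_callback` continues past its end.
```python
        # disallowed wildcard owner (RFC 4592 section 4)
        no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
        if keys[-1].is_wild():
            # an empty value is a deletion and is allowed
            offending = [r for r in no_wildcard_rtypes
                         if entry_attrs.get('%srecord' % r.lower())]
            if offending:
                raise errors.ValidationError(
                    name='idnsname',
                    error=(_('owner of %(types)s records '
                             'should not be a wildcard domain name (RFC 4592 section 4)') %
                           {'types': ', '.join(offending)}
                    )
                )
        # … unchanged: _ptrrecord_pre_callback …
```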