authorMartin Basti <mbasti@redhat.com>2014-08-21 18:08:10 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-05 12:11:39 +0200
commitd0130195a91eae5734be5438d997c8e2918eaebd (patch)
tree18065afa8eed4c2934773c2bfef6b57528146e49
parent155126b524f990facf767171f94d3733663602f8 (diff)
DNS fix NS record coexistence validator
An NS record can coexist only with A, AAAA, DS and other NS records.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipalib/plugins/dns.py23
1 files changed, 17 insertions, 6 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index bd761a0d1..daa0ec396 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2894,11 +2894,23 @@ class dnsrecord(LDAPObject):
error=_('only one DNAME record is allowed per name '
'(RFC 6672, section 2.4)'))
# DNAME must not coexist with CNAME, but this is already checked earlier
- if rrattrs.get('nsrecord') and not keys[1].is_empty():
- raise errors.ValidationError(name='dnamerecord',
- error=_('DNAME record is not allowed to coexist with an '
- 'NS record except when located in a zone root '
- 'record (RFC 6672, section 2.3)'))
+
+ # NS record validation
+ # NS record can coexist only with A, AAAA, DS, and other NS records (except zone apex)
+ # RFC 2181 section 6.1,
+ allowed_records = ['AAAA', 'A', 'DS', 'NS']
+ nsrecords = rrattrs.get('nsrecord')
+ if nsrecords and not self.is_pkey_zone_record(*keys):
+ for r_type in _record_types:
+ if (r_type not in allowed_records
+ and rrattrs.get('%srecord' % r_type.lower())
+ ):
+ raise errors.ValidationError(
+ name='nsrecord',
+ error=_('NS record is not allowed to coexist with an '
+ '%(type)s record except when located in a '
+ 'zone root record (RFC 2181, section 6.1)') %
+ {'type': r_type})
def check_record_type_dependencies(self, keys, rrattrs):
# Test that all record type dependencies are satisfied
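Review bot: The NS coexistence loop that follows `nsrecords = rrattrs.get('nsrecord')` only rejects types it reaches by iterating `_record_types`, so `allowed_records` reads as an allow-list but works as a deny-list. A record attribute missing from `_record_types` (defined outside this hunk) would be accepted next to NS below the zone apex. The check also appears to rely on `rrattrs` holding the merged state of the entry rather than only the attributes of the current request, which this hunk does not show; a comment such as `# rrattrs must contain both existing and newly added records for this name` would make that assumption explicit. The comment line `# RFC 2181 section 6.1,` ends in a stray comma. The enclosing method begins above the hunk.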
@@ -2914,7 +2926,6 @@ class dnsrecord(LDAPObject):
error=_('DS record requires to coexist with an '
'NS record (RFC 4592 section 4.6, RFC 4035 section 2.4)'))
-
def _entry2rrsets(self, entry_attrs, dns_name, dns_domain):
'''Convert entry_attrs to a dictionary {rdtype: rrset}.