authorMartin Basti <mbasti@redhat.com>2014-10-16 16:27:00 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commitca030a089f9e45a5dae5f6fb5993f4cc714f1ab2 (patch)
treef99b61a736b118ce42773cc1d9ab8769b28a6a79 /ipalib/plugins/dns.py
parent30bc3a55cf816cc5114ddbd102afa8b52f598dec (diff)
DNSSEC: validate forwarders
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipalib/plugins/dns.py')
-rw-r--r--ipalib/plugins/dns.py34
1 files changed, 33 insertions, 1 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index df42c6bfe..7fafd0d26 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -43,7 +43,7 @@ from ipalib.util import (normalize_zonemgr,
get_dns_forward_zone_update_policy,
get_dns_reverse_zone_update_policy,
get_reverse_zone_default, REVERSE_DNS_ZONES,
- normalize_zone)
+ normalize_zone, validate_dnssec_forwarder)
from ipapython.ipautil import CheckedIPAddress, is_host_resolvable
from ipapython.dnsutil import DNSName
@@ -3882,9 +3882,41 @@ class dnsconfig(LDAPObject):
class dnsconfig_mod(LDAPUpdate):
__doc__ = _('Modify global DNS configuration.')
+ def interactive_prompt_callback(self, kw):
+ if kw.get('idnsforwarders', False):
+ self.Backend.textui.print_plain("Server will check forwarder(s).")
+ self.Backend.textui.print_plain("This may take some time, please wait ...")
+
def execute(self, *keys, **options):
+ # test dnssec forwarders
+ non_dnssec_forwarders = []
+ not_responding_forwarders = []
+ for forwarder in options.get('idnsforwarders', []):
+ dnssec_status = validate_dnssec_forwarder(forwarder)
+ if dnssec_status is None:
+ not_responding_forwarders.append(forwarder)
+ elif dnssec_status is False:
+ non_dnssec_forwarders.append(forwarder)
+
result = super(dnsconfig_mod, self).execute(*keys, **options)
self.obj.postprocess_result(result)
+
+ # add messages
+ for forwarder in not_responding_forwarders:
+ messages.add_message(
+ options['version'],
+ result, messages.DNSServerNotRespondingWarning(
+ server=forwarder,
+ )
+ )
+ for forwarder in non_dnssec_forwarders:
+ messages.add_message(
+ options['version'],
+ result, messages.DNSServerDoesNotSupportDNSSECWarning(
+ server=forwarder,
+ )
+ )
+
return result
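Review bot: The forwarder probe loop at the top of `execute` runs before `super(dnsconfig_mod, self).execute(*keys, **options)`, so the server sends checks to every caller-supplied address even when the LDAP update is then refused or fails. Presumably access control is enforced by that update, which would make the outbound check reachable without the right to change the DNS configuration; moving the loop below the `super()` call keeps the same warnings while probing only forwarders that were actually saved. Separately, `options.get('idnsforwarders', [])` falls back to `[]` only when the key is absent; if the framework passes `None` when the option is cleared, the `for` raises `TypeError`, so iterate over `options.get('idnsforwarders') or []` instead. The check is advisory, since a forwarder that fails validation is still written, and a short comment above the loop saying so would stop readers from treating it as enforcement.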