author | Martin Basti <mbasti@redhat.com> | 2015-04-22 15:29:21 +0200 |
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-11 13:12:31 +0200 |
commit | 9aa6124b39267148c4c1b9a8ee4209fb859b9c42 (patch) | |
tree | e92fce6095a192fae928e4ba64b022d68878ab6e /ipalib/plugins | |
parent | c9cbb1493a8c9e10020c7f2104a345cd43535259 (diff) | |
DNSSEC: Improve global forwarders validation
Validation now provides more detailed information and fewer false-positive
failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/dns.py | 63 |
1 files changed, 36 insertions, 27 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5b7..c9dc1e547 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -43,7 +43,10 @@ from ipalib.util import (normalize_zonemgr,
                          get_dns_forward_zone_update_policy,
                          get_dns_reverse_zone_update_policy,
                          get_reverse_zone_default, REVERSE_DNS_ZONES,
-                         normalize_zone, validate_dnssec_forwarder)
+                         normalize_zone, validate_dnssec_global_forwarder,
+                         DNSSECSignatureMissingError, UnresolvableRecordError,
+                         EDNS0UnsupportedError)
+
 from ipapython.ipautil import CheckedIPAddress, is_host_resolvable
 from ipapython.dnsutil import DNSName
@@ -4261,41 +4264,47 @@ class dnsconfig_mod(LDAPUpdate):
     __doc__ = _('Modify global DNS configuration.')
     def interactive_prompt_callback(self, kw):
+
+        # show informative message on client side
+        # server cannot send messages asynchronous
         if kw.get('idnsforwarders', False):
-            self.Backend.textui.print_plain("Server will check forwarder(s).")
-            self.Backend.textui.print_plain("This may take some time, please wait ...")
+            self.Backend.textui.print_plain(
+                _("Server will check DNS forwarder(s)."))
+            self.Backend.textui.print_plain(
+                _("This may take some time, please wait ..."))
     def execute(self, *keys, **options):
         # test dnssec forwarders
-        non_dnssec_forwarders = []
-        not_responding_forwarders = []
         forwarders = options.get('idnsforwarders')
-        if forwarders:
-            for forwarder in forwarders:
-                dnssec_status = validate_dnssec_forwarder(forwarder)
-                if dnssec_status is None:
-                    not_responding_forwarders.append(forwarder)
-                elif dnssec_status is False:
-                    non_dnssec_forwarders.append(forwarder)
         result = super(dnsconfig_mod, self).execute(*keys, **options)
         self.obj.postprocess_result(result)
-        # add messages
-        for forwarder in not_responding_forwarders:
-            messages.add_message(
-                options['version'],
-                result, messages.DNSServerNotRespondingWarning(
-                    server=forwarder,
-                )
-            )
-        for forwarder in non_dnssec_forwarders:
-            messages.add_message(
-                options['version'],
-                result, messages.DNSServerDoesNotSupportDNSSECWarning(
-                    server=forwarder,
-                )
-            )
+        if forwarders:
+            for forwarder in forwarders:
+                try:
+                    validate_dnssec_global_forwarder(forwarder, log=self.log)
+                except DNSSECSignatureMissingError as e:
+                    messages.add_message(
+                        options['version'],
+                        result, messages.DNSServerDoesNotSupportDNSSECWarning(
+                            server=forwarder, error=e,
+                        )
+                    )
+                except EDNS0UnsupportedError as e:
+                    messages.add_message(
+                        options['version'],
+                        result, messages.DNSServerDoesNotSupportEDNS0Warning(
+                            server=forwarder, error=e,
+                        )
+                    )
+                except UnresolvableRecordError as e:
+                    messages.add_message(
+                        options['version'],
+                        result, messages.DNSServerValidationWarning(
+                            server=forwarder, error=e
+                        )
+                    )
         return result
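Review bot: The forwarder checks in execute now run after `super(dnsconfig_mod, self).execute(*keys, **options)` has already applied the update, so any exception from validate_dnssec_global_forwarder other than the three caught here would surface as a command failure although the new forwarders are already stored; the removed code validated before the write. If the helper can raise anything else (a timeout or a generic resolver error — not visible from this hunk), either catch it and attach a DNSServerValidationWarning as well, or move the loop ahead of the write. Since every detected problem is reduced to a warning and the forwarders are stored regardless, that should be stated above the loop: `# Advisory only: the forwarders are already saved; failed checks just add warnings to the result.` Minor: the last add_message call drops the trailing comma after `error=e` that the two calls above it have, and the new comment in interactive_prompt_callback should read `# server cannot send messages asynchronously`.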