diff options
Diffstat (limited to 'ipaserver/install/plugins/dns.py')
-rw-r--r-- | ipaserver/install/plugins/dns.py | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py new file mode 100644 index 000000000..6d72db43c --- /dev/null +++ b/ipaserver/install/plugins/dns.py @@ -0,0 +1,65 @@ +# Authors: +# Martin Kosek <mkosek@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipaserver.install.plugins import MIDDLE +from ipaserver.install.plugins.baseupdate import PostUpdate +from ipaserver.install.plugins import baseupdate +from ipalib import api, errors + +class update_dnszone_acls(PostUpdate): + """ + Set AllowQuery and AllowTransfer ACLs in all zones that may be configured + in an upgraded FreeIPA instance. + + Upgrading to new version of bind-dyndb-ldap and having these ACLs empty + would result in a leak of potentially sensitive DNS information as + zone transfers are enabled for all hosts if not disabled in named.conf + or LDAP. + + This plugin disables the zone transfer by default so that it needs to be + explicitly enabled by FreeIPA Administrator. + """ + order=MIDDLE + + def execute(self, **options): + ldap = self.obj.backend + + try: + zones = api.Command.dnszone_find()['result'] + except errors.NotFound: + self.log.info('No DNS zone to update found') + return (False, False, []) + + for zone in zones: + update = {} + if not zone.get('idnsallowquery'): + # allow query from any client by default + update['idnsallowquery'] = u'any;' + + if not zone.get('idnsallowtransfer'): + # do not open zone transfers by default + update['idnsallowtransfer'] = u'none;' + + if update: + api.Command.dnszone_mod(zone[u'idnsname'][0], **update) + + + return (False, False, []) + +api.register(update_dnszone_acls) |