From d0130195a91eae5734be5438d997c8e2918eaebd Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 21 Aug 2014 18:08:10 +0200 Subject: DNS fix NS record coexistence validator NS can coexistent only with A, AAAA, DS, NS record Reviewed-By: Petr Spacek Reviewed-By: Martin Kosek --- ipalib/plugins/dns.py | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index bd761a0d1..daa0ec396 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2894,11 +2894,23 @@ class dnsrecord(LDAPObject): error=_('only one DNAME record is allowed per name ' '(RFC 6672, section 2.4)')) # DNAME must not coexist with CNAME, but this is already checked earlier - if rrattrs.get('nsrecord') and not keys[1].is_empty(): - raise errors.ValidationError(name='dnamerecord', - error=_('DNAME record is not allowed to coexist with an ' - 'NS record except when located in a zone root ' - 'record (RFC 6672, section 2.3)')) + + # NS record validation + # NS record can coexist only with A, AAAA, DS, and other NS records (except zone apex) + # RFC 2181 section 6.1, + allowed_records = ['AAAA', 'A', 'DS', 'NS'] + nsrecords = rrattrs.get('nsrecord') + if nsrecords and not self.is_pkey_zone_record(*keys): + for r_type in _record_types: + if (r_type not in allowed_records + and rrattrs.get('%srecord' % r_type.lower()) + ): + raise errors.ValidationError( + name='nsrecord', + error=_('NS record is not allowed to coexist with an ' + '%(type)s record except when located in a ' + 'zone root record (RFC 2181, section 6.1)') % + {'type': r_type}) def check_record_type_dependencies(self, keys, rrattrs): # Test that all record type dependencies are satisfied @@ -2914,7 +2926,6 @@ class dnsrecord(LDAPObject): error=_('DS record requires to coexist with an ' 'NS record (RFC 4592 section 4.6, RFC 4035 section 2.4)')) - def _entry2rrsets(self, entry_attrs, dns_name, dns_domain): '''Convert entry_attrs to a dictionary {rdtype: rrset}. -- cgit