author | Martin Kosek <mkosek@redhat.com> | 2012-06-04 17:53:34 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-05 08:41:46 +0200 |
commit | c06cbb12ac2080e75578645b5e74adf7496de1fa (patch) | |
tree | 021a48a1886b192f444e0384ad0aee432f17b2b7 /ipalib/plugins/dns.py | |
parent | 7d9abecbb6b2779e074616ca5563714d165bb49b (diff) | |
Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy for regular users to construct, so we should
rather fill it in by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Diffstat (limited to 'ipalib/plugins/dns.py')
-rw-r--r-- | ipalib/plugins/dns.py | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 1bf75427..a4826279 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -32,7 +32,8 @@ from ipalib.parameters import Flag, Bool, Int, Decimal, Str, StrEnum, Any
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.util import (validate_zonemgr, normalize_zonemgr,
-                         validate_hostname, validate_dns_label, validate_domain_name)
+                         validate_hostname, validate_dns_label, validate_domain_name,
+                         get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy)
 from ipapython.ipautil import valid_ip, CheckedIPAddress, is_host_resolvable
 from ldap import explode_dn
 
@@ -75,8 +76,11 @@ EXAMPLES:
    --admin-email=admin@example.com
 
 Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
-   ipa dnszone-mod example.com --dynamic-update=TRUE \\
-   --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"
+   ipa dnszone-mod example.com --dynamic-update=TRUE
+
+   This is the equivalent of:
+   ipa dnszone-mod example.com --dynamic-update=TRUE \\
+   --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
 
 Modify the zone to allow zone transfers for local network only:
    ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8
@@ -1510,6 +1514,12 @@ def dns_container_exists(ldap):
         return False
     return True
 
+def default_zone_update_policy(zone):
+    if zone_is_reverse(zone):
+        return get_dns_reverse_zone_update_policy(api.env.realm, zone)
+    else:
+        return get_dns_forward_zone_update_policy(api.env.realm)
+
 class dnszone(LDAPObject):
     """
     DNS Zone, container for resource records.
@@ -1611,6 +1621,8 @@ class dnszone(LDAPObject):
             cli_name='update_policy',
             label=_('BIND update policy'),
             doc=_('BIND update policy'),
+            default_from=lambda idnsname: default_zone_update_policy(idnsname),
+            autofill=True
         ),
         Bool('idnszoneactive?',
             cli_name='zone_active',
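Review bot: `default_zone_update_policy` in the third hunk has no docstring, and the body does not explain why the reverse branch needs the zone name while the forward branch does not, nor that both policies are bound to `api.env.realm`; a docstring such as `Return the default BIND update policy for *zone*: reverse zones get the reverse policy built for that zone name, every other zone gets the realm-wide forward policy. Both grant only principals of api.env.realm, so zones updated by hosts of another realm still need an explicit policy.` would cover it (the last clause is inferred from the realm argument and should be confirmed against the util helpers). The `else:` after a `return` is unneeded; `return get_dns_forward_zone_update_policy(api.env.realm)` can follow the `if` block directly.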
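Review bot: The `default_from=lambda idnsname: default_zone_update_policy(idnsname)` line in the last hunk reads like a pointless wrapper, but the lambda's argument name is what ties the default to the `idnsname` parameter; a comment, `# DefaultFrom resolves its inputs from the callable's argument names, so the lambda must take idnsname`, would keep the next maintainer from collapsing it to a bare function reference. With `autofill=True` every newly added zone now stores an update policy while dynamic updates stay disabled, and if that policy is inert until `idnsallowdynupdate` is enabled (as the commit message implies, not verifiable from this hunk), the `doc=` string should say so, e.g. `doc=_('BIND update policy; filled by default, only effective once dynamic updates are enabled')`. `autofill=True` also lacks the trailing comma every neighbouring keyword argument carries. The `Str('idnsupdatepolicy?'` definition opens outside the hunk.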