Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/bindinstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/dns.py | 65 |
3 files changed, 72 insertions, 2 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2fa12565..9dc12e27 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -214,7 +214,9 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_addres
 idnssoarname=unicode(zonemgr),
 ip_address=unicode(ns_ip_address),
 idnsallowdynupdate=True,
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
@@ -252,7 +254,9 @@ def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
 idnssoamname=unicode(ns_main+'.'),
 idnsallowdynupdate=True,
 ip_address=unicode(ns_ip_address),
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index cfa84c36..e3b2e989 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -6,6 +6,7 @@ app_PYTHON = \
 baseupdate.py \
 fix_replica_memberof.py \
 rename_managed.py \
+ dns.py \
 updateclient.py \
 $(NULL)
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
new file mode 100644
index 00000000..6d72db43
--- /dev/null
+++ b/ipaserver/install/plugins/dns.py
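Review bot: The ACL values added here, `idnsallowquery=u'any'` and `idnsallowtransfer=u'none'`, differ in form from the ones the new update plugin in dns.py writes for existing zones (`u'any;'` and `u'none;'`); unless the dnszone object normalizes the trailing semicolon, fresh installs and upgraded instances end up with differently stored ACL strings, so one form should be used in both places. The same applies to the add_reverse_zone hunk that follows. Both add_zone and add_reverse_zone start and end outside their hunks.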
@@ -0,0 +1,65 @@
+# Authors:
+# Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install.plugins import baseupdate
+from ipalib import api, errors
+
+class update_dnszone_acls(PostUpdate):
+ """
+ Set AllowQuery and AllowTransfer ACLs in all zones that may be configured
+ in an upgraded FreeIPA instance.
+
+ Upgrading to new version of bind-dyndb-ldap and having these ACLs empty
+ would result in a leak of potentially sensitive DNS information as
+ zone transfers are enabled for all hosts if not disabled in named.conf
+ or LDAP.
+
+ This plugin disables the zone transfer by default so that it needs to be
+ explicitly enabled by FreeIPA Administrator.
+ """
+ order=MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ try:
+ zones = api.Command.dnszone_find()['result']
+ except errors.NotFound:
+ self.log.info('No DNS zone to update found')
+ return (False, False, [])
+
+ for zone in zones:
+ update = {}
+ if not zone.get('idnsallowquery'):
+ # allow query from any client by default
+ update['idnsallowquery'] = u'any;'
+
+ if not zone.get('idnsallowtransfer'):
+ # do not open zone transfers by default
+ update['idnsallowtransfer'] = u'none;'
+
+ if update:
+ api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
+
+
+ return (False, False, [])
+
+api.register(update_dnszone_acls) |
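Review bot: In `execute`, an error raised by `dnszone_mod` for one zone propagates out of the `for zone in zones` loop and aborts the update while the remaining zones still carry an empty `idnsallowtransfer`, which is exactly the exposure the plugin exists to close; catching the error per zone, logging it and continuing lets the other zones still be hardened. The local `ldap = self.obj.backend` and the `baseupdate` import are unused and can be dropped. If `dnszone_find()` applies the usual search size limit, zones beyond that limit would be silently skipped — worth confirming, and passing `sizelimit=0` if so.
```python
        for zone in zones:
            # … unchanged: build `update` from missing idnsallowquery / idnsallowtransfer …
            if update:
                try:
                    api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
                except errors.PublicError as e:
                    # keep going so one bad zone does not leave the others open
                    self.log.error('Failed to update ACLs of DNS zone %s: %s',
                                   zone[u'idnsname'][0], e)
```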