author | Martin Basti <mbasti@redhat.com> | 2014-10-16 16:27:00 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | ca030a089f9e45a5dae5f6fb5993f4cc714f1ab2 (patch) | |
tree | f99b61a736b118ce42773cc1d9ab8769b28a6a79 /ipalib/util.py | |
parent | 30bc3a55cf816cc5114ddbd102afa8b52f598dec (diff) | |
DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipalib/util.py')
-rw-r--r-- | ipalib/util.py | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index a5eff582f..fcb2bab96 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -27,6 +27,7 @@ import time
 import socket
 import re
 import decimal
+import dns
 import netaddr
 from types import NoneType
 from weakref import WeakKeyDictionary
@@ -553,3 +554,37 @@ def validate_hostmask(ugettext, hostmask):
         netaddr.IPNetwork(hostmask)
     except (ValueError, AddrFormatError):
         return _('invalid hostmask')
+
+
+def validate_dnssec_forwarder(ip_addr):
+    """Test DNS forwarder properties.
+
+    :returns:
+        True if forwarder works as expected and supports DNSSEC.
+        False if forwarder does not support DNSSEC.
+        None if forwarder does not respond.
+    """
+    ip_addr = str(ip_addr)
+    res = dns.resolver.Resolver()
+    res.nameservers = [ip_addr]
+    res.lifetime = 10  # wait max 10 seconds for reply
+
+    # enable Authenticated Data + Checking Disabled flags
+    res.set_flags(dns.flags.AD | dns.flags.CD)
+
+    # enable EDNS v0 + enable DNSSEC-Ok flag
+    res.use_edns(0, dns.flags.DO, 0)
+
+    # DNS root has to be signed
+    try:
+        ans = res.query('.', 'NS')
+    except DNSException:
+        return None
+
+    try:
+        ans.response.find_rrset(ans.response.answer, dns.name.root,
+                                dns.rdataclass.IN, dns.rdatatype.RRSIG, dns.rdatatype.NS)
+    except KeyError:
+        return False
+
+    return True
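Review bot: `except DNSException:` in validate_dnssec_forwarder names an identifier this commit never imports — the first hunk adds only `import dns`, and in dnspython the class is `dns.exception.DNSException` — so unless the file already imports it somewhere outside these hunks, a timeout or unreachable forwarder will surface as a NameError instead of the documented `None`. The same import line is also thinner than the code needs: a bare `import dns` does not bind `dns.resolver`, `dns.flags`, `dns.name`, `dns.rdataclass` or `dns.rdatatype` unless another module happens to have imported them first, so `import dns.resolver` (which pulls those submodules in) is the explicit form. Suggested change to the first hunk: `import dns.resolver` plus `from dns.exception import DNSException`, or keep `import dns.resolver` and catch `dns.exception.DNSException`. The docstring could also state precisely what True means — that the forwarder returned the root NS RRSIG with the DO bit set, i.e. it passes DNSSEC data through; because CD is set on the query, the probe does not show that the forwarder validates anything itself. The validate_hostmask body shown as context starts outside the hunk.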