Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/messages.py17
-rw-r--r--ipalib/plugins/dns.py26
2 files changed, 43 insertions, 0 deletions
diff --git a/ipalib/messages.py b/ipalib/messages.py
index c760e9d37..e863bdd49 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -378,6 +378,23 @@ class FailedToRemoveHostDNSRecords(PublicMessage):
"(%(reason)s)")
+class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
+ """
+ **13021** Forward zone 1.10.in-addr.arpa with policy "first"
+ will not forward anything because BIND automatically prefers
+ empty zone "10.in-addr.arpa.".
+ """
+
+ errno = 13021
+ type = "warning"
+ format = _(
+ "Forwarding policy conflicts with some automatic empty zones. "
+ "Queries for zones specified by RFC 6303 will ignore "
+ "forwarding and recursion and always result in NXDOMAIN answers. "
+ "To override this behavior use forward policy 'only'."
+ )
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index fdca0936f..51f5099b7 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -66,6 +66,7 @@ from ipalib.util import (normalize_zonemgr,
from ipapython.dn import DN
from ipapython.ipautil import CheckedIPAddress, check_zone_overlap
from ipapython.dnsutil import DNSName
+from ipapython.dnsutil import related_to_auto_empty_zone
if six.PY3:
unicode = str
@@ -2079,6 +2080,20 @@ def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
)
+def _add_warning_fw_policy_conflict_aez(result, fwzone, **options):
+ """Warn if forwarding policy conflicts with an automatic empty zone."""
+ fwd_policy = result['result'].get(u'idnsforwardpolicy',
+ dnsforwardzone.default_forward_policy)
+ if (
+ fwd_policy != [u'only']
+ and related_to_auto_empty_zone(DNSName(fwzone))
+ ):
+ messages.add_message(
+ options['version'], result,
+ messages.DNSForwardPolicyConflictWithEmptyZone()
+ )
+
+
class DNSZoneBase(LDAPObject):
"""
Base class for DNS Zone
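Review bot: The guard `fwd_policy != [u'only']` fires for every value that is not exactly the one-element list `[u'only']`: it also triggers when `idnsforwardpolicy` is absent and the fallback `dnsforwardzone.default_forward_policy` is a scalar string rather than a list, and for any policy value other than 'first' and 'only' if the attribute admits one (check the attribute's allowed values), whereas the message's docstring describes the problem for policy "first" specifically. Normalising the shape and testing the positive case is tighter: `policy = fwd_policy[0] if isinstance(fwd_policy, (list, tuple)) else fwd_policy` followed by `if policy == u'first' and related_to_auto_empty_zone(DNSName(fwzone)):`. The one-line docstring should also state that the caller must pass `version` in `options`, because `options['version']` raises KeyError otherwise, and that `fwzone` may be a bare zone name or a DNSName.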
@@ -4418,7 +4433,13 @@ class dnsconfig_mod(LDAPUpdate):
result = super(dnsconfig_mod, self).execute(*keys, **options)
self.obj.postprocess_result(result)
+ # this check makes sense only when resulting forwarders are non-empty
+ if result['result'].get('idnsforwarders'):
+ fwzone = DNSName('.')
+ _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
+
if forwarders:
+ # forwarders were changed
for forwarder in forwarders:
try:
validate_dnssec_global_forwarder(forwarder, log=self.log)
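Review bot: The new check inspects the persisted entry returned by `super().execute`, not the options of this call, so the warning is emitted on every dnsconfig-mod that leaves global forwarders configured, including modifications unrelated to forwarding; if that is intended, the comment should say so, e.g. `# warn about the resulting global policy, not only about this call's changes`. The root name `DNSName('.')` presumably makes `related_to_auto_empty_zone` succeed for every automatic empty zone, reducing the test to the global policy alone; a short comment such as `# root: global forwarding applies to all automatic empty zones` would make that explicit. The enclosing `execute` method starts and ends outside the hunk.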
@@ -4559,6 +4580,7 @@ class dnsforwardzone(DNSZoneBase):
)
)
+
@register()
class dnsforwardzone_add(DNSZoneBase_add):
__doc__ = _('Create new DNS forward zone.')
@@ -4589,8 +4611,10 @@ class dnsforwardzone_add(DNSZoneBase_add):
return dn
def execute(self, *keys, **options):
+ fwzone = keys[-1]
result = super(dnsforwardzone_add, self).execute(*keys, **options)
self.obj._warning_fw_zone_is_not_effective(result, *keys, **options)
+ _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
if options.get('idnsforwarders'):
self.obj._warning_if_forwarders_do_not_work(
result, True, *keys, **options)
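Review bot: The new call sits next to `self.obj._warning_fw_zone_is_not_effective(result, *keys, **options)` and `self.obj._warning_if_forwarders_do_not_work(...)`, which are methods on the object taking `*keys`, while `_add_warning_fw_policy_conflict_aez` is a module-level function that needs the zone name extracted into a `fwzone = keys[-1]` local first; the same pattern is repeated in `dnsforwardzone_mod.execute` in the next hunk. Passing `*keys` to the helper and deriving `keys[-1]` inside it, or wrapping it in an object method like the other two warnings, would keep the three warning calls uniform and drop both locals. Both `execute` methods continue past the end of their hunks.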
@@ -4646,7 +4670,9 @@ class dnsforwardzone_mod(DNSZoneBase_mod):
return dn
def execute(self, *keys, **options):
+ fwzone = keys[-1]
result = super(dnsforwardzone_mod, self).execute(*keys, **options)
+ _add_warning_fw_policy_conflict_aez(result, fwzone, **options)
if options.get('idnsforwarders'):
self.obj._warning_if_forwarders_do_not_work(result, False, *keys,
**options)