authorMartin Basti <mbasti@redhat.com>2015-11-04 16:09:21 +0100
committerMartin Basti <mbasti@redhat.com>2015-11-25 14:13:26 +0100
commit800c7023241fd6182da300cf120870072e6ca602 (patch)
treeb51a6ff287dbfb5b5065e181532166fa5b450025
parent0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d (diff)
Use absolute domain in detection of A/AAAA records
The Python DNS resolver appends the configured domain to queries, which may lead to a false-positive answer. Example: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if the domain is configured as "example.com". https://fedorahosted.org/freeipa/ticket/5421 Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r--ipalib/plugins/dns.py6
-rw-r--r--ipapython/ipautil.py5
2 files changed, 5 insertions, 6 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 36e37ed5b..830a70fa5 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -4189,16 +4189,12 @@ class dns_resolve(Command):
takes_args = (
Str('hostname',
- label=_('Hostname'),
+ label=_('Hostname (FQDN)'),
),
)
def execute(self, *args, **options):
query=args[0]
- if query.find(api.env.domain) == -1 and query.find('.') == -1:
- query = '%s.%s.' % (query, api.env.domain)
- if query[-1] != '.':
- query = query + '.'
if not is_host_resolvable(query):
raise errors.NotFound(
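Review bot: With the qualification lines removed, `execute` hands the caller-supplied hostname to `is_host_resolvable()` unchanged, and the only sign of the new contract is the `Hostname (FQDN)` label. Given the `make_absolute()` call added in ipapython/ipautil.py, a short name such as `host` is presumably now looked up as the root-anchored `host.` instead of `host.<api.env.domain>.`, so existing callers that pass short names get NotFound without any hint why. I would either reject a name without a dot using a validation error that says an FQDN is required, or at least record the behaviour above the call with `# hostname is used as given and treated as absolute; short names are no longer expanded with api.env.domain`. The body of `execute` continues past the end of this hunk.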
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a5545688d..4551ea5c4 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -49,6 +49,7 @@ from ipapython import ipavalidate
from ipapython import config
from ipaplatform.paths import paths
from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
SHARE_DIR = paths.USR_SHARE_IPA_DIR
PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
raise last_socket_error # pylint: disable=E0702
def is_host_resolvable(fqdn):
+ if not isinstance(fqdn, DNSName):
+ fqdn = DNSName(fqdn)
for rdtype in (rdatatype.A, rdatatype.AAAA):
try:
- resolver.query(fqdn, rdtype)
+ resolver.query(fqdn.make_absolute(), rdtype)
except DNSException:
continue
else:
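Review bot: The new `fqdn = DNSName(fqdn)` conversion at the top of `is_host_resolvable` sits outside the `try`/`except DNSException` that guards the query, so a string that cannot be parsed as a DNS name would presumably raise out of this function instead of being reported as not resolvable. Since `dns_resolve.execute` now passes user input here without any normalisation, that error would reach the caller in place of the intended `NotFound`; consider guarding the conversion the same way as the query, or validating the name before the call. The function also has no docstring explaining why the name is made absolute; something like `"""Return True if fqdn has an A or AAAA record; the name is queried as absolute so the resolver's search domain is never appended."""` would capture the reason for this change. The end of the function is outside the hunk, so the fall-through return value is not visible here.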