diff options
| author | Petr Spacek <pspacek@redhat.com> | 2015-06-04 17:27:03 +0200 |
|---|---|---|
| committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-11 16:08:42 +0200 |
| commit | d84680473b079ee3e568465bd04029d2a5f1f9c3 (patch) | |
| tree | c3fbd3855356549d30c3377b59cb0fd40dc17c98 | |
| parent | 056518ab1af36fa4a8d7b4450616145aa0dbfd16 (diff) | |
| download | freeipa-d84680473b079ee3e568465bd04029d2a5f1f9c3.tar.gz freeipa-d84680473b079ee3e568465bd04029d2a5f1f9c3.tar.xz freeipa-d84680473b079ee3e568465bd04029d2a5f1f9c3.zip | |
DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
| -rw-r--r-- | ipalib/messages.py | 2 | ||||
| -rw-r--r-- | ipalib/util.py | 26 |
2 files changed, 15 insertions, 13 deletions
diff --git a/ipalib/messages.py b/ipalib/messages.py index 84f0a722d..58ae1f3ec 100644 --- a/ipalib/messages.py +++ b/ipalib/messages.py @@ -237,7 +237,7 @@ class DNSSECValidationFailingWarning(PublicMessage): errno = 13010 type = "warning" format = _(u"DNSSEC validation failed: %(error)s.\n" - u"Please verify your DNSSEC signatures or disable DNSSEC " + u"Please verify your DNSSEC configuration or disable DNSSEC " u"validation on all IPA servers.") diff --git a/ipalib/util.py b/ipalib/util.py index 5810c774a..44478a2d1 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -582,8 +582,8 @@ class DNSSECSignatureMissingError(ForwarderValidationError): class DNSSECValidationError(ForwarderValidationError): - format = _("requested record '%(owner)s %(rtype)s' was refused by IPA " - "server %(ip)s because DNSSEC signature is not valid") + format = _("record '%(owner)s %(rtype)s' " + "failed DNSSEC validation on server %(ip)s") def _log_response(log, e): @@ -702,7 +702,7 @@ def validate_dnssec_zone_forwarder_step1(ip_addr, fwzone, log=None, timeout=10): def validate_dnssec_zone_forwarder_step2(ipa_ip_addr, fwzone, log=None, timeout=10): """ - This step must be executed after forwarders is added into LDAP, and only + This step must be executed after forwarders are added into LDAP, and only when we are sure the forwarders work. Query will be send to IPA DNS server, to verify if reply passed, or DNSSEC validation failed. @@ -712,19 +712,17 @@ def validate_dnssec_zone_forwarder_step2(ipa_ip_addr, fwzone, log=None, """ rtype = "SOA" try: - _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, edns0=True, - timeout=timeout) + ans_cd = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, + edns0=True, dnssec=True, flag_cd=True, + timeout=timeout) except DNSException as e: _log_response(log, e) - else: - return try: - _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, dnssec=True, - flag_cd=True, timeout=timeout) + ans_do = _resolve_record(fwzone, rtype, nameserver_ip=ipa_ip_addr, + edns0=True, dnssec=True, timeout=timeout) except NXDOMAIN as e: # sometimes CD flag is ignored and NXDomain is returned - # this may cause false positive detection _log_response(log, e) raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr) except DNSException as e: @@ -732,8 +730,12 @@ def validate_dnssec_zone_forwarder_step2(ipa_ip_addr, fwzone, log=None, raise UnresolvableRecordError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr, error=e) else: - # record is not DNSSEC valid, because it can be received with CD flag - # only + if (ans_do.canonical_name == ans_cd.canonical_name + and ans_do.rrset == ans_cd.rrset): + return + # records received with and without CD flag are not equivalent: + # this might be caused by an DNSSEC validation failure in cases where + # existing zone id being 'shadowed' by another zone on forwarder raise DNSSECValidationError(owner=fwzone, rtype=rtype, ip=ipa_ip_addr) |