From 800c7023241fd6182da300cf120870072e6ca602 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: Use absolute domain in detection of A/AAAA records Python dns resolver append configured domain to queries which may lead to false positive answer. Exmaple: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com" https://fedorahosted.org/freeipa/ticket/5421
Reviewed-By: Petr Spacek
---
 ipapython/ipautil.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'ipapython')
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a5545688d..4551ea5c4 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -49,6 +49,7 @@ from ipapython import ipavalidate
 from ipapython import config
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702
 def is_host_resolvable(fqdn):
+ if not isinstance(fqdn, DNSName):
+ fqdn = DNSName(fqdn)
 for rdtype in (rdatatype.A, rdatatype.AAAA):
 try:
- resolver.query(fqdn, rdtype)
+ resolver.query(fqdn.make_absolute(), rdtype)
 except DNSException:
 continue
 else:
-- cgit
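Review bot: The `DNSName(fqdn)` conversion added at the top of `is_host_resolvable` runs outside the `try`, so a name the constructor rejects would propagate an exception to the caller, whereas the old code handed the raw value to `resolver.query()` under the `except DNSException` guard (this assumes the constructor raises for malformed names, which is not visible here). Build the absolute name once and inside a guard, for example `fqdn = DNSName(fqdn).make_absolute()` wrapped in a `try`/`except DNSException` that reports the host as not resolvable; this also avoids calling `make_absolute()` once per record type. Separately, `except DNSException: continue` still treats a timeout or an unreachable server the same as a missing record, so a caller cannot tell "no A/AAAA record" from "DNS unavailable". A docstring along the lines of `"""Check whether fqdn, taken as an absolute name, has an A or AAAA record."""` would record that the resolver's search domain is deliberately not applied. The function body continues past the end of the hunk, so its return values are inferred.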