BIND: Setup logging

- allow BIND's logging customization
- preconfig logging with ISC recommendations:
  https://kb.isc.org/docs/aa-01526

Fixes: https://pagure.io/freeipa/issue/8856
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

install/share/Makefile.am

@@ -46,6 +46,7 @@ dist_app_DATA =				\
 	kerberos.ldif			\
 	bind.ipa-ext.conf.template		\
 	bind.ipa-options-ext.conf.template	\
+	bind.ipa-logging-ext.conf.template	\
 	bind.named.conf.template	\
 	bind.openssl.cnf.template	\
 	bind.openssl.cryptopolicy.cnf.template	\

install/share/bind.ipa-logging-ext.conf.template

@@ -0,0 +1,91 @@
+channel named {
+	file "${NAMED_DATA_DIR}named.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-category yes;
+	print-severity yes;
+};
+
+channel security {
+	file "${NAMED_DATA_DIR}security.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel dnssec {
+	file "${NAMED_DATA_DIR}dnssec.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel resolver {
+	file "${NAMED_DATA_DIR}resolver.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel query_log {
+	file "${NAMED_DATA_DIR}query.log" versions 10 size 80M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel query_error {
+	file "${NAMED_DATA_DIR}query_errors.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel lame_servers {
+	file "${NAMED_DATA_DIR}lame-servers.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel capacity {
+	file "${NAMED_DATA_DIR}capacity.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel database {
+	file "${NAMED_DATA_DIR}database.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel update {
+	file "${NAMED_DATA_DIR}update.log" versions 10 size 10M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+category default        { default_syslog; named; };
+category general        { default_syslog; named; };
+category security       { security; };
+category queries        { query_log; };
+category query-errors   { query_error; };
+category lame-servers   { lame_servers; };
+category dnssec         { dnssec; };
+category edns-disabled  { default_syslog; resolver; };
+category config         { default_syslog; named; };
+category resolver       { resolver; };
+category cname          { resolver; };
+category spill          { capacity; };
+category rate-limit     { capacity; };
+category database       { database; };
+category client         { default_syslog; named; };
+category network        { default_syslog; named; };
+category unmatched      { named; };
+category delegation-only { named; };
+category update         { default_syslog; update; };
+category update-security { default_syslog; update; };

install/share/bind.named.conf.template

@@ -4,6 +4,7 @@
  *
  *
  * - $NAMED_CUSTOM_OPTIONS_CONF (for options)
+ * - $NAMED_LOGGING_OPTIONS_CONF (for logging options)
  * - $NAMED_CUSTOM_CONF (all other settings)
  */
 
@@ -37,6 +38,7 @@ logging {
 		severity dynamic;
 		print-time yes;
 	};
+	include "$NAMED_LOGGING_OPTIONS_CONF";
 };
 
 ${NAMED_ZONE_COMMENT}zone "." IN {

ipaplatform/base/paths.py

@@ -86,12 +86,16 @@ class BasePathNamespace:
     NAMED_CONF = "/etc/named.conf"
     NAMED_CONF_BAK = "/etc/named.conf.ipa-backup"
     NAMED_CUSTOM_CONF = "/etc/named/ipa-ext.conf"
+    NAMED_LOGGING_OPTIONS_CONF = "/etc/named/ipa-logging-ext.conf"
     NAMED_CUSTOM_OPTIONS_CONF = "/etc/named/ipa-options-ext.conf"
     NAMED_CONF_SRC = '/usr/share/ipa/bind.named.conf.template'
     NAMED_CUSTOM_CONF_SRC = '/usr/share/ipa/bind.ipa-ext.conf.template'
     NAMED_CUSTOM_OPTIONS_CONF_SRC = (
         '/usr/share/ipa/bind.ipa-options-ext.conf.template'
     )
+    NAMED_LOGGING_OPTIONS_CONF_SRC = (
+        "/usr/share/ipa/bind.ipa-logging-ext.conf.template"
+    )
     NAMED_VAR_DIR = "/var/named"
     NAMED_KEYTAB = "/etc/named.keytab"
     NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"

ipaplatform/debian/paths.py

@@ -36,6 +36,7 @@ class DebianPathNamespace(BasePathNamespace):
     NAMED_CONF_BAK = "/etc/bind/named.conf.ipa-backup"
     NAMED_CUSTOM_CONF = "/etc/bind/ipa-ext.conf"
     NAMED_CUSTOM_OPTIONS_CONF = "/etc/bind/ipa-options-ext.conf"
+    NAMED_LOGGING_OPTIONS_CONF = "/etc/bind/ipa-logging-ext.conf"
     NAMED_VAR_DIR = "/var/cache/bind"
     NAMED_KEYTAB = "/etc/bind/named.keytab"
     NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"

ipaplatform/fedora_container/paths.py

@@ -20,6 +20,9 @@ class FedoraContainerPathNamespace(FedoraPathNamespace):
     NAMED_CUSTOM_OPTIONS_CONF = data(
         FedoraPathNamespace.NAMED_CUSTOM_OPTIONS_CONF
     )
+    NAMED_LOGGING_OPTIONS_CONF = data(
+        FedoraPathNamespace.NAMED_LOGGING_OPTIONS_CONF
+    )
     NSSWITCH_CONF = data(FedoraPathNamespace.NSSWITCH_CONF)
     PKI_CONFIGURATION = data(FedoraPathNamespace.PKI_CONFIGURATION)
     SAMBA_DIR = data(FedoraPathNamespace.SAMBA_DIR)

ipaplatform/rhel_container/paths.py

@@ -20,6 +20,9 @@ class RHELContainerPathNamespace(RHELPathNamespace):
     NAMED_CUSTOM_OPTIONS_CONF = data(
         RHELPathNamespace.NAMED_CUSTOM_OPTIONS_CONF
     )
+    NAMED_LOGGING_OPTIONS_CONF = data(
+        RHELPathNamespace.NAMED_LOGGING_OPTIONS_CONF
+    )
     NSSWITCH_CONF = data(RHELPathNamespace.NSSWITCH_CONF)
     PKI_CONFIGURATION = data(RHELPathNamespace.PKI_CONFIGURATION)
     SAMBA_DIR = data(RHELPathNamespace.SAMBA_DIR)

ipaplatform/suse/paths.py

@@ -27,6 +27,7 @@ class SusePathNamespace(BasePathNamespace):
     HTTPD_PASSWORD_CONF = "/etc/apache2/ipa/password.conf"
     NAMED_CUSTOM_CONF = "/etc/named.d/ipa-ext.conf"
     NAMED_CUSTOM_OPTIONS_CONF = "/etc/named.d/ipa-options-ext.conf"
+    NAMED_LOGGING_OPTIONS_CONF = "/etc/named.d/ipa-logging-ext.conf"
     NAMED_VAR_DIR = "/var/lib/named"
     NAMED_MANAGED_KEYS_DIR = "/var/lib/named/dyn"
     OPENSSL_DIR = "/etc/ssl"

ipaserver/install/bindinstance.py

@@ -884,6 +884,7 @@ class BindInstance(service.Service):
             NAMED_CONF=paths.NAMED_CONF,
             NAMED_CUSTOM_CONF=paths.NAMED_CUSTOM_CONF,
             NAMED_CUSTOM_OPTIONS_CONF=paths.NAMED_CUSTOM_OPTIONS_CONF,
+            NAMED_LOGGING_OPTIONS_CONF=paths.NAMED_LOGGING_OPTIONS_CONF,
             NAMED_DATA_DIR=constants.NAMED_DATA_DIR,
             NAMED_ZONE_COMMENT=constants.NAMED_ZONE_COMMENT,
             NAMED_DNSSEC_VALIDATION=self._get_dnssec_validation(),
@@ -1082,7 +1083,11 @@ class BindInstance(service.Service):
             (
                 paths.NAMED_CUSTOM_OPTIONS_CONF_SRC,
                 paths.NAMED_CUSTOM_OPTIONS_CONF
-            )
+            ),
+            (
+                paths.NAMED_LOGGING_OPTIONS_CONF_SRC,
+                paths.NAMED_LOGGING_OPTIONS_CONF,
+            ),
         )
         for src, dest in user_configs:
             if not os.path.exists(dest):

ipaserver/install/ipa_backup.py

@@ -125,6 +125,7 @@ class Backup(admintool.AdminTool):
         paths.NAMED_CONF,
         paths.NAMED_CUSTOM_CONF,
         paths.NAMED_CUSTOM_OPTIONS_CONF,
+        paths.NAMED_LOGGING_OPTIONS_CONF,
         paths.NAMED_KEYTAB,
         paths.RESOLV_CONF,
         paths.SYSCONFIG_PKI_TOMCAT,

ipatests/test_integration/test_upgrade.py

@@ -164,7 +164,12 @@ class TestUpgrade(IntegrationTest):
             paths.NAMED_CUSTOM_OPTIONS_CONF, encoding="utf-8"
         )
         print(opt_conf)
-        return named_conf, custom_conf, opt_conf
+
+        log_conf = self.master.get_file_contents(
+            paths.NAMED_LOGGING_OPTIONS_CONF, encoding="utf-8"
+        )
+        print(log_conf)
+        return named_conf, custom_conf, opt_conf, log_conf
 
     @pytest.mark.skip_if_platform(
         "debian", reason="Debian does not use crypto policy"
@@ -176,17 +181,20 @@ class TestUpgrade(IntegrationTest):
         assert paths.NAMED_CRYPTO_POLICY_FILE in named_conf
 
     def test_current_named_conf(self):
-        named_conf, custom_conf, opt_conf = self.get_named_confs()
-        # verify that both includes are present exactly one time
+        named_conf, custom_conf, opt_conf, log_conf = self.get_named_confs()
+        # verify that all includes are present exactly one time
         inc_opt_conf = f'include "{paths.NAMED_CUSTOM_OPTIONS_CONF}";'
         assert named_conf.count(inc_opt_conf) == 1
         inc_custom_conf = f'include "{paths.NAMED_CUSTOM_CONF}";'
         assert named_conf.count(inc_custom_conf) == 1
+        inc_log_conf = f'include "{paths.NAMED_LOGGING_OPTIONS_CONF}";'
+        assert named_conf.count(inc_log_conf) == 1
 
         assert "dnssec-validation yes;" in opt_conf
         assert "dnssec-validation" not in named_conf
 
         assert custom_conf
+        assert log_conf
 
     def test_update_named_conf_simple(self):
         # remove files to force a migration
@@ -196,13 +204,15 @@ class TestUpgrade(IntegrationTest):
                 "-f",
                 paths.NAMED_CUSTOM_CONF,
                 paths.NAMED_CUSTOM_OPTIONS_CONF,
+                paths.NAMED_LOGGING_OPTIONS_CONF,
             ]
         )
         self.master.run_command(['ipa-server-upgrade'])
-        named_conf, custom_conf, opt_conf = self.get_named_confs()
+        named_conf, custom_conf, opt_conf, log_conf = self.get_named_confs()
 
         # not empty
         assert custom_conf.strip()
+        assert log_conf.strip()
         # has dnssec-validation enabled in option config
         assert "dnssec-validation yes;" in opt_conf
         assert "dnssec-validation" not in named_conf
@@ -212,6 +222,8 @@ class TestUpgrade(IntegrationTest):
         assert named_conf.count(inc_opt_conf) == 1
         inc_custom_conf = f'include "{paths.NAMED_CUSTOM_CONF}";'
         assert named_conf.count(inc_custom_conf) == 1
+        inc_log_conf = f'include "{paths.NAMED_LOGGING_OPTIONS_CONF}";'
+        assert named_conf.count(inc_log_conf) == 1
 
     def test_update_named_conf_old(self):
         # remove files to force a migration
@@ -221,6 +233,7 @@ class TestUpgrade(IntegrationTest):
                 "-f",
                 paths.NAMED_CUSTOM_CONF,
                 paths.NAMED_CUSTOM_OPTIONS_CONF,
+                paths.NAMED_LOGGING_OPTIONS_CONF,
             ]
         )
         # dump an old named conf to verify migration
@@ -233,10 +246,11 @@ class TestUpgrade(IntegrationTest):
         # upgrade
         self.master.run_command(['ipa-server-upgrade'])
 
-        named_conf, custom_conf, opt_conf = self.get_named_confs()
+        named_conf, custom_conf, opt_conf, log_conf = self.get_named_confs()
 
         # not empty
         assert custom_conf.strip()
+        assert log_conf.strip()
         # dnssec-validation is migrated as "disabled" from named.conf
         assert "dnssec-validation no;" in opt_conf
         assert "dnssec-validation" not in named_conf
@@ -246,6 +260,8 @@ class TestUpgrade(IntegrationTest):
         assert named_conf.count(inc_opt_conf) == 1
         inc_custom_conf = f'include "{paths.NAMED_CUSTOM_CONF}";'
         assert named_conf.count(inc_custom_conf) == 1
+        inc_log_conf = f'include "{paths.NAMED_LOGGING_OPTIONS_CONF}";'
+        assert named_conf.count(inc_log_conf) == 1
 
     def test_admin_root_alias_upgrade_CVE_2020_10747(self):
         # Test upgrade for CVE-2020-10747 fix