DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP

This filtering is useful in cases where LDAP contains DNS zones which have old metadata objects and DNSSEC disabled. Such zones must be ignored to prevent errors while calling dnssec-keyfromlabel or rndc. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-01-26 16:16:31 -06:00 · 2015-12-20 18:36:48 +01:00 · 2015-12-20 18:36:48 +01:00 · 43acb994f6
commit 43acb994f6
parent ddf7397a4b
2 changed files with 31 additions and 9 deletions
--- a/ipapython/dnssec/bindmgr.py
+++ b/ipapython/dnssec/bindmgr.py
@ -189,10 +189,20 @@ class BINDMgr(object):

        self.notify_zone(zone)

-    def sync(self):
-        """Synchronize list of zones in LDAP with BIND."""
+    def sync(self, dnssec_zones):
+        """Synchronize list of zones in LDAP with BIND.
+
+        dnssec_zones lists zones which should be processed. All other zones
+        will be ignored even though they were modified using ldap_event().
+
+        This filter is useful in cases where LDAP contains DNS zones which
+        have old metadata objects and DNSSEC disabled. Such zones must be
+        ignored to prevent errors while calling dnssec-keyfromlabel or rndc.
+        """
        self.log.debug('Key metadata in LDAP: %s' % self.ldap_keys)
-        for zone in self.modified_zones:
+        self.log.debug('Zones modified but skipped during bindmgr.sync: %s',
+                       self.modified_zones - dnssec_zones)
+        for zone in self.modified_zones.intersection(dnssec_zones):
            self.sync_zone(zone)

        self.modified_zones = set()
--- a/ipapython/dnssec/keysyncer.py
+++ b/ipapython/dnssec/keysyncer.py
@ -5,6 +5,8 @@
 import ldap.dn
 import os

+import dns.name
+
 from ipaplatform.paths import paths
 from ipapython import ipautil

@ -32,6 +34,7 @@ class KeySyncer(SyncReplConsumer):

        self.bindmgr = BINDMgr(self.api)
        self.init_done = False
+        self.dnssec_zones = set()
        SyncReplConsumer.__init__(self, *args, **kwargs)

    def _get_objclass(self, attrs):
@ -111,7 +114,7 @@ class KeySyncer(SyncReplConsumer):
        self.ods_sync()
        self.hsm_replica_sync()
        self.hsm_master_sync()
-        self.bindmgr.sync()
+        self.bindmgr.sync(self.dnssec_zones)

    # idnsSecKey wrapper
    # Assumption: metadata points to the same key blob all the time,
@ -120,23 +123,29 @@ class KeySyncer(SyncReplConsumer):
    def key_meta_add(self, uuid, dn, newattrs):
        self.hsm_replica_sync()
        self.bindmgr.ldap_event('add', uuid, newattrs)
-        self.bindmgr_sync()
+        self.bindmgr_sync(self.dnssec_zones)

    def key_meta_del(self, uuid, dn, oldattrs):
        self.bindmgr.ldap_event('del', uuid, oldattrs)
-        self.bindmgr_sync()
+        self.bindmgr_sync(self.dnssec_zones)
        self.hsm_replica_sync()

    def key_metadata_sync(self, uuid, dn, oldattrs, newattrs):
        self.bindmgr.ldap_event('mod', uuid, newattrs)
-        self.bindmgr_sync()
+        self.bindmgr_sync(self.dnssec_zones)

-    def bindmgr_sync(self):
+    def bindmgr_sync(self, dnssec_zones):
        if self.init_done:
-            self.bindmgr.sync()
+            self.bindmgr.sync(dnssec_zones)

    # idnsZone wrapper
    def zone_add(self, uuid, dn, newattrs):
+        zone = dns.name.from_text(newattrs['idnsname'][0])
+        if self.__is_dnssec_enabled(newattrs):
+            self.dnssec_zones.add(zone)
+        else:
+            self.dnssec_zones.discard(zone)
+
        if not self.ismaster:
            return

@ -145,6 +154,9 @@ class KeySyncer(SyncReplConsumer):
        self.ods_sync()

    def zone_del(self, uuid, dn, oldattrs):
+        zone = dns.name.from_text(oldattrs['idnsname'][0])
+        self.dnssec_zones.discard(zone)
+
        if not self.ismaster:
            return