DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used

This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This upgrade has to be done on each IPA DNS server independently. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
2024-12-26 17:01:14 -06:00 · 2016-04-28 22:19:03 +02:00 · 2016-04-28 22:19:03 +02:00 · 6eb00561c0
commit 6eb00561c0
parent e45a80308c
3 changed files with 57 additions and 3 deletions
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -32,6 +32,7 @@ import six

 from ipaserver.install import installutils
 from ipaserver.install import service
+from ipaserver.install import sysupgrade
 from ipaserver.install.cainstance import IPA_CA_RECORD
 from ipapython import sysrestore, ipautil, ipaldap
 from ipapython import dnsutil
@ -1038,6 +1039,12 @@ class BindInstance(service.Service):
                                     section=NAMED_SECTION_OPTIONS,
                                     str_val=False)

+        # prevent repeated upgrade on new installs
+        sysupgrade.set_upgrade_state(
+            'named.conf',
+            'forward_policy_conflict_with_empty_zones_handled', True
+        )
+
    def __setup_resolv_conf(self):
        if not self.fstore.has_file(RESOLV_CONF):
            self.fstore.backup_file(RESOLV_CONF)
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@ -267,7 +267,8 @@ class update_master_to_dnsforwardzones(DNSUpdater):
    than none, will be tranformed to forward zones.
    Original masters zone will be backed up to ldif file.

-    This should be applied only once, and only if original version was lower than 4.0
+    This should be applied only once,
+    and only if original version was lower than 4.0
    """
    backup_filename = u'dns-master-to-forward-zones-%Y-%m-%d-%H-%M-%S.ldif'

@ -480,8 +481,8 @@ class update_dnsforward_emptyzones(DNSUpdater):
            # forwardzones already use new semantics, no upgrade is required
            return False, []

-        self.log.debug('Updating forwarding policies to avoid conflicts '
-                       'with automatic empty zones')
+        self.log.debug('Updating forwarding policies in LDAP '
+                       'to avoid conflicts with automatic empty zones')
        # update the DNSVersion, following upgrade can be executed only once
        self.api.Command['dnsconfig_mod'](ipadnsversion=2)

--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -24,6 +24,7 @@ from ipapython import ipautil, sysrestore, version, certdb
 from ipapython import ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython import certmonger
+from ipapython import dnsutil
 from ipapython.dn import DN
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@ -776,6 +777,50 @@ def named_root_key_include():
    return True


+def named_update_global_forwarder_policy():
+    bind = bindinstance.BindInstance()
+    if not bindinstance.named_conf_exists() or not bind.is_configured():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    root_logger.info('[Checking global forwarding policy in named.conf '
+                     'to avoid conflicts with automatic empty zones]')
+    if sysupgrade.get_upgrade_state(
+        'named.conf', 'forward_policy_conflict_with_empty_zones_handled'
+    ):
+        # upgrade was done already
+        return False
+
+    sysupgrade.set_upgrade_state(
+        'named.conf',
+        'forward_policy_conflict_with_empty_zones_handled',
+        True
+    )
+    if not dnsutil.has_empty_zone_addresses(api.env.host):
+        # guess: local server does not have IP addresses from private ranges
+        # so hopefully automatic empty zones are not a problem
+        return False
+
+    if bindinstance.named_conf_get_directive(
+            'forward',
+            section=bindinstance.NAMED_SECTION_OPTIONS,
+            str_val=False
+    ) == 'only':
+        return False
+
+    root_logger.info('Global forward policy in named.conf will '
+                     'be changed to "only" to avoid conflicts with '
+                     'automatic empty zones')
+    bindinstance.named_conf_set_directive(
+        'forward',
+        'only',
+        section=bindinstance.NAMED_SECTION_OPTIONS,
+        str_val=False
+    )
+    return True
+
+
 def certificate_renewal_update(ca, ds, http):
    """
    Update certmonger certificate renewal configuration.
@ -1607,6 +1652,7 @@ def upgrade_configuration():
                          named_bindkey_file_option(),
                          named_managed_keys_dir_option(),
                          named_root_key_include(),
+                          named_update_global_forwarder_policy(),
                          mask_named_regular(),
                          fix_dyndb_ldap_workdir_permissions(),
                         )