Use absolute domain in detection of A/AAAA records

Python dns resolver append configured domain to queries which may lead to false positive answer. Exmaple: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com" https://fedorahosted.org/freeipa/ticket/5421 Reviewed-By: Petr Spacek <pspacek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-11-04 16:09:21 +01:00 · 2015-11-04 16:09:21 +01:00 · 800c702324
commit 800c702324
parent 0f52eddd1d
2 changed files with 5 additions and 6 deletions
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@ -4189,16 +4189,12 @@ class dns_resolve(Command):
    takes_args = (
        Str('hostname',
-            label=_('Hostname'),
+            label=_('Hostname (FQDN)'),
        ),
    )
    def execute(self, *args, **options):
        query=args[0]
        if query.find(api.env.domain) == -1 and query.find('.') == -1:
            query = '%s.%s.' % (query, api.env.domain)
        if query[-1] != '.':
            query = query + '.'
        if not is_host_resolvable(query):
            raise errors.NotFound(
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -49,6 +49,7 @@ from ipapython import ipavalidate
 from ipapython import config
 from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.dnsutil import DNSName
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
        raise last_socket_error # pylint: disable=E0702
 def is_host_resolvable(fqdn):
    if not isinstance(fqdn, DNSName):
        fqdn = DNSName(fqdn)
    for rdtype in (rdatatype.A, rdatatype.AAAA):
        try:
-            resolver.query(fqdn, rdtype)
+            resolver.query(fqdn.make_absolute(), rdtype)
        except DNSException:
            continue
        else: