From 803dc81fe8837afbeb7fd4b63f4edba41d5a2ec3 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 20 Aug 2014 15:14:12 +0200
Subject: [PATCH] FIX DNS wildcard records (RFC4592)

Make validation more strict
* DS, NS, DNAME owners should not be a wildcard domanin name
* zone name should not be a wildcard domain name

Ticket: https://fedorahosted.org/freeipa/ticket/4488

Reviewed-By: Petr Spacek
---
 ipalib/plugins/dns.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index daa0ec396..75611a615 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
 
     return None
 
+def _no_wildcard_validator(ugettext, value):
+    """Disallow usage of wildcards as RFC 4592 section 4 recommends
+    """
+    assert isinstance(value, DNSName)
+    if value.is_wild():
+        return _('should not be a wildcard domain name (RFC 4592 section 4)')
+    return None
+
 def is_forward_record(zone, str_address):
     addr = netaddr.IPAddress(str_address)
     if addr.version == 4:
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
 
     takes_params = (
         DNSNameParam('idnsname',
+            _no_wildcard_validator, # RFC 4592 section 4
             only_absolute=True,
             cli_name='name',
             label=_('Zone name'),
@@ -2627,6 +2636,19 @@ class dnsrecord(LDAPObject):
                         error=unicode(_('out-of-zone data: record name must '
                                         'be a subdomain of the zone or a '
                                         'relative name')))
+        # dissallowed wildcard (RFC 4592 section 4)
+        no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
+        if (keys[-1].is_wild() and
+            any(entry_attrs.get('%srecord' % r.lower())
+                for r in no_wildcard_rtypes)
+        ):
+            raise errors.ValidationError(
+                name='idnsname',
+                error=(_('owner of %(types)s records '
+                         'should not be a wildcard domain name (RFC 4592 section 4)') %
+                       {'types': ', '.join(no_wildcard_rtypes)}
+                )
+            )
 
     def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
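Review bot: The docstring of the new `_no_wildcard_validator` does not state the return contract that the neighbouring `_hostname_validator` visibly follows (`None` when the value is acceptable, a translated message otherwise), which is what the parameter machinery relies on; suggest `"""Reject a wildcard owner name (RFC 4592 section 4). Return None if *value* is acceptable, otherwise a translated error message."""`, which also removes the dangling closing `"""` line. The `assert isinstance(value, DNSName)` is stripped under `python -O`, so it documents rather than enforces the precondition; that is fine as long as the parameter class converts to `DNSName` before validators run, which this hunk does not show. `is_wild()` presumably recognises only a leading `*` label, which matches the RFC 4592 definition of a wildcard owner, so names such as `*foo` are accepted by design and a comment saying so would save the next reader a lookup.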
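Review bot: The message built in the new `raise errors.ValidationError(...)` in `dnsrecord` lists all of `DNAME, DS, NS` even when only one of them is present in `entry_attrs`, so a user adding a single NS record at a wildcard owner is told about record types they never sent; collecting the offending types first reports only those and also drops the redundant `error=( ... )` wrapper. The comment above it has a typo, `# dissallowed wildcard (RFC 4592 section 4)` → `# disallowed wildcard owner (RFC 4592 section 4)`. As far as the hunk shows, the check inspects only the attributes of the current request, so records that already exist under a wildcard owner before this change are presumably not revisited; if that matters, a follow-up note or a check during upgrade would be worth adding. The enclosing pre_callback starts and ends outside the hunk.
```python
        # disallowed wildcard owner (RFC 4592 section 4)
        no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
        if keys[-1].is_wild():
            offending = [r for r in no_wildcard_rtypes
                         if entry_attrs.get('%srecord' % r.lower())]
            if offending:
                raise errors.ValidationError(
                    name='idnsname',
                    error=_('owner of %(types)s records should not be a '
                            'wildcard domain name (RFC 4592 section 4)')
                          % {'types': ', '.join(offending)})
```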