Support OpenDNSSEC 2.1: new ods-signer protocol

The communication between ods-signer and the socket-activated process has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also the new protocol. The internal database was also modified. Add a wrapper calling the right code (table names hab=ve changed, as well as table columns). With OpenDNSSEC the policy also needs to be explicitely loaded after ods-enforcer-db-setup has been run, with ods-enforcer policy import The command ods-ksmutil notify must be replace with ods-enforce flush. Related: https://pagure.io/freeipa/issue/8214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-03-05 15:54:40 +01:00
parent b857828180
commit 8080bf7b35
8 changed files with 266 additions and 34 deletions
--- a/ipaserver/dnssec/_ods14.py
+++ b/ipaserver/dnssec/_ods14.py
@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+#
+
+import socket
+
+from ipaserver.dnssec._odsbase import AbstractODSDBConnection
+from ipaserver.dnssec._odsbase import AbstractODSSignerConn
+from ipaserver.dnssec._odsbase import ODS_SE_MAXLINE
+
+
+class ODSDBConnection(AbstractODSDBConnection):
+    def get_zones(self):
+        cur = self._db.execute("SELECT name from zones")
+        rows = cur.fetchall()
+        return [row['name'] for row in rows]
+
+    def get_zone_id(self, zone_name):
+        cur = self._db.execute(
+            "SELECT id FROM zones WHERE LOWER(name)=LOWER(?)",
+            (zone_name,))
+        rows = cur.fetchall()
+        return [row[0] for row in rows]
+
+    def get_keys_for_zone(self, zone_id):
+        cur = self._db.execute(
+            "SELECT kp.HSMkey_id, kp.generate, kp.algorithm, "
+            "dnsk.publish, dnsk.active, dnsk.retire, dnsk.dead, "
+            "dnsk.keytype, dnsk.state "
+            "FROM keypairs AS kp "
+            "JOIN dnsseckeys AS dnsk ON kp.id = dnsk.keypair_id "
+            "WHERE dnsk.zone_id = ?", (zone_id,))
+        for row in cur:
+            yield row
+
+
+class ODSSignerConn(AbstractODSSignerConn):
+    def read_cmd(self):
+        cmd = self._conn.recv(ODS_SE_MAXLINE).strip()
+        return cmd
+
+    def send_reply_and_close(self, reply):
+        self._conn.send(reply + b'\n')
+        self._conn.shutdown(socket.SHUT_RDWR)
+        self._conn.close()