diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 6db17120f..cdf21c142 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -18,6 +18,11 @@ options { pid-file "/run/named/named.pid"; dnssec-enable yes; + + /* Path to ISC DLV key */ + bindkeys-file "$BINDKEYS_FILE"; + + managed-keys-directory "$MANAGED_KEYS_DIR"; }; /* If you want to enable debugging, eg. using the 'rndc trace' command, @@ -38,6 +43,7 @@ zone "." IN { }; include "/etc/named.rfc1912.zones"; +include "$ROOT_KEY"; dynamic-db "ipa" { library "ldap.so"; diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 339dcb9ec..7f785e614 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
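Review bot: `managed-keys-directory "$MANAGED_KEYS_DIR"` points named at a directory it must be able to write (the RFC 5011 managed-keys journal lives there), but nothing in this diff creates `/var/named/dynamic` or sets its ownership, so on a host where it is missing or not writable by the named user the trust anchors pulled in by the root-key include cannot be persisted. If the distribution bind package is being relied on to provide it, say so next to the directive: `/* must exist and be writable by named; provided by the bind package */`. The comment `/* Path to ISC DLV key */` also undersells the file — per the BIND documentation the bindkeys file is consulted for the root key under `dnssec-validation auto` as well — so `/* Trust-anchor file (ISC DLV key; also consulted for dnssec-validation auto) */` would be more accurate.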
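Review bot: `include "$ROOT_KEY";` is unconditional, so named will refuse to start if `/etc/named.root.key` is absent or unreadable on the host, and nothing in this hunk guards against that. As far as this diff shows, the installer side (`BindInstance` in bindinstance.py) only substitutes the path into the template, so an existence check with a clear error at install time, or at least a note in the template, seems warranted. Suggested comment above the line: `/* Root zone trust anchor shipped by the bind package; named will not start if this file is missing */`.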
@@ -624,6 +624,123 @@ def named_enable_dnssec(): return True +def named_bindkey_file_option(): + """ + Add options bindkey_file to named.conf + """ + if not bindinstance.named_conf_exists(): + # DNS service may not be configured + root_logger.info('DNS is not configured') + return False + + if sysupgrade.get_upgrade_state('named.conf', 'bindkey-file_updated'): + root_logger.debug('Skip bindkey-file configuration check') + return False + + try: + bindkey_file = bindinstance.named_conf_get_directive('bindkey-file', + bindinstance.NAMED_SECTION_OPTIONS) + except IOError, e: + root_logger.error('Cannot retrieve bindkey-file option from %s: %s', + bindinstance.NAMED_CONF, e) + return False + else: + if bindkey_file: + root_logger.debug('bindkey-file configuration already updated') + sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True) + return False + + root_logger.info('[Setting "bindkeys-file" option in named.conf]') + try: + bindinstance.named_conf_set_directive('bindkeys-file', + paths.NAMED_BINDKEYS_FILE, + bindinstance.NAMED_SECTION_OPTIONS) + except IOError, e: + root_logger.error('Cannot update bindkeys-file configuration in %s: %s', + bindinstance.NAMED_CONF, e) + return False + + + sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True) + return True + +def named_managed_keys_dir_option(): + """ + Add options managed_keys_directory to named.conf + """ + if not bindinstance.named_conf_exists(): + # DNS service may not be configured + root_logger.info('DNS is not configured') + return False + + if sysupgrade.get_upgrade_state('named.conf', 'managed-keys-directory_updated'): + root_logger.debug('Skip managed-keys-directory configuration check') + return False + + try: + managed_keys = bindinstance.named_conf_get_directive('managed-keys-directory', + bindinstance.NAMED_SECTION_OPTIONS) + except IOError, e: + root_logger.error('Cannot retrieve managed-keys-directory option from %s: %s', + bindinstance.NAMED_CONF, e) + return 
False + else: + if managed_keys: + root_logger.debug('managed_keys_directory configuration already updated') + sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True) + return False + + root_logger.info('[Setting "managed-keys-directory" option in named.conf]') + try: + bindinstance.named_conf_set_directive('managed-keys-directory', + paths.NAMED_MANAGED_KEYS_DIR, + bindinstance.NAMED_SECTION_OPTIONS) + except IOError, e: + root_logger.error('Cannot update managed-keys-directory configuration in %s: %s', + bindinstance.NAMED_CONF, e) + return False + + + sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True) + return True + +def named_root_key_include(): + """ + Add options managed_keys_directory to named.conf + """ + if not bindinstance.named_conf_exists(): + # DNS service may not be configured + root_logger.info('DNS is not configured') + return False + + if sysupgrade.get_upgrade_state('named.conf', 'root_key_updated'): + root_logger.debug('Skip root key configuration check') + return False + + try: + root_key = bindinstance.named_conf_include_exists(paths.NAMED_ROOT_KEY) + except IOError, e: + root_logger.error('Cannot check root key include in %s: %s', + bindinstance.NAMED_CONF, e) + return False + else: + if root_key: + root_logger.debug('root keys configuration already updated') + sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True) + return False + + root_logger.info('[Including named root key in named.conf]') + try: + bindinstance.named_conf_add_include(paths.NAMED_ROOT_KEY) + except IOError, e: + root_logger.error('Cannot update named root key include in %s: %s', + bindinstance.NAMED_CONF, e) + return False + + + sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True) + return True + def certificate_renewal_update(ca): """ Update certmonger certificate renewal configuration. 
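Review bot: `named_bindkey_file_option` looks up the directive `'bindkey-file'` but writes `'bindkeys-file'` (the correct BIND option name, and the one the template uses), so the "already configured" check can never match an existing directive. On a server installed from the updated template the first `ipa-upgradeconfig` run would therefore call `named_conf_set_directive('bindkeys-file', ...)` again; whether that yields a duplicate `bindkeys-file` statement (which named rejects as redefined) depends on `named_conf_set_directive` replacing rather than appending — its body is outside this hunk — but either way the lookup should read `bindkey_file = bindinstance.named_conf_get_directive('bindkeys-file', bindinstance.NAMED_SECTION_OPTIONS)`. The docstrings are copy-pasted as well: `named_root_key_include` says "Add options managed_keys_directory to named.conf" and should read `Add an include of the named root key file to named.conf`, and the first function's should name `bindkeys-file`. The three functions differ only in directive name, path and upgrade-state key, so a shared `_named_conf_ensure_option(name, value, state_key)` helper would make this kind of mismatch hard to write.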
@@ -1170,6 +1287,9 @@ def main(): named_update_gssapi_configuration(), named_update_pid_file(), named_enable_dnssec(), + named_bindkey_file_option(), + named_managed_keys_dir_option(), + named_root_key_include(), ) if any(named_conf_changes): diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 7d294a91e..3f66afb3f 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -72,6 +72,9 @@ class BasePathNamespace(object): NAMED_CONF = "/etc/named.conf" NAMED_KEYTAB = "/etc/named.keytab" NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones" + NAMED_ROOT_KEY = "/etc/named.root.key" + NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key" + NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic" NSLCD_CONF = "/etc/nslcd.conf" NSS_LDAP_CONF = "/etc/nss_ldap.conf" NSSWITCH_CONF = "/etc/nsswitch.conf" diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 2e8836ec6..928ca1b5c 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -55,6 +55,9 @@ named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n" # non string args for options section named_conf_arg_options_re_nonstr = re.compile(r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;') named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n" +# include directive +named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;') +named_conf_include_template = "include \"%(path)s\";\n" def check_inst(unattended): has_bind = True 
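Review bot: As rendered here the new `named_conf_include_re` contains an empty named group, `"(?P)"`, which Python's `re` rejects at import time; the existing `named_conf_arg_options_re_nonstr` two lines up shows the same `(?P\s*)` damage, so this is presumably an extraction artefact of `(?P<path>[^"]+)` rather than the committed text, but it is worth confirming since `named_conf_include_exists` reads `match.group('path')`. Because the pattern is applied with `.match()` from the start of each line, a `//`-commented include is correctly skipped, while an `include` line sitting inside a `/* ... */` block comment would still be counted as present. A one-line comment would save the next reader that analysis: `# matches an uncommented include "path"; line; the path is compared verbatim, without normalisation`.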
@@ -203,6 +206,28 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA, with open(NAMED_CONF, 'w') as f: f.write("".join(new_lines)) +def named_conf_include_exists(path): + """ + Check if include exists in named.conf + :param path: path in include directive + :return: True if include exists, else False + """ + with open(NAMED_CONF, 'r') as f: + for line in f: + match = named_conf_include_re.match(line) + if match and path == match.group('path'): + return True + + return False + +def named_conf_add_include(path): + """ + append include at the end of file + :param path: path to be insert to include directive + """ + with open(NAMED_CONF, 'a') as f: + f.write(named_conf_include_template % {'path': path}) + def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None, autobind=ipaldap.AUTOBIND_DISABLED): """ @@ -638,6 +663,9 @@ class BindInstance(service.Service): OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, IPA_CA_RECORD=ipa_ca, + BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, + MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, + ROOT_KEY=paths.NAMED_ROOT_KEY, ) def __setup_dns_container(self):
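Review bot: `named_conf_add_include` opens named.conf in append mode and writes the include without checking that the file ends in a newline, so if the last line lacks one the new `include` is glued onto it — harmless after `};`, but silently swallowed if that line is a `//` comment, after which `named_conf_include_exists` never finds the include and the upgrade step repeats on every run. Since `named_conf_set_directive` in the same file already reads all lines and rewrites the whole file, doing the same here and inserting a separating newline when needed closes the gap. `named_conf_include_exists` is fine as is, though its `path == match.group('path')` comparison is exact, which is acceptable only because every caller passes `paths.NAMED_ROOT_KEY` verbatim.
```python
def named_conf_add_include(path):
    """
    Append an include directive at the end of named.conf.

    A newline is inserted first if the file does not already end with one,
    so the directive can never be merged into a trailing line or comment.
    :param path: path to be inserted into the include directive
    """
    with open(NAMED_CONF, 'r') as f:
        content = f.read()
    if content and not content.endswith('\n'):
        content += '\n'
    content += named_conf_include_template % {'path': path}
    with open(NAMED_CONF, 'w') as f:
        f.write(content)
```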