Add missing attributes to named.conf

Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>

install/share/bind.named.conf.template

@@ -18,6 +18,11 @@ options {
 	pid-file "/run/named/named.pid";
 
 	dnssec-enable yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "$BINDKEYS_FILE";
+
+	managed-keys-directory "$MANAGED_KEYS_DIR";
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -38,6 +43,7 @@ zone "." IN {
 };
 
 include "/etc/named.rfc1912.zones";
+include "$ROOT_KEY";
 
 dynamic-db "ipa" {
 	library "ldap.so";

install/tools/ipa-upgradeconfig

@@ -624,6 +624,123 @@ def named_enable_dnssec():
     return True
 
 
+def named_bindkey_file_option():
+    """
+    Add options bindkey_file to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'bindkey-file_updated'):
+        root_logger.debug('Skip bindkey-file configuration check')
+        return False
+
+    try:
+        bindkey_file = bindinstance.named_conf_get_directive('bindkey-file',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve bindkey-file option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if bindkey_file:
+            root_logger.debug('bindkey-file configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+            return False
+
+    root_logger.info('[Setting "bindkeys-file" option in named.conf]')
+    try:
+        bindinstance.named_conf_set_directive('bindkeys-file',
+                                              paths.NAMED_BINDKEYS_FILE,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update bindkeys-file configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+    return True
+
+def named_managed_keys_dir_option():
+    """
+    Add options managed_keys_directory to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'managed-keys-directory_updated'):
+        root_logger.debug('Skip managed-keys-directory configuration check')
+        return False
+
+    try:
+        managed_keys = bindinstance.named_conf_get_directive('managed-keys-directory',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve managed-keys-directory option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if managed_keys:
+            root_logger.debug('managed_keys_directory configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+            return False
+
+    root_logger.info('[Setting "managed-keys-directory" option in named.conf]')
+    try:
+        bindinstance.named_conf_set_directive('managed-keys-directory',
+                                              paths.NAMED_MANAGED_KEYS_DIR,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update managed-keys-directory configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+    return True
+
+def named_root_key_include():
+    """
+    Add options managed_keys_directory to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'root_key_updated'):
+        root_logger.debug('Skip root key configuration check')
+        return False
+
+    try:
+        root_key = bindinstance.named_conf_include_exists(paths.NAMED_ROOT_KEY)
+    except IOError, e:
+        root_logger.error('Cannot check root key include in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if root_key:
+            root_logger.debug('root keys configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+            return False
+
+    root_logger.info('[Including named root key in named.conf]')
+    try:
+        bindinstance.named_conf_add_include(paths.NAMED_ROOT_KEY)
+    except IOError, e:
+        root_logger.error('Cannot update named root key include in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+    return True
+
 def certificate_renewal_update(ca):
     """
     Update certmonger certificate renewal configuration.
@@ -1170,6 +1287,9 @@ def main():
                           named_update_gssapi_configuration(),
                           named_update_pid_file(),
                           named_enable_dnssec(),
+                          named_bindkey_file_option(),
+                          named_managed_keys_dir_option(),
+                          named_root_key_include(),
                          )
 
     if any(named_conf_changes):

ipaplatform/base/paths.py

@@ -72,6 +72,9 @@ class BasePathNamespace(object):
     NAMED_CONF = "/etc/named.conf"
     NAMED_KEYTAB = "/etc/named.keytab"
     NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
+    NAMED_ROOT_KEY = "/etc/named.root.key"
+    NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
+    NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
     NSLCD_CONF = "/etc/nslcd.conf"
     NSS_LDAP_CONF = "/etc/nss_ldap.conf"
     NSSWITCH_CONF = "/etc/nsswitch.conf"

ipaserver/install/bindinstance.py

@@ -55,6 +55,9 @@ named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
 # non string args for options section
 named_conf_arg_options_re_nonstr = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
 named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
+# include directive
+named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>)"\s*;')
+named_conf_include_template = "include \"%(path)s\";\n"
 
 def check_inst(unattended):
     has_bind = True
@@ -203,6 +206,28 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
     with open(NAMED_CONF, 'w') as f:
         f.write("".join(new_lines))
 
+def named_conf_include_exists(path):
+    """
+    Check if include exists in named.conf
+    :param path: path in include directive
+    :return: True if include exists, else False
+    """
+    with open(NAMED_CONF, 'r') as f:
+        for line in f:
+            match = named_conf_include_re.match(line)
+            if match and path == match.group('path'):
+                return True
+
+    return False
+
+def named_conf_add_include(path):
+    """
+    append include at the end of file
+    :param path: path to be insert to include directive
+    """
+    with open(NAMED_CONF, 'a') as f:
+        f.write(named_conf_include_template % {'path': path})
+
 def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
                          autobind=ipaldap.AUTOBIND_DISABLED):
     """
@@ -638,6 +663,9 @@ class BindInstance(service.Service):
             OPTIONAL_NTP=optional_ntp,
             ZONEMGR=self.zonemgr,
             IPA_CA_RECORD=ipa_ca,
+            BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
+            MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
+            ROOT_KEY=paths.NAMED_ROOT_KEY,
             )
 
     def __setup_dns_container(self):