Split named custom config to allow changes in options stanza

Upgrade path to add additional include to named.conf is not handled. Remove bindkeys-file directive from named config The ISC DVL service was shut down (https://www.isc.org/bind-keys/). BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later) include a hard-coded copy of the root KSK which gets updates automatically according to RFC 5011. Move dnssec-enable directive to custom named config Move comment named config being managed by FreeIPA to the top Move settings which could be changed by administrators to ipa-options-ext.conf. Settings defined there are sole responsibility of the administrator. We do not check if they might collide with our settings in named.conf. Fixes: https://pagure.io/freeipa/issue/8287 Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-04-25 18:06:45 +02:00
parent 88d1dcc52a
commit a5cbdb57e5
10 changed files with 61 additions and 30 deletions
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -295,7 +295,7 @@ def find_reverse_zone(ip_address, api=api):
    return None


-def named_add_ext_conf_file(src, dest, t_params={}):
+def named_add_ext_conf_file(src, dest, t_params=None):
    """
    Ensure included file is present, but don't override it.

@@ -303,6 +303,9 @@ def named_add_ext_conf_file(src, dest, t_params={}):
    :param dest: String. Absolute path to destination
    :param t_params: Dict. Parameters for source template
    """
+    if t_params is None:
+        t_params = {}
+
    if not os.path.exists(dest):
        ipa_ext_txt = ipautil.template_file(src, t_params)
        gid = pwd.getpwnam(constants.NAMED_USER).pw_gid
@@ -837,6 +840,7 @@ class BindInstance(service.Service):
            BIND_LDAP_SO=paths.BIND_LDAP_SO,
            INCLUDE_CRYPTO_POLICY=crypto_policy,
            CUSTOM_CONFIG=paths.NAMED_CUSTOM_CONFIG,
+            CUSTOM_OPTIONS_CONFIG=paths.NAMED_CUSTOM_OPTIONS_CONFIG,
            NAMED_DATA_DIR=constants.NAMED_DATA_DIR,
            NAMED_ZONE_COMMENT=constants.NAMED_ZONE_COMMENT,
        )
@@ -988,20 +992,24 @@ class BindInstance(service.Service):
        named_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "bind.named.conf.template"),
            self.sub_dict)
-        named_fd = open(paths.NAMED_CONF, 'w')
-        named_fd.seek(0)
-        named_fd.truncate(0)
-        named_fd.write(named_txt)
-        named_fd.close()

-        named_add_ext_conf_file(paths.NAMED_CUSTOM_CFG_SRC,
-                                paths.NAMED_CUSTOM_CONFIG)
+        gid = pwd.getpwnam(constants.NAMED_USER).pw_gid
+        with open(paths.NAMED_CONF, 'w') as named_conf:
+            os.fchmod(named_conf.fileno(), 0o640)
+            os.fchown(named_conf.fileno(), 0, gid)
+            named_conf.write(named_txt)

-        if self.no_dnssec_validation:
-            # disable validation
-            named_conf_set_directive("dnssec-validation", "no",
-                                     section=NAMED_SECTION_OPTIONS,
-                                     str_val=False)
+        named_add_ext_conf_file(
+            paths.NAMED_CUSTOM_CFG_SRC,
+            paths.NAMED_CUSTOM_CONFIG
+        )
+
+        dnssec_validation = 'no' if self.no_dnssec_validation else 'yes'
+        named_add_ext_conf_file(
+            paths.NAMED_CUSTOM_OPTIONS_CFG_SRC,
+            paths.NAMED_CUSTOM_OPTIONS_CONFIG,
+            {'NAMED_DNSSEC_VALIDATION': dnssec_validation}
+        )

        # prevent repeated upgrade on new installs
        sysupgrade.set_upgrade_state(
@@ -1260,5 +1268,6 @@ class BindInstance(service.Service):
            self.named_regular.start()

        ipautil.remove_file(paths.NAMED_CUSTOM_CONFIG)
+        ipautil.remove_file(paths.NAMED_CUSTOM_OPTIONS_CONFIG)
        ipautil.remove_keytab(self.keytab)
        ipautil.remove_ccache(run_as=self.service_user)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -125,6 +125,7 @@ class Backup(admintool.AdminTool):
    files = (
        paths.NAMED_CONF,
        paths.NAMED_CUSTOM_CONFIG,
+        paths.NAMED_CUSTOM_OPTIONS_CONFIG,
        paths.NAMED_KEYTAB,
        paths.RESOLV_CONF,
        paths.SYSCONFIG_PKI_TOMCAT,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -594,9 +594,18 @@ def named_add_ipa_ext_conf_file():
        logger.info('DNS is not configured.')
        return False

-    return bindinstance.named_add_ext_conf_file(
-        paths.NAMED_CUSTOM_CFG_SRC,
-        paths.NAMED_CUSTOM_CONFIG)
+    tasks = [
+        bindinstance.named_add_ext_conf_file(
+            paths.NAMED_CUSTOM_CFG_SRC,
+            paths.NAMED_CUSTOM_CONFIG
+        ),
+        bindinstance.named_add_ext_conf_file(
+            paths.NAMED_CUSTOM_OPTIONS_CFG_SRC,
+            paths.NAMED_CUSTOM_OPTIONS_CONFIG
+        )
+    ]
+
+    return any(tasks)


 def named_set_minimum_connections():