Fill new DNS zone update policy by default

For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy for regular users to construct; we should instead
fill it in by default and let users simply switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
This commit is contained in:
Martin Kosek
2012-06-04 17:53:34 +02:00
parent 7d9abecbb6
commit c06cbb12ac
7 changed files with 60 additions and 14 deletions


@@ -32,7 +32,8 @@ from ipapython import sysrestore
from ipapython import ipautil
from ipalib.constants import DNS_ZONE_REFRESH
from ipalib.parameters import IA5Str
from ipalib.util import validate_zonemgr, normalize_zonemgr, gen_dns_update_policy
from ipalib.util import (validate_zonemgr, normalize_zonemgr,
get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy)
from ipapython.ipa_log_manager import *
import ipalib
@@ -185,7 +186,7 @@ def read_reverse_zone(default, ip_address):
def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_address=None,
update_policy=None):
if update_policy is None:
update_policy = gen_dns_update_policy(api.env.realm)
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
if zonemgr is None:
zonemgr = 'hostmaster.%s' % name
@@ -229,7 +230,7 @@ def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
ns_replicas=[], update_policy=None, dns_backup=None):
zone = normalize_zone(zone)
if update_policy is None:
update_policy = "grant %s krb5-subdomain %s PTR;" % (api.env.realm, zone)
update_policy = get_dns_reverse_zone_update_policy(api.env.realm, zone)
if ns_hostname is None:
# automatically retrieve list of DNS masters
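Review bot: In the add_reverse_zone hunk the default policy becomes opaque at the call site: the removed line showed it was `grant REALM krb5-subdomain ZONE PTR;`, which lets any Kerberos principal of the realm update any PTR record in the reverse zone, not just the host that owns the address, and the new `get_dns_reverse_zone_update_policy(api.env.realm, zone)` presumably yields the same grant. Because the commit makes this the default for every zone created by the installer, the trust scope deserves a comment beside the call, e.g. `# default grants every principal of the realm PTR updates in this zone; pass update_policy to restrict`. The forward-zone default in add_zone (preceding hunk) deserves the same note, and per the description the grant only takes effect once dynamic updates are switched on for the zone. Both function bodies continue outside the hunks.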


@@ -70,9 +70,9 @@ class update_dnszones(PostUpdate):
# do not open zone transfers by default
update['idnsallowtransfer'] = u'none;'
old_policy = util.gen_dns_update_policy(api.env.realm, ('A', 'AAAA'))
old_policy = util.get_dns_forward_zone_update_policy(api.env.realm, ('A', 'AAAA'))
if zone.get('idnsupdatepolicy', [''])[0] == old_policy:
update['idnsupdatepolicy'] = util.gen_dns_update_policy(\
update['idnsupdatepolicy'] = util.get_dns_forward_zone_update_policy(\
api.env.realm)
if update: