Wipe the ipa-ca DNS record when updating system records

If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry. This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left. Fixes: https://pagure.io/freeipa/issue/9195 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org>
2025-02-25 18:55:28 -06:00 · 2022-07-11 14:20:32 -04:00 · 2022-07-11 14:20:32 -04:00 · c38546d085
commit c38546d085
parent 724c8314b5
1 changed files with 11 additions and 1 deletions
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@ -19,6 +19,7 @@ from dns import (
 from time import sleep, time

 from ipalib import errors
+from ipalib.constants import IPA_CA_RECORD
 from ipalib.dns import record_name_format
 from ipapython.dnsutil import DNSName
 from ipaserver.install import installutils
@ -187,7 +188,7 @@ class IPASystemRecords:

    def __add_ca_records_from_hostname(self, zone_obj, hostname):
        assert isinstance(hostname, DNSName) and hostname.is_absolute()
-        r_name = DNSName('ipa-ca') + self.domain_abs
+        r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
        rrsets = None
        end_time = time() + CA_RECORDS_DNS_TIMEOUT
        while True:
@ -210,6 +211,7 @@ class IPASystemRecords:

        for rrset in rrsets:
            for rd in rrset:
+                logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
                rdataset = zone_obj.get_rdataset(
                    r_name, rd.rdtype, create=True)
                rdataset.add(rd, ttl=self.TTL)
@ -461,6 +463,14 @@ class IPASystemRecords:
            )
        )

+        # Remove the ipa-ca record(s). They will be reconstructed in
+        # get_base_records().
+        r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
+        try:
+            self.api_instance.Command.dnsrecord_del(
+                self.domain_abs, r_name, del_all=True)
+        except errors.NotFound:
+            pass
        base_zone = self.get_base_records()
        for record_name, node in base_zone.items():
            set_cname_template = record_name in names_requiring_cname_templates