IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Wipe the ipa-ca DNS record when updating system records

Browse Source 
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
This commit is contained in:
Rob Crittenden 2022-07-11 14:20:32 -04:00
parent 724c8314b5
commit c38546d085
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ipaserver/dns_data_management.py
View File

@ -19,6 +19,7 @@ from dns import (
from time import sleep, time from time import sleep, time
from ipalib import errors from ipalib import errors
from ipalib.constants import IPA_CA_RECORD
from ipalib.dns import record_name_format from ipalib.dns import record_name_format
from ipapython.dnsutil import DNSName from ipapython.dnsutil import DNSName
from ipaserver.install import installutils from ipaserver.install import installutils
@ -187,7 +188,7 @@ class IPASystemRecords:
def __add_ca_records_from_hostname(self, zone_obj, hostname): def __add_ca_records_from_hostname(self, zone_obj, hostname):
assert isinstance(hostname, DNSName) and hostname.is_absolute() assert isinstance(hostname, DNSName) and hostname.is_absolute()
r_name = DNSName('ipa-ca') + self.domain_abs r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
rrsets = None rrsets = None
end_time = time() + CA_RECORDS_DNS_TIMEOUT end_time = time() + CA_RECORDS_DNS_TIMEOUT
while True: while True:
@ -210,6 +211,7 @@ class IPASystemRecords:
for rrset in rrsets: for rrset in rrsets:
for rd in rrset: for rd in rrset:
logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
rdataset = zone_obj.get_rdataset( rdataset = zone_obj.get_rdataset(
r_name, rd.rdtype, create=True) r_name, rd.rdtype, create=True)
rdataset.add(rd, ttl=self.TTL) rdataset.add(rd, ttl=self.TTL)
@ -461,6 +463,14 @@ class IPASystemRecords:
) )
) )
# Remove the ipa-ca record(s). They will be reconstructed in
# get_base_records().
r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
try:
self.api_instance.Command.dnsrecord_del(
self.domain_abs, r_name, del_all=True)
except errors.NotFound:
pass
base_zone = self.get_base_records() base_zone = self.get_base_records()
for record_name, node in base_zone.items(): for record_name, node in base_zone.items():
set_cname_template = record_name in names_requiring_cname_templates set_cname_template = record_name in names_requiring_cname_templates