DNSSEC: validate forwarders

Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Martin Basti
2014-10-16 16:27:00 +02:00
committed by Martin Kosek
parent 30bc3a55cf
commit ca030a089f
8 changed files with 158 additions and 6 deletions


@@ -18,6 +18,7 @@ options {
pid-file "$NAMED_PID";
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "$BINDKEYS_FILE";


@@ -54,6 +54,8 @@ def parse_options():
help="The reverse DNS zone to use")
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
@@ -142,6 +144,14 @@ def main():
dns_forwarders = options.forwarders
else:
dns_forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if dns_forwarders:
if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print "WARNING: DNSSEC validation will be disabled"
root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
if bind.dm_password:
@@ -166,7 +176,8 @@ def main():
print ""
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
dns_forwarders, conf_ntp, reverse_zones, zonemgr=options.zonemgr)
dns_forwarders, conf_ntp, reverse_zones, zonemgr=options.zonemgr,
no_dnssec_validation=options.no_dnssec_validation)
bind.create_instance()
# Restart http instance to make sure that python-dns has the right resolver
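Review bot: The new block under `if dns_forwarders:` turns a failed forwarder check into an automatic security downgrade: when `bindinstance.check_forwarders` returns False the installer sets `options.no_dnssec_validation = True` on its own and carries on, so the deployed named.conf ends up without DNSSEC validation although the operator never asked for that, and in an unattended run the single stdout warning is easy to miss. Whether the check can fail for transient reasons (a forwarder briefly unreachable during install) is not visible here, but if it can, one bad moment permanently weakens the resolver. I would keep the downgrade off the default path: abort with `sys.exit("DNSSEC validation of forwarders failed; re-run with --no-dnssec-validation to accept the risk")` (assuming `sys` is imported in this script), or at least ask for confirmation in interactive mode before flipping the flag, and say in the `--no-dnssec-validation` help text what the check does. The same block is repeated in the `main()` hunks of the other two installers touched by this commit and would need the same treatment; a shared helper in bindinstance would avoid the three copies. `main()` continues outside the hunk.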


@@ -116,6 +116,8 @@ def parse_options():
action="append", help="The reverse DNS zone to use")
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
@@ -138,6 +140,8 @@ def parse_options():
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
if options.no_dnssec_validation:
parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif not options.forwarders and not options.no_forwarders:
@@ -268,7 +272,8 @@ def install_bind(config, options):
bind.setup(config.host_name, config.ips, config.realm_name,
config.domain_name, forwarders, options.conf_ntp,
config.reverse_zones, ca_configured=options.setup_ca)
config.reverse_zones, ca_configured=options.setup_ca,
no_dnssec_validation=options.no_dnssec_validation)
bind.create_instance()
print ""
@@ -471,6 +476,13 @@ def main():
if options.setup_dns:
check_bind()
# test DNSSEC forwarders
if options.forwarders:
if (not bindinstance.check_forwarders(options.forwarders, root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print "WARNING: DNSSEC validation will be disabled"
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured():
sys.exit("Aborting installation")
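Review bot: The warning at `print "WARNING: DNSSEC validation will be disabled"` goes only to stdout, so the decision to weaken the resolver leaves no trace in the installer log that anyone debugging the deployment later will read, and nothing records which forwarders were checked. Emitting it through the logger that is already in hand, e.g. `root_logger.warning("DNSSEC validation will be disabled: forwarders %s did not pass the validation check", options.forwarders)`, would keep the console message and add the log entry, assuming root_logger is routed to the install log as elsewhere in these scripts. The same `print` appears in the corresponding `main()` hunks of the other two installers in this commit. `main()` continues outside the hunk.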


@@ -286,6 +286,8 @@ def parse_options():
action="append", default=[])
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create reverse DNS zone")
dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
@@ -331,6 +333,8 @@ def parse_options():
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
if options.no_dnssec_validation:
parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif options.reverse_zones and options.no_reverse:
@@ -1033,6 +1037,13 @@ def main():
else:
dns_forwarders = read_dns_forwarders()
#test DNSSEC forwarders
if dns_forwarders:
if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print "WARNING: DNSSEC validation will be disabled"
reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
options.reverse_zones, options, options.unattended)
@@ -1267,7 +1278,8 @@ def main():
bind = bindinstance.BindInstance(fstore, dm_password)
bind.setup(host_name, ip_addresses, realm_name, domain_name, dns_forwarders,
options.conf_ntp, reverse_zones, zonemgr=options.zonemgr,
ca_configured=setup_ca)
ca_configured=setup_ca,
no_dnssec_validation=options.no_dnssec_validation)
if options.setup_dns:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)