DNSSEC: validate forwarders

Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-10-16 16:27:00 +02:00
parent 30bc3a55cf
commit ca030a089f
8 changed files with 158 additions and 6 deletions
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -40,7 +40,8 @@ from ipalib import api, errors
 from ipaplatform.paths import paths
 from ipalib.util import (validate_zonemgr_str, normalize_zonemgr,
        get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy,
-        normalize_zone, get_reverse_zone_default, zone_is_reverse)
+        normalize_zone, get_reverse_zone_default, zone_is_reverse,
+        validate_dnssec_forwarder)
 from ipalib.constants import CACERT

 NAMED_CONF = paths.NAMED_CONF
@@ -447,6 +448,25 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, search

    return ret_reverse_zones

+def check_forwarders(dns_forwarders, logger):
+    print "Checking forwarders, please wait ..."
+    forwarders_dnssec_valid = True
+    for forwarder in dns_forwarders:
+        logger.debug("Checking forwarder: %s", forwarder)
+        result = validate_dnssec_forwarder(forwarder)
+        if result is None:
+            logger.error("Forwarder %s does not work", forwarder)
+            raise RuntimeError("Forwarder %s does not respond" % forwarder)
+        elif result is False:
+            forwarders_dnssec_valid = False
+            logger.warning("DNS forwarder %s does not return DNSSEC signatures in answers", forwarder)
+            logger.warning("Please fix forwarder configuration to enable DNSSEC support.\n"
+                "(For BIND 9 add directive \"dnssec-enable yes;\" to \"options {}\")")
+            print ("WARNING: DNS forwarder %s is not configured to support "
+                   "DNSSEC" % forwarder)
+
+    return forwarders_dnssec_valid
+

 class DnsBackup(object):
    def __init__(self, service):
@@ -523,7 +543,7 @@ class BindInstance(service.Service):

    def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, ntp,
              reverse_zones, named_user="named", zonemgr=None,
-              ca_configured=None):
+              ca_configured=None, no_dnssec_validation=False):
        self.named_user = named_user
        self.fqdn = fqdn
        self.ip_addresses = ip_addresses
@@ -535,6 +555,7 @@ class BindInstance(service.Service):
        self.ntp = ntp
        self.reverse_zones = reverse_zones
        self.ca_configured = ca_configured
+        self.no_dnssec_validation=no_dnssec_validation

        if not zonemgr:
            self.zonemgr = 'hostmaster.%s' % self.domain
@@ -902,6 +923,12 @@ class BindInstance(service.Service):
        named_fd.write(named_txt)
        named_fd.close()

+        if self.no_dnssec_validation:
+            # disable validation
+            named_conf_set_directive("dnssec-validation", "no",
+                                     section=NAMED_SECTION_OPTIONS,
+                                     str_val=False)
+
    def __setup_resolv_conf(self):
        self.fstore.backup_file(RESOLV_CONF)
        resolv_txt = "search "+self.domain+"\n"