DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used

This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-04-27 15:24:01 +02:00
parent f750d42b6f
commit e45a80308c
2 changed files with 34 additions and 0 deletions
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -264,6 +264,24 @@ def related_to_auto_empty_zone(name):
               for aez in EMPTY_ZONES)


+def has_empty_zone_addresses(hostname):
+    """Detect if given host is using IP address belonging to
+    an automatic empty zone.
+
+    Information from --ip-address option used in installed is lost by
+    the time when upgrade is run. Use IP addresses from DNS as best
+    approximation.
+
+    This is brain-dead and duplicates logic from DNS installer
+    but I did not find other way around.
+    """
+    ip_addresses = resolve_ip_addresses(hostname)
+    return any(
+        inside_auto_empty_zone(DNSName(ip.reverse_dns))
+        for ip in ip_addresses
+    )
+
+
 def resolve_rrsets(fqdn, rdtypes):
    """
    Get Resource Record sets for given FQDN.
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -461,6 +461,19 @@ class update_dnsforward_emptyzones(DNSUpdater):
            self.log.debug('Zone %s was sucessfully modified to use '
                           'forward policy "only"', zone['idnsname'][0])

+    def update_global_ldap_forwarder(self):
+        config = self.api.Command['dnsconfig_show'](all=True,
+                                                    raw=True)['result']
+        if (
+            config.get('idnsforwardpolicy', [u'first'])[0] == u'first'
+            and config.get('idnsforwarders', [])
+        ):
+            self.log.info('Global forward policy in LDAP for all servers will '
+                          'be changed to "only" to avoid conflicts with '
+                          'automatic empty zones')
+            self.backup_zone(config)
+            self.api.Command['dnsconfig_mod'](idnsforwardpolicy=u'only')
+
    def execute(self, **options):
        # check LDAP if DNS subtree already uses new semantics
        if not self.version_update_needed(target_version=2):
@@ -473,4 +486,7 @@ class update_dnsforward_emptyzones(DNSUpdater):
        self.api.Command['dnsconfig_mod'](ipadnsversion=2)

        self.update_zones()
+        if dnsutil.has_empty_zone_addresses(self.api.env.host):
+            self.update_global_ldap_forwarder()
+
        return False, []