IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used

Browse Source 
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Petr Spacek
2016-04-27 15:24:01 +02:00
committed by Martin Basti
parent f750d42b6f
commit e45a80308c
2 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
ipapython/dnsutil.py
View File

@@ -264,6 +264,24 @@ def related_to_auto_empty_zone(name):
for aez in EMPTY_ZONES) for aez in EMPTY_ZONES)
def has_empty_zone_addresses(hostname):
"""Detect if given host is using IP address belonging to
an automatic empty zone.
Information from --ip-address option used in installed is lost by
the time when upgrade is run. Use IP addresses from DNS as best
approximation.
This is brain-dead and duplicates logic from DNS installer
but I did not find other way around.
"""
ip_addresses = resolve_ip_addresses(hostname)
return any(
inside_auto_empty_zone(DNSName(ip.reverse_dns))
for ip in ip_addresses
)
def resolve_rrsets(fqdn, rdtypes): def resolve_rrsets(fqdn, rdtypes):
""" """
Get Resource Record sets for given FQDN. Get Resource Record sets for given FQDN.

16
ipaserver/install/plugins/dns.py
View File

@@ -461,6 +461,19 @@ class update_dnsforward_emptyzones(DNSUpdater):
self.log.debug('Zone %s was sucessfully modified to use ' self.log.debug('Zone %s was sucessfully modified to use '
'forward policy "only"', zone['idnsname'][0]) 'forward policy "only"', zone['idnsname'][0])
def update_global_ldap_forwarder(self):
config = self.api.Command['dnsconfig_show'](all=True,
raw=True)['result']
if (
config.get('idnsforwardpolicy', [u'first'])[0] == u'first'
and config.get('idnsforwarders', [])
):
self.log.info('Global forward policy in LDAP for all servers will '
'be changed to "only" to avoid conflicts with '
'automatic empty zones')
self.backup_zone(config)
self.api.Command['dnsconfig_mod'](idnsforwardpolicy=u'only')
def execute(self, **options): def execute(self, **options):
# check LDAP if DNS subtree already uses new semantics # check LDAP if DNS subtree already uses new semantics
if not self.version_update_needed(target_version=2): if not self.version_update_needed(target_version=2):
@@ -473,4 +486,7 @@ class update_dnsforward_emptyzones(DNSUpdater):
self.api.Command['dnsconfig_mod'](ipadnsversion=2) self.api.Command['dnsconfig_mod'](ipadnsversion=2)
self.update_zones() self.update_zones()
if dnsutil.has_empty_zone_addresses(self.api.env.host):
self.update_global_ldap_forwarder()
return False, [] return False, []