From a19cb9b5477901efc08c00c122f08e3d5ed126ff Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 21 Oct 2014 14:25:50 +0200 Subject: [PATCH] Disable DNSSEC support --- install/share/bind.named.conf.template | 2 +- install/tools/ipa-dns-install | 52 ++++------------------------------ install/tools/ipa-replica-install | 16 ++++------- install/tools/ipa-replica-manage | 12 -------- install/tools/ipa-server-install | 40 +++----------------------- install/tools/ipa-upgradeconfig | 10 ------- ipalib/plugins/dns.py | 4 ++- ipaplatform/redhat/services.py | 6 ++-- ipapython/Makefile | 2 +- ipapython/setup.py.in | 2 +- ipaserver/install/bindinstance.py | 25 ---------------- 11 files changed, 24 insertions(+), 147 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 3c19383c0dde4353b30b16240ec2b81d7ea65776..b3b06211b15cc1736453b203b52bacfba8036618 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -18,7 +18,7 @@ options { pid-file "$NAMED_PID"; dnssec-enable yes; - dnssec-validation yes; + dnssec-validation no; /* Path to ISC DLV key */ bindkeys-file "$BINDKEYS_FILE"; diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index cbf3faeef3644870b6978e02c95f67354cc7e61b..114351c9f7a5a779e4c8516c1411139c38d7138b 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRESS_HELP import krbV -from ipaserver.install import (service, bindinstance, ntpinstance, - httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance) +from ipaserver.install import service, bindinstance, ntpinstance, httpinstance from ipaserver.install.installutils import * from ipaserver.install import installutils from ipapython import version 
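Review bot: In the bind.named.conf.template hunk, `dnssec-validation no;` now sits directly under `dnssec-enable yes;` and above `bindkeys-file "$BINDKEYS_FILE"` with nothing saying the switch-off is intentional, so a reader of the generated named.conf sees a DLV trust key configured for a resolver that no longer checks signatures on answers from its forwarders. Since the `--no-dnssec-validation` switch is removed from the installers in later hunks, the template becomes the only place that controls validation, which makes the silent change easy to miss on review of a deployed server. A one-line comment above the directive would make the state explicit, e.g. `/* DNSSEC validation intentionally disabled: DNSSEC support is not shipped in this release */`. It may also be worth noting in the commit description that resolvers installed from this build do not validate DNSSEC.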
@@ -54,10 +53,6 @@ def parse_options(): help="The reverse DNS zone to use") parser.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create new reverse DNS zone") - parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true", - default=False, help="Disable DNSSEC validation") - parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true", - default=False, help="Setup server to be DNSSEC key master") parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback, type="string", help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN") @@ -67,6 +62,10 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) + # Disable DNSSEC support + options.no_dnssec_validation = False + options.dnssec_master = False + if options.forwarders and options.no_forwarders: parser.error("You cannot specify a --forwarder option together with --no-forwarders") elif options.reverse_zones and options.no_reverse: @@ -101,21 +100,6 @@ def main(): print "" print "This includes:" print " * Configure DNS (bind)" - print " * Configure SoftHSM (required by DNSSEC)" - print " * Configure ipa-dnskeysyncd (required by DNSSEC)" - if options.dnssec_master: - print " * Configure ipa-ods-exporter (required by DNSSEC key master)" - print " * Configure OpenDNSSEC (required by DNSSEC key master)" - print " * Generate DNSSEC master key (required by DNSSEC key master)" - print "" - print "NOTE: DNSSEC zone signing is not enabled by default" - print "" - if options.dnssec_master: - print "DNSSEC support is experimental!" - print "" - print "Plan carefully, current version doesn't allow you to move DNSSEC" - print "key master to different server and master cannot be uninstalled" - print "" print "" print "To accept the default shown in brackets, press the Enter key." print "" 
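Review bot: In the @@ -67 hunk of ipa-dns-install the comment `# Disable DNSSEC support` above `options.no_dnssec_validation = False` reads backwards: False means "do not request the disable-validation step", and validation is in fact turned off unconditionally by the named.conf template hunk, so the assignment only keeps the optional step from ever running. A comment stating that would prevent the next maintainer from flipping it to True expecting to enable something, e.g. `# DNSSEC support disabled: validation is already off in bind.named.conf.template, so the optional "disable validation" step is never requested`. `options.dnssec_master = False` in the same hunk appears to have no remaining reader in this file once the other ipa-dns-install hunks apply, so it is a dead assignment unless it is kept deliberately for re-enabling. The same comment/assignment pattern appears in ipa-replica-install (@@ -127) and ipa-server-install (@@ -297), and the now-constant value is still passed through `bind.create_instance(... no_dnssec_validation=options.no_dnssec_validation)` in ipa-dns-install @@ -213 and ipa-replica-install @@ -274.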
@@ -126,15 +110,9 @@ def main(): sys.exit("Aborted") # Check bind packages are installed - if not (bindinstance.check_inst(options.unattended) and - dnskeysyncinstance.check_inst()): + if not bindinstance.check_inst(options.unattended): sys.exit("Aborting installation.") - if options.dnssec_master: - # check opendnssec packages are installed - if not opendnssecinstance.check_inst(): - sys.exit("Aborting installation") - # Initialize the ipalib api cfg = dict( in_server=True, @@ -160,14 +138,6 @@ def main(): except errors.ACIError: sys.exit("Password is not valid!") - ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password) - if options.dnssec_master: - dnssec_masters = ods.get_masters() - # we can reinstall current server if it is dnssec master - if not api.env.host in dnssec_masters and dnssec_masters: - print "DNSSEC key master(s):", u','.join(dnssec_masters) - sys.exit("Only one DNSSEC key master is supported in current version.") - ip_addresses = get_server_ip_address(api.env.host, fstore, options.unattended, True, options.ip_addresses) @@ -213,16 +183,6 @@ def main(): no_dnssec_validation=options.no_dnssec_validation) bind.create_instance() - # on dnssec master this must be installed last - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) - dnskeysyncd.create_instance(api.env.host, api.env.realm) - if options.dnssec_master: - ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password) - - ods_exporter.create_instance(api.env.host, api.env.realm) - ods.create_instance(api.env.host, api.env.realm) - - dnskeysyncd.start_dnskeysyncd() bind.start_named() # Restart http instance to make sure that python-dns has the right resolver diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 70190b718965518803b9767325d58f9526c32f7c..b8813aaa5d54d40756e9d9b8f0ee3e2dd7e8b253 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -33,7 +33,7 @@ from ipapython import ipautil from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance -from ipaserver.install import memcacheinstance, dnskeysyncinstance +from ipaserver.install import memcacheinstance from ipaserver.install import otpdinstance from ipaserver.install.replication import replica_conn_check, ReplicationManager from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info, @@ -112,8 +112,6 @@ def parse_options(): action="append", help="The reverse DNS zone to use") dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create new reverse DNS zone") - dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true", - default=False, help="Disable DNSSEC validation") dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true", default=False, help="Do not use DNS for hostname lookup during installation") @@ -127,6 +125,9 @@ def parse_options(): # pkinit is disabled in production version options.setup_pkinit = False + # Disable DNSSEC support + options.no_dnssec_validation = False + if len(args) != 1: parser.error("you must provide a file generated by ipa-replica-prepare") @@ -139,8 +140,6 @@ def parse_options(): parser.error("You cannot specify a --reverse-zone option without the --setup-dns option") if options.no_reverse: parser.error("You cannot specify a --no-reverse option without the --setup-dns option") - if options.no_dnssec_validation: - parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option") elif options.forwarders and options.no_forwarders: parser.error("You cannot specify a --forwarder option together with --no-forwarders") elif not options.forwarders and not options.no_forwarders: 
@@ -274,10 +273,6 @@ def install_bind(config, options): no_dnssec_validation=options.no_dnssec_validation) bind.create_instance() print "" - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance( - dm_password=config.dirman_password) - dnskeysyncd.create_instance(api.env.host, api.env.realm) - dnskeysyncd.start_dnskeysyncd() bind.start_named() print "" bind.check_global_configuration() @@ -354,8 +349,7 @@ def check_dirsrv(): sys.exit(1) def check_bind(): - if not (bindinstance.check_inst(unattended=True) and - dnskeysyncinstance.check_inst()): + if not bindinstance.check_inst(unattended=True): print "Aborting installation" sys.exit(1) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 4f92c0c927b3267eeb466a06d3283823c05437b0..86d77844489abe4d7151a29a4e81320e01d5c412 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -29,7 +29,6 @@ import socket from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils from ipaserver.install import bindinstance, cainstance, certs -from ipaserver.install import opendnssecinstance, dnskeysyncinstance from ipaserver.plugins import ldap2 from ipapython import version, ipaldap from ipalib import api, errors, util @@ -695,14 +694,6 @@ def del_master(realm, hostname, options): if not options.force and not ipautil.user_input("Continue to delete?", False): sys.exit("Deletion aborted") - # test if replica is not DNSSEC master - # allow to delete it if is last DNS server - if 'DNS' in this_services and other_dns and not options.force: - dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn) - if hostname in dnssec_masters: - print "Replica is active DNSSEC key master. Uninstall could break your DNS system." - sys.exit("Deletion aborted") - # Pick CA renewal master ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) if ca.is_renewal_master(hostname): 
@@ -757,9 +748,6 @@ def del_master(realm, hostname, options): bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower()) bind.remove_server_ns_records(hostname) - - keysyncd = dnskeysyncinstance.DNSKeySyncInstance() - keysyncd.remove_replica_public_keys(hostname) except Exception, e: print "Failed to cleanup %s DNS entries: %s" % (hostname, e) print "You may need to manually remove them from the tree" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 3b748aaab37fa8806ebc7a4983ed97cc8243a9c4..6bcb0a16dbdfc0258ab40c70ea94740dfb537d8a 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -49,9 +49,6 @@ except ImportError: from ipaserver.install import dsinstance from ipaserver.install import krbinstance from ipaserver.install import bindinstance -from ipaserver.install import dnskeysyncinstance -from ipaserver.install import opendnssecinstance -from ipaserver.install import odsexporterinstance from ipaserver.install import httpinstance from ipaserver.install import ntpinstance from ipaserver.install import certs @@ -272,8 +269,6 @@ def parse_options(): action="append", default=[]) dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create reverse DNS zone") - dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true", - default=False, help="Disable DNSSEC validation") dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback, type="string", help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN") @@ -297,6 +292,9 @@ def parse_options(): options.pkinit_pin = False options.pkinit_cert_files = False + # Disable DNSSEC support + options.no_dnssec_validation = False + if options.dm_password is not None: try: validate_dm_password(options.dm_password) 
@@ -323,8 +321,6 @@ def parse_options(): parser.error("You cannot specify a --reverse-zone option without the --setup-dns option") if options.no_reverse: parser.error("You cannot specify a --no-reverse option without the --setup-dns option") - if options.no_dnssec_validation: - parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option") elif options.forwarders and options.no_forwarders: parser.error("You cannot specify a --forwarder option together with --no-forwarders") elif options.reverse_zones and options.no_reverse: @@ -564,17 +560,7 @@ def uninstall(): api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) if ca_instance.is_configured(): ca_instance.uninstall() - - ods = opendnssecinstance.OpenDNSSECInstance(fstore) - if ods.is_configured(): - ods.uninstall() - - ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) - if ods_exporter.is_configured(): - ods_exporter.uninstall() - bindinstance.BindInstance(fstore).uninstall() - dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() @@ -737,20 +723,6 @@ def main(): "agreements.\n\n") print textwrap.fill(msg, width=80, replace_whitespace=False) else: - - # test if server is DNSSEC key master - masters = opendnssecinstance.get_dnssec_key_masters(conn) - if api.env.host in masters: - print "This server is active DNSSEC key master. Uninstall could break your DNS system." - if not (options.unattended or user_input("Are you sure you " - "want to continue " - "with the uninstall " - "procedure?", - False)): - print "" - print "Aborting uninstall operation." - sys.exit(1) - rm = replication.ReplicationManager( realm=api.env.realm, hostname=api.env.host, 
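Review bot: In the @@ -564 hunk of ipa-server-install, `uninstall()` no longer tears down the DNSKeySync, OpenDNSSEC and ODS-exporter instances, while ipaplatform/redhat/services.py (@@ -69) still registers the `ipa-dnskeysyncd`, `named-pkcs11` and `ods-*` units. If a host was installed from an earlier build that configured ipa-dnskeysyncd or named-pkcs11, those services would presumably stay enabled and running after ipa-server-install --uninstall completes, leaving a privileged daemon behind that the uninstall is meant to remove. If such installations can exist, a guarded cleanup of the form `if dnskeysyncinstance.DNSKeySyncInstance(fstore).is_configured(): ...uninstall()` keeps the uninstall path complete; if they are explicitly unsupported, the commit description should say so. The same consideration applies to the DNSSEC key-master checks removed in @@ -737 here and in ipa-replica-manage @@ -695.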
@@ -899,8 +871,7 @@ def main(): # check bind packages are installed if options.setup_dns: - if not (bindinstance.check_inst(options.unattended) and - dnskeysyncinstance.check_inst()): + if not bindinstance.check_inst(options.unattended): sys.exit("Aborting installation") # Don't require an external DNS to say who we are if we are @@ -1289,9 +1260,6 @@ def main(): api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) bind.create_instance() - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) - dnskeysyncd.create_instance(api.env.host, api.env.realm) - dnskeysyncd.start_dnskeysyncd() bind.start_named() print "" bind.check_global_configuration() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index cd50edeecb055c71831fad806afde43c2779cdf8..cf85f58c26510fcd105b54126152a50474c869b5 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -53,7 +53,6 @@ from ipaserver.install import cainstance from ipaserver.install import certs from ipaserver.install import otpdinstance from ipaserver.install import sysupgrade -from ipaserver.install import dnskeysyncinstance def parse_options(): @@ -1421,14 +1420,6 @@ def main(): except ipalib.errors.DuplicateEntry: pass - # install DNSKeySync service only if DNS is configured on server - if bindinstance.named_conf_exists(): - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True) - if not dnskeysyncd.is_configured(): - ds.start() - dnskeysyncd.create_instance(fqdn, api.env.realm) - dnskeysyncd.start_dnskeysyncd() - cleanup_kdc(fstore) cleanup_adtrust(fstore) setup_firefox_extension(fstore) @@ -1447,7 +1438,6 @@ def main(): named_bindkey_file_option(), named_managed_keys_dir_option(), named_root_key_include(), - mask_named_regular(), ) if any(named_conf_changes): 
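Review bot: In the @@ -1447 hunk of ipa-upgradeconfig, dropping `mask_named_regular()` stops masking named.service on upgrade, but no hunk unmasks it: services.py (@@ -69) now maps `named` to `named-regular`, i.e. named.service, and bindinstance.py @@ -674 and @@ -1187 remove the only code that masked and unmasked that unit. A server upgraded from a build that had masked named.service would therefore have its DNS service unit masked while named-pkcs11 remains the unit actually running, so `BindInstance.start()` on such a host would presumably fail and DNS would stay on the old binary. If upgrades from those builds are in scope, the upgrade path needs a transition step along the lines of `services.service('named-regular').unmask()` plus stopping and disabling named-pkcs11; if not, a comment at the `named_conf_changes` tuple noting that the mask step was removed together with DNSSEC support would save the next reader the search. main() of ipa-upgradeconfig starts and ends outside this hunk.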
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ea4c212b42631e8513a13d2a7f5a859b2176376b..60129f8b873fad1d3552ca749068f36db41108e9 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2389,7 +2389,9 @@ class dnszone(DNSZoneBase): if options['idnssecinlinesigning'] is True: messages.add_message(options['version'], result, messages.DNSSECWarning( - additional_info=_("Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.") + additional_info=_("Manual configuration needed, please " + "visit 'http://www.freeipa.org/page/Releases/4.0.0#" + "Experimental_DNSSEC_Support'") )) else: messages.add_message(options['version'], result, diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..5c9bae56552cefec1f3b8a16a52b8704171d4024 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -69,7 +69,7 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket' redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service' redhat_system_units['named-regular'] = 'named.service' redhat_system_units['named-pkcs11'] = 'named-pkcs11.service' -redhat_system_units['named'] = redhat_system_units['named-pkcs11'] +redhat_system_units['named'] = redhat_system_units['named-regular'] redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service' redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd'] redhat_system_units['ods-signerd'] = 'ods-signerd.service' @@ -242,10 +242,10 @@ class RedHatNamedService(RedHatService): return u'named' def get_binary_path(self): - return paths.NAMED_PKCS11 + return paths.NAMED def get_package_name(self): - return u"bind-pkcs11" + return u"bind" class RedHatODSEnforcerdService(RedHatService): diff --git a/ipapython/Makefile b/ipapython/Makefile index b2cf719fdd580801a147def17e5a7483665b3d79..e09956ad32cf48d1ed585a494c8083e58c48d037 100644 --- a/ipapython/Makefile +++ b/ipapython/Makefile 
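Review bot: In the services.py @@ -69 hunk, the `redhat_system_units` table keeps the `ipa-dnskeysyncd`, `named-pkcs11`, `ods-enforcerd` and `ods-signerd` entries while this patch removes every caller of the corresponding instances, so a reader will assume those units are managed by IPA when they are not. A short comment above them, e.g. `# DNSSEC-related units below are currently unused (DNSSEC support disabled); kept for later re-enablement`, makes the dead mappings explicit. The same applies to `RedHatODSEnforcerdService` and the other DNSSEC service classes that remain in the file, as far as is visible here.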
@@ -3,7 +3,7 @@ PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa CONFIGDIR ?= $(DESTDIR)/etc/ipa TESTS = $(wildcard test/*.py) -SUBDIRS = py_default_encoding ipap11helper +SUBDIRS = py_default_encoding all: @for subdir in $(SUBDIRS); do \ diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in index 6caf179051533e0db77a4091db5874bbdae426c9..a839f094ac0f9a2c303862e397bb4deb7589cc62 100644 --- a/ipapython/setup.py.in +++ b/ipapython/setup.py.in @@ -65,7 +65,7 @@ def setup_package(): classifiers=filter(None, CLASSIFIERS.split('\n')), platforms = ["Linux", "Solaris", "Unix"], package_dir = {'ipapython': ''}, - packages = [ "ipapython", "ipapython.dnssec" ], + packages = [ "ipapython" ], ) finally: del sys.path[0] diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 547cf19ee36140b5f29fcf7d217933fa68e1952b..9085cf9b59a064d82c0df774a6fa961c9d158ccf 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -543,7 +543,6 @@ class BindInstance(service.Service): self.sub_dict = None self.reverse_zones = [] self.dm_password = dm_password - self.named_regular = services.service('named-regular') if fstore: self.fstore = fstore @@ -652,8 +651,6 @@ class BindInstance(service.Service): if self.get_state("running") is None: # first time store status self.backup_state("running", self.is_running()) - self.backup_state("named-regular-running", - self.named_regular.is_running()) self.restart() except Exception as e: root_logger.error("Named service failed to start (%s)", e) @@ -662,8 +659,6 @@ class BindInstance(service.Service): def __enable(self): if self.get_state("enabled") is None: self.backup_state("enabled", self.is_running()) - self.backup_state("named-regular-enabled", - self.named_regular.is_running()) # We do not let the system start IPA components on its own, # Instead we reply on the IPA init script to start only enabled # components as found in our LDAP configuration tree 
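Review bot: In the bindinstance.py @@ -662 hunk, the line left in `__enable` stores `self.is_running()` under the `"enabled"` key (`self.backup_state("enabled", self.is_running())`), which looks like it was meant to record the enabled state rather than the running state; since uninstall later restores `enabled` from that value (@@ -1167 context in the next hunk set), a service that was enabled but stopped at install time would not be re-enabled on uninstall. This is pre-existing rather than introduced here, but the hunk is touching exactly this method, so it is worth confirming whether `self.is_enabled()` was intended. The `__start` hunk (@@ -652) records `running` correctly, which makes the asymmetry stand out.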
@@ -674,17 +669,6 @@ class BindInstance(service.Service): # don't crash, just report error root_logger.error("DNS service already exists") - # disable named, we need to run named-pkcs11 only - try: - self.named_regular.stop() - except Exception as e: - root_logger.debug("Unable to stop named (%s)", e) - - try: - self.named_regular.mask() - except Exception as e: - root_logger.debug("Unable to mask named (%s)", e) - def __setup_sub_dict(self): if self.forwarders: fwds = "\n" @@ -1167,8 +1151,6 @@ class BindInstance(service.Service): running = self.restore_state("running") enabled = self.restore_state("enabled") - named_regular_running = self.restore_state("named-regular-running") - named_regular_enabled = self.restore_state("named-regular-enabled") self.dns_backup.clear_records(api.Backend.ldap2.isconnected()) @@ -1187,10 +1169,3 @@ class BindInstance(service.Service): if not running is None and running: self.start() - - self.named_regular.unmask() - if named_regular_enabled: - self.named_regular.enable() - - if named_regular_running: - self.named_regular.start() -- 2.1.0