|
 |
5347ee |
From b35c75d864040b98ed3f9214d5d17d32f06d6ee1 Mon Sep 17 00:00:00 2001
|
|
|
5347ee |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
5347ee |
Date: Mon, 11 Jul 2022 14:20:32 -0400
|
|
|
5347ee |
Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records
|
|
|
5347ee |
|
|
|
5347ee |
If a server with a CA has been marked as hidden and
|
|
|
5347ee |
contains the last A or AAAA address then that address
|
|
|
5347ee |
would remain in the ipa-ca entry.
|
|
|
5347ee |
|
|
|
5347ee |
This is because update-dns-system-records did not delete
|
|
|
5347ee |
values, it just re-computed them. So if no A or AAAA
|
|
|
5347ee |
records were found then the existing value was left.
|
|
|
5347ee |
|
|
|
5347ee |
Fixes: https://pagure.io/freeipa/issue/9195
|
|
|
5347ee |
|
|
|
5347ee |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
5347ee |
---
|
|
|
5347ee |
ipaserver/dns_data_management.py | 12 +++++++++++-
|
|
|
5347ee |
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
5347ee |
|
|
|
5347ee |
diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
|
|
|
5347ee |
index e2bc530ee8a..aaae5446856 100644
|
|
|
5347ee |
--- a/ipaserver/dns_data_management.py
|
|
|
5347ee |
+++ b/ipaserver/dns_data_management.py
|
|
|
5347ee |
@@ -19,6 +19,7 @@
|
|
|
5347ee |
from time import sleep, time
|
|
|
5347ee |
|
|
|
5347ee |
from ipalib import errors
|
|
|
5347ee |
+from ipalib.constants import IPA_CA_RECORD
|
|
|
5347ee |
from ipalib.dns import record_name_format
|
|
|
5347ee |
from ipapython.dnsutil import DNSName
|
|
|
5347ee |
from ipaserver.install import installutils
|
|
|
5347ee |
@@ -187,7 +188,7 @@ def __add_uri_records(
|
|
|
5347ee |
|
|
|
5347ee |
def __add_ca_records_from_hostname(self, zone_obj, hostname):
|
|
|
5347ee |
assert isinstance(hostname, DNSName) and hostname.is_absolute()
|
|
|
5347ee |
- r_name = DNSName('ipa-ca') + self.domain_abs
|
|
|
5347ee |
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
|
|
|
5347ee |
rrsets = None
|
|
|
5347ee |
end_time = time() + CA_RECORDS_DNS_TIMEOUT
|
|
|
5347ee |
while True:
|
|
|
5347ee |
@@ -210,6 +211,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname):
|
|
|
5347ee |
|
|
|
5347ee |
for rrset in rrsets:
|
|
|
5347ee |
for rd in rrset:
|
|
|
5347ee |
+ logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
|
|
|
5347ee |
rdataset = zone_obj.get_rdataset(
|
|
|
5347ee |
r_name, rd.rdtype, create=True)
|
|
|
5347ee |
rdataset.add(rd, ttl=self.TTL)
|
|
|
5347ee |
@@ -461,6 +463,14 @@ def update_base_records(self):
|
|
|
5347ee |
)
|
|
|
5347ee |
)
|
|
|
5347ee |
|
|
|
5347ee |
+ # Remove the ipa-ca record(s). They will be reconstructed in
|
|
|
5347ee |
+ # get_base_records().
|
|
|
5347ee |
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
|
|
|
5347ee |
+ try:
|
|
|
5347ee |
+ self.api_instance.Command.dnsrecord_del(
|
|
|
5347ee |
+ self.domain_abs, r_name, del_all=True)
|
|
|
5347ee |
+ except errors.NotFound:
|
|
|
5347ee |
+ pass
|
|
|
5347ee |
base_zone = self.get_base_records()
|
|
|
5347ee |
for record_name, node in base_zone.items():
|
|
|
5347ee |
set_cname_template = record_name in names_requiring_cname_templates
|