From 4e0ad96fbd9f438c884eeeaa60c2fb0c910a2b61 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 11 Jul 2022 14:20:32 -0400
Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.
This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.
Fixes: https://pagure.io/freeipa/issue/9195
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
---
ipaserver/dns_data_management.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index e2bc530ee8a8d7ade853652680c524ccd229205c..aaae5446856aba5e39ca9bb9c03decd434e4f71a 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -19,6 +19,7 @@ from dns import (
from time import sleep, time
|
from ipalib import errors
+from ipalib.constants import IPA_CA_RECORD
from ipalib.dns import record_name_format
from ipapython.dnsutil import DNSName
from ipaserver.install import installutils
@@ -187,7 +188,7 @@ class IPASystemRecords:
|
def __add_ca_records_from_hostname(self, zone_obj, hostname):
assert isinstance(hostname, DNSName) and hostname.is_absolute()
- r_name = DNSName('ipa-ca') + self.domain_abs
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
rrsets = None
end_time = time() + CA_RECORDS_DNS_TIMEOUT
while True:
@@ -210,6 +211,7 @@ class IPASystemRecords:
|
for rrset in rrsets:
for rd in rrset:
+ logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
rdataset = zone_obj.get_rdataset(
r_name, rd.rdtype, create=True)
rdataset.add(rd, ttl=self.TTL)
@@ -461,6 +463,14 @@ class IPASystemRecords:
)
)
|
+ # Remove the ipa-ca record(s). They will be reconstructed in
+ # get_base_records().
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
+ try:
+ self.api_instance.Command.dnsrecord_del(
+ self.domain_abs, r_name, del_all=True)
+ except errors.NotFound:
+ pass
base_zone = self.get_base_records()
for record_name, node in base_zone.items():
set_cname_template = record_name in names_requiring_cname_templates
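Review bot: The new `dnsrecord_del` call runs before `base_zone = self.get_base_records()`, so if the rebuild raises (or the lookup in __add_ca_records_from_hostname waits out CA_RECORDS_DNS_TIMEOUT) the ipa-ca name has already been emptied and is left with no A/AAAA records at all, and even on the happy path clients resolving ipa-ca may see a gap between the delete and the re-add. Moving the `try: ... dnsrecord_del(...) except errors.NotFound: pass` block to just after `base_zone = self.get_base_records()` keeps the old records in place whenever the rebuild fails and shrinks the window to the update itself; computing the new A/AAAA set first and removing only the values not in it would avoid the gap entirely. `del_all=True` also removes every record type at that name, not only the A/AAAA values the rebuild appears to recreate, so if anything else is kept under ipa-ca it would be lost on each run — either a comment such as `# del_all wipes every rdtype at ipa-ca; only A/AAAA are rebuilt below` or restricting the delete to those types would make that explicit. The enclosing method starts outside the hunk.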
--
2.39.1