From 31a9cec3fc366954b3cb8943621834fdfce04bd3 Mon Sep 17 00:00:00 2001

From: Petr Spacek <pspacek@redhat.com>

Date: Thu, 26 Nov 2015 15:19:03 +0100

Subject: [PATCH] DNSSEC: Make sure that current key state in LDAP matches key

 state in BIND

We have to explicitly specify "none" value to prevent dnssec-keyfromlabel

utility from using current time for keys without "publish" and "activate"

timestamps.

Previously this lead to situation where key was in (intermediate) state

"generated" in OpenDNSSEC but BIND started to use this key for signing.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 ipapython/dnssec/bindmgr.py | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/dnssec/bindmgr.py b/ipapython/dnssec/bindmgr.py

index 2c6781609594fa27812af3a01d16318198a3e120..70caaf4ee74f594c652cd82bccb8964e172bc719 100644

--- a/ipapython/dnssec/bindmgr.py

+++ b/ipapython/dnssec/bindmgr.py

@@ -58,6 +58,8 @@ class BINDMgr(object):

         return dt.strftime(time_bindfmt)

     def dates2params(self, ldap_attrs):

+        """Convert LDAP timestamps to list of parameters suitable

+        for dnssec-keyfromlabel utility"""

         attr2param = {'idnsseckeypublish': '-P',

                 'idnsseckeyactivate': '-A',

                 'idnsseckeyinactive': '-I',

@@ -65,10 +67,12 @@ class BINDMgr(object):

         params = []

         for attr, param in attr2param.items():

+            params.append(param)

             if attr in ldap_attrs:

-                params.append(param)

                 assert len(ldap_attrs[attr]) == 1, 'Timestamp %s is expected to be single-valued' % attr

                 params.append(self.time_ldap2bindfmt(ldap_attrs[attr][0]))

+            else:

+                params.append('none')

         return params

-- 

2.4.3