On Mon, 2014-06-30 at 18:07 +0200, Petr Vobornik wrote: > On 27.6.2014 14:55, Martin Basti wrote: > > On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote: > >> On 25.6.2014 14:35, Martin Basti wrote: > >>> On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote: > >>>> Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12 > >>>> Patches attached. > >>>> > >>>> Note: ACI will be updated in another patch which fix ACIs in DNS plugin > >>> > >>> Patches are here > >>> > >> What are patch 0078's dependencies? I'm missing necessary blobs.. > >> (current master). Also it requires rebase because of today's pushes to > >> master (VERSION conflict). > > > > Rebased patch attached > > > > Patch 0078-2: > > Just nitpicks. > > 1. The LDAP attribute type description should be changed to something > more meaningful. the "DNS-Based Authentication of Named Entities - > Transport Layer Security Protocol, RFC 6698" is the complete effort. It > does not say anything about the TLSA record itself. I suggest: "TLSA > certificate association, RFC 6698" which is used in chapter 2 of RFC 6698. This is synced with bind-dyndb-ldap, I use the same description.
> 2. Nitpick: Not a proper alphabetic order ;) > - u'TSIG', u'TXT', > + u'TSIG', u'TLSA', u'TXT', Fixed > > Patch 0079: > > 3. A js-lint warning: > > /dns.js(1140): lint warning: extra comma is not recommended in array > initializers > ] > ............^ > > Just remove the comma on line 1139. To check it, run: > > `jsl -nofilelisting -nologo -nosummary -conf jsl.conf` > > in install/ui directory Fixed Updated patches attached. -- Martin^2 Basti
>From cd3c3bd992175422596d75ff7fe3b63a25877f1a Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Wed, 25 Jun 2014 12:36:59 +0200 Subject: [PATCH 1/2] DNSSEC: add TLSA record type Ticket: https://fedorahosted.org/freeipa/ticket/4328 --- ACI.txt | 4 +-- API.txt | 20 ++++++++++++--- VERSION | 4 +-- install/share/60ipadns.ldif | 3 ++- ipalib/plugins/dns.py | 59 +++++++++++++++++++++++++++++++++------------ 5 files changed, 66 insertions(+), 24 deletions(-) diff --git a/ACI.txt b/ACI.txt index 22b10e3dd9f22ca76a757506f6a0851b18030549..d75f6ea4f9994a1b38cae492161cccb65f4b3191 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord 
|| nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || 
idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 69ca2277e68261b8af48bea04997b59e059337de..dedc80edb5afdfea343e1d912c947e501dffd098 100644 --- a/API.txt +++ b/API.txt @@ -799,7 +799,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: PrimaryKey('value', None, None) command: dnsrecord_add -args: 2,100,3 +args: 2,105,3 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True) arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True) option: Str('a6_part_data', attribute=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False) 
@@ -898,6 +898,11 @@ option: SSHFPRecord('sshfprecord', attribute=True, cli_name='sshfp_rec', csv=Tru option: Flag('structured', autofill=True, default=False) option: TARecord('tarecord', attribute=True, cli_name='ta_rec', csv=True, multivalue=True, option_group=u'TA Record', required=False) option: TKEYRecord('tkeyrecord', attribute=True, cli_name='tkey_rec', csv=True, multivalue=True, option_group=u'TKEY Record', required=False) +option: Str('tlsa_part_cert_association_data', attribute=False, cli_name='tlsa_cert_association_data', multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_cert_usage', attribute=False, cli_name='tlsa_cert_usage', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_matching_type', attribute=False, cli_name='tlsa_matching_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_selector', attribute=False, cli_name='tlsa_selector', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: TLSARecord('tlsarecord', attribute=True, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=u'TLSA Record', required=False) option: TSIGRecord('tsigrecord', attribute=True, cli_name='tsig_rec', csv=True, multivalue=True, option_group=u'TSIG Record', required=False) option: Str('txt_part_data', attribute=False, cli_name='txt_data', multivalue=False, option_group=u'TXT Record', required=False) option: TXTRecord('txtrecord', attribute=True, cli_name='txt_rec', csv=True, multivalue=True, option_group=u'TXT Record', required=False) 
@@ -906,7 +911,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: PrimaryKey('value', None, None) command: dnsrecord_del -args: 2,39,3 +args: 2,40,3 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True) arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) option: A6Record('a6record', attribute=True, autofill=False, cli_name='a6_rec', csv=True, multivalue=True, option_group=None, required=False) @@ -945,6 +950,7 @@ option: SSHFPRecord('sshfprecord', attribute=True, autofill=False, cli_name='ssh option: Flag('structured', autofill=True, default=False) option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=None, required=False) option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=None, required=False) +option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=None, required=False) option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=None, required=False) option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=None, required=False) option: Str('version?', exclude='webui') 
@@ -961,7 +967,7 @@ output: Output('result', <type 'dict'>, None) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: ListOfPrimaryKeys('value', None, None) command: dnsrecord_find -args: 2,44,4 +args: 2,45,4 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True) arg: Str('criteria?', noextrawhitespace=False) option: A6Record('a6record', attribute=True, autofill=False, cli_name='a6_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) @@ -1005,6 +1011,7 @@ option: Flag('structured', autofill=True, default=False) option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) option: Int('timelimit?', autofill=False, minvalue=0) option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) +option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=None, query=True, required=False) option: Str('version?', exclude='webui') 
@@ -1013,7 +1020,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('truncated', <type 'bool'>, None) command: dnsrecord_mod -args: 2,100,3 +args: 2,105,3 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True) arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) option: Str('a6_part_data', attribute=False, autofill=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False) 
@@ -1112,6 +1119,11 @@ option: SSHFPRecord('sshfprecord', attribute=True, autofill=False, cli_name='ssh option: Flag('structured', autofill=True, default=False) option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=u'TA Record', required=False) option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=u'TKEY Record', required=False) +option: Str('tlsa_part_cert_association_data', attribute=False, autofill=False, cli_name='tlsa_cert_association_data', multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_cert_usage', attribute=False, autofill=False, cli_name='tlsa_cert_usage', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_matching_type', attribute=False, autofill=False, cli_name='tlsa_matching_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: Int('tlsa_part_selector', attribute=False, autofill=False, cli_name='tlsa_selector', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False) +option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=u'TLSA Record', required=False) option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=u'TSIG Record', required=False) option: Str('txt_part_data', attribute=False, autofill=False, cli_name='txt_data', multivalue=False, option_group=u'TXT Record', required=False) option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=u'TXT Record', required=False) diff --git a/VERSION b/VERSION index 84e648f4da6cac5bb770280d047145e9759cc6d6..4a3cfa63ebb6c7f758374f224a111703c2b159c1 100644 --- a/VERSION +++ b/VERSION 
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=96 -# Last change: npmaccallum - otptoken-sync +IPA_API_VERSION_MINOR=97 +# Last change: mbasti - New record type added: TLSA diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif index fbad68018734151792e9ead5f06cb07b85f3effe..ac9a50a6baf7aeea8fdd132de69b3f36a04f75ef 100644 --- a/install/share/60ipadns.ldif +++ b/install/share/60ipadns.ldif @@ -27,6 +27,7 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Finge attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' DESC 'RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributeTypes: (1.3.6.1.4.1.2428.20.1.52 NAME 'TLSARecord' DESC 'DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.32769 NAME 'DLVRecord' DESC 'DNSSEC Lookaside Validation, RFC 4431' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 
@@ -52,7 +53,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' ) -objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ nSEC3PARAMRecord $ DLVRecord ) ) +objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ nSEC3PARAMRecord $ DLVRecord $ TLSARecord ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ 
idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' ) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 890d2cceb01faf0e8933a884d812aa2af9f08ab9..3fa2c0b6a01f13960bb28936eeffc6c2559f3d3c 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -238,7 +238,7 @@ _record_types = ( u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', - u'TSIG', u'TXT', + u'TLSA', u'TSIG', u'TXT', ) # DNS zone record identificator @@ -1384,6 +1384,32 @@ class TARecord(DNSRecord): rrtype = 'TA' supported = False + +class TLSARecord(DNSRecord): + rrtype = 'TLSA' + rfc = 6698 + parts = ( + Int('cert_usage', + label=_('Certificate Usage'), + minvalue=0, + maxvalue=255, + ), + Int('selector', + label=_('Selector'), + minvalue=0, + maxvalue=255, + ), + Int('matching_type', + label=_('Matching Type'), + minvalue=0, + maxvalue=255, + ), + Str('cert_association_data', + label=_('Certificate Association Data'), + ), + ) + + class TKEYRecord(DNSRecord): rrtype = 'TKEY' supported = False @@ -1437,6 +1463,7 @@ _dns_records = ( SRVRecord(), SSHFPRecord(), TARecord(), + TLSARecord(), TKEYRecord(), TSIGRecord(), TXTRecord(), 
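Review bot: In the new `TLSARecord` class (hunk `@@ -1384,6 +1384,32 @@`), `cert_association_data` is an unconstrained `Str`, so any text — non-hex characters, odd digit counts, embedded whitespace or newlines from the Web UI textarea — is accepted and written to LDAP as the RDATA, where RFC 6698 §2.2 requires a hexadecimal string (and, for matching types 1 and 2, one that decodes to exactly 32 or 64 bytes). Rejecting this at the API is the only place the operator gets a clear error; otherwise the malformed record reaches the DNS server and the zone load, and a bad TLSA record silently breaks DANE validation for the pinned service. Suggest `Str('cert_association_data', label=_('Certificate Association Data'), pattern=r'^[0-9a-fA-F]+$', pattern_errmsg=u'only hexadecimal digits are allowed')`, mirroring whatever pattern the file's DS/SSHFP digest parts use if they already have one (not visible here); forbidding whitespace also matches the raw-record splitting a space inside the hex would otherwise confuse, presumably. A length-versus-`matching_type` check would need a cross-part validator, which I would add only if `DNSRecord` already provides a hook for it. Minor: `TLSARecord()` in the `_dns_records` hunk is inserted before `TKEYRecord()`, unlike the alphabetical `_record_types` tuple above it.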
@@ -2118,13 +2145,14 @@ class dnszone(DNSZoneBase): 'dnsclass', 'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate', 'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer', 'idnsforwarders', 'idnsforwardpolicy', - 'idnsname', 'idnssoaexpire', 'idnssoaminimum', 'idnssoamname', - 'idnssoarefresh', 'idnssoaretry', 'idnssoarname', - 'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive', - 'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord', - 'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord', - 'nsec3paramrecord', 'nsrecord', 'nxtrecord', 'ptrrecord', - 'rrsigrecord', 'sigrecord', 'srvrecord', 'sshfprecord', + 'idnsname', 'idnssoaexpire', + 'idnssoaminimum', 'idnssoamname', 'idnssoarefresh', + 'idnssoaretry', 'idnssoarname', 'idnssoaserial', + 'idnsupdatepolicy', 'idnszoneactive', 'keyrecord', 'kxrecord', + 'locrecord', 'managedby', 'mdrecord', 'minforecord', + 'mxrecord', 'naptrrecord', 'nsecrecord', 'nsec3paramrecord', + 'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord', + 'sigrecord', 'srvrecord', 'sshfprecord', 'tlsarecord', 'txtrecord', }, 'replaces_system': ['Read DNS Entries'], 
@@ -2151,13 +2179,14 @@ class dnszone(DNSZoneBase): 'dnsclass', 'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate', 'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer', 'idnsforwarders', 'idnsforwardpolicy', - 'idnsname', 'idnssoaexpire', 'idnssoaminimum', 'idnssoamname', - 'idnssoarefresh', 'idnssoaretry', 'idnssoarname', - 'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive', - 'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord', - 'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord', - 'nsec3paramrecord', 'nsrecord', 'nxtrecord', 'ptrrecord', - 'rrsigrecord', 'sigrecord', 'srvrecord', 'sshfprecord', + 'idnsname', 'idnssoaexpire', + 'idnssoaminimum', 'idnssoamname', 'idnssoarefresh', + 'idnssoaretry', 'idnssoarname', 'idnssoaserial', + 'idnsupdatepolicy', 'idnszoneactive', 'keyrecord', 'kxrecord', + 'locrecord', 'managedby', 'mdrecord', 'minforecord', + 'mxrecord', 'naptrrecord', 'nsecrecord', 'nsec3paramrecord', + 'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord', + 'sigrecord', 'srvrecord', 'sshfprecord', 'tlsarecord', 'txtrecord', }, 'replaces': [ -- 1.8.3.1
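Review bot: The hunk rewraps seven lines of the update-permission `ipapermtargetattr` set to add a single token, which makes it hard to confirm in review that only `'tlsarecord'` was added and nothing was dropped; appending `'sshfprecord', 'tlsarecord',` on the existing line (and likewise in the read-permission hunk above) keeps the diff to the one semantic change. This list and the read-permission list are maintained by hand in parallel with `_dns_records`, so a future record type added to `_dns_records` but missed here would be silently unreadable or unwritable through the managed permissions and ACI.txt; a shared module-level tuple of record attribute names used by both permissions, with a comment `# keep in sync with _dns_records`, would at least remove the duplication. The enclosing `managed_permissions` dict and the `dnszone` class start outside the hunk.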
>From ef15f930a8634278a1b8bd2b3cd08ed3c0ffeec3 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Wed, 25 Jun 2014 12:53:12 +0200 Subject: [PATCH 2/2] DNSSEC: WebUI: add TLSA record --- install/ui/src/freeipa/dns.js | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 260b6f8720c8f725426be249c0a72bd72055d4e5..c7143ca91fef9bbc372654080fe899be1ae8367f 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -1123,6 +1123,23 @@ IPA.dns.get_record_metadata = function() { columns: ['sshfp_part_algorithm', 'sshfp_part_fp_type'] }, { + name: 'tlsarecord', + attributes: [ + 'tlsa_part_cert_usage', + 'tlsa_part_selector', + 'tlsa_part_matching_type', + { + name: 'tlsa_part_cert_association_data', + $type: 'textarea' + } + ], + adder_attributes: [], + columns: [ + 'tlsa_part_cert_usage', 'tlsa_part_selector', + 'tlsa_part_matching_type' + ] + }, + { name: 'txtrecord', attributes: [ 'txt_part_data' @@ -1507,7 +1524,7 @@ IPA.dns_record_types = function() { //only supported var attrs = ['A', 'AAAA', 'A6', 'AFSDB', 'CERT', 'CNAME', 'DNAME', 'DS', 'DLV', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', - 'NSEC3PARAM', 'PTR', 'SRV', 'SSHFP', 'TXT']; + 'NSEC3PARAM', 'PTR', 'SRV', 'SSHFP', 'TLSA', 'TXT']; var record_types = []; for (var i=0; i<attrs.length; i++) { var attr = attrs[i]; -- 1.8.3.1