Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> On 25.6.2014 14:35, Martin Basti wrote:
> > On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> >> Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> >> Patches attached.
> >>
> >> Note: ACI will be updated in another patch which fix ACIs in DNS plugin
> >
> > Patches are here
> >
> What are patch 0078's dependencies? I'm missing necessary blobs..
> (current master). Also it requires rebase because of today's pushes to
> master (VERSION conflict).

Rebased patch attached

-- 
Martin^2 Basti

>From c20ad47dc8bc72e2a60b7fda8c513b3eb53ceccb Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 25 Jun 2014 12:36:59 +0200
Subject: [PATCH] DNSSEC: add TLSA record type

Ticket: https://fedorahosted.org/freeipa/ticket/4328
---
 ACI.txt | 4 +--
 API.txt | 20 ---
 VERSION | 4 +--
 install/share/60ipadns.ldif | 3 ++-
 ipalib/plugins/dns.py | 59 +
 5 files changed, 66 insertions(+), 24 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 22b10e3dd9f22ca76a757506f6a0851b18030549..d75f6ea4f9994a1b38cae492161cccb65f4b3191 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || 
nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targeta
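Review bot: the Update DNS Entries half of this hunk is cut off at `+aci: (targeta`, so the only change that can be verified in this copy is `tlsarecord` being inserted between `sshfprecord` and `txtrecord` in the System: Read DNS Entries targetattr list. The visible `-aci:` line for System: Update DNS Entries carries the same attribute list without `tlsarecord`, and that ACI is the one granting `allow (write)`, so the matching `tlsarecord` addition there is the part that needs confirming: a record type covered by the read permission but not by the write permission would show up in lookups yet could not be managed through the Update permission. The diffstat also lists install/share/60ipadns.ldif (3 lines), presumably where the `tlsarecord` attribute type itself is added to the schema; the two should land together so the ACI does not reference an attribute the schema does not know.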
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On 27.6.2014 14:55, Martin Basti wrote:
> On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
>> On 25.6.2014 14:35, Martin Basti wrote:
>>> On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
>>>> Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
>>>> Patches attached.
>>>>
>>>> Note: ACI will be updated in another patch which fix ACIs in DNS plugin
>>>
>>> Patches are here
>>>
>> What are patch 0078's dependencies? I'm missing necessary blobs..
>> (current master). Also it requires rebase because of today's pushes to
>> master (VERSION conflict).
>
> Rebased patch attached

Patch 0078-2:

Just nitpicks.

1. The LDAP attribute type description should be changed to something more meaningful. The "DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698" is the complete effort. It does not say anything about the TLSA record itself. I suggest: "TLSA certificate association, RFC 6698" which is used in chapter 2 of RFC 6698.

2. Nitpick: Not a proper alphabetic order ;)

-u'TSIG', u'TXT',
+u'TSIG', u'TLSA', u'TXT',

Patch 0079:

3. A js-lint warning:

/dns.js(1140): lint warning: extra comma is not recommended in array initializers
]
^

Just remove the comma on line 1139. To check it, run:

`jsl -nofilelisting -nologo -nosummary -conf jsl.conf`

in install/ui directory

-- 
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On Mon, 2014-06-30 at 18:07 +0200, Petr Vobornik wrote:
> On 27.6.2014 14:55, Martin Basti wrote:
> > On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
> >> On 25.6.2014 14:35, Martin Basti wrote:
> >>> On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
> >>>> Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
> >>>> Patches attached.
> >>>>
> >>>> Note: ACI will be updated in another patch which fix ACIs in DNS plugin
> >>>
> >>> Patches are here
> >>>
> >> What are patch 0078's dependencies? I'm missing necessary blobs..
> >> (current master). Also it requires rebase because of today's pushes to
> >> master (VERSION conflict).
> >
> > Rebased patch attached
> >
> 
> Patch 0078-2:
> 
> Just nitpicks.
> 
> 1. The LDAP attribute type description should be changed to something
> more meaningful. The "DNS-Based Authentication of Named Entities -
> Transport Layer Security Protocol, RFC 6698" is the complete effort. It
> does not say anything about the TLSA record itself. I suggest: "TLSA
> certificate association, RFC 6698" which is used in chapter 2 of RFC 6698.

This is synced with bind-dyndb-ldap, I use the same description.

> 2. Nitpick: Not a proper alphabetic order ;)
> -u'TSIG', u'TXT',
> +u'TSIG', u'TLSA', u'TXT',

Fixed

> 
> Patch 0079:
> 
> 3. A js-lint warning:
> 
> /dns.js(1140): lint warning: extra comma is not recommended in array
> initializers
> ]
> ^
> 
> Just remove the comma on line 1139. To check it, run:
> 
> `jsl -nofilelisting -nologo -nosummary -conf jsl.conf`
> 
> in install/ui directory

Fixed

Updated patches attached.

-- 
Martin^2 Basti

>From cd3c3bd992175422596d75ff7fe3b63a25877f1a Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 25 Jun 2014 12:36:59 +0200
Subject: [PATCH 1/2] DNSSEC: add TLSA record type

Ticket: https://fedorahosted.org/freeipa/ticket/4328
---
 ACI.txt | 4 +--
 API.txt | 20 ---
 VERSION | 4 +--
 install/share/60ipadns.ldif | 3 ++-
 ipalib/plugins/dns.py | 59 +
 5 files changed, 66 insertions(+), 24 deletions(-)
diff --git a/ACI.txt b/ACI.txt index 22b10e3dd9f22ca76a757506f6a0851b18030549..d75f6ea4f9994a1b38cae492161cccb65f4b3191 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || 
nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS
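Review bot: the index line shows the same blob ids (22b10e3dd9f2…d75f6ea4f999) as the ACI.txt hunk in the first rebased patch, so this file is untouched by the v2 respin, and this copy is truncated even earlier, inside the System: Remove DNS Entries aci. The only visible change is still `tlsarecord` added to the System: Read DNS Entries targetattr; the System: Update DNS Entries `+aci:` line, which is the `allow (write)` side and is not visible in either message, is where the write permission for the new attribute has to be confirmed before the ACI.txt change is complete.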
Re: [Freeipa-devel] [PATCH 0078-0079] DNSSEC: Add TLSA record
On 1.7.2014 10:11, Martin Basti wrote:
> On Mon, 2014-06-30 at 18:07 +0200, Petr Vobornik wrote:
>> On 27.6.2014 14:55, Martin Basti wrote:
>>> On Thu, 2014-06-26 at 13:57 +0200, Petr Vobornik wrote:
>>>> On 25.6.2014 14:35, Martin Basti wrote:
>>>>> On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:
>>>>>> Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
>>>>>> Patches attached.
>>>>>>
>>>>>> Note: ACI will be updated in another patch which fix ACIs in DNS plugin
>>>>>
>>>>> Patches are here
>>>>>
>>>> What are patch 0078's dependencies? I'm missing necessary blobs..
>>>> (current master). Also it requires rebase because of today's pushes to
>>>> master (VERSION conflict).
>>>
>>> Rebased patch attached
>>>
>> Patch 0078-2:
>>
>> Just nitpicks.
>>
>> 1. The LDAP attribute type description should be changed to something
>> more meaningful. The "DNS-Based Authentication of Named Entities -
>> Transport Layer Security Protocol, RFC 6698" is the complete effort. It
>> does not say anything about the TLSA record itself. I suggest: "TLSA
>> certificate association, RFC 6698" which is used in chapter 2 of RFC 6698.
>
> This is synced with bind-dyndb-ldap, I use the same description.
>
>> 2. Nitpick: Not a proper alphabetic order ;)
>> -u'TSIG', u'TXT',
>> +u'TSIG', u'TLSA', u'TXT',
>
> Fixed
>
>> Patch 0079:
>>
>> 3. A js-lint warning:
>>
>> /dns.js(1140): lint warning: extra comma is not recommended in array
>> initializers
>> ]
>> ^
>>
>> Just remove the comma on line 1139. To check it, run:
>>
>> `jsl -nofilelisting -nologo -nosummary -conf jsl.conf`
>>
>> in install/ui directory
>
> Fixed
>
> Updated patches attached.

ACK and pushed to master:
* 12cb31575ca84d8084687c9906e5824462bd33ec DNSSEC: add TLSA record type
* 8e911fcabc2c07cce42e32554cf8c9bcc6a544f5 DNSSEC: WebUI: add TLSA record

-- 
Petr Vobornik