Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 25.11.2015 13:36, Petr Spacek wrote:
> On 19.11.2015 11:05, Martin Basti wrote:
>> On 18.11.2015 18:33, Petr Spacek wrote:
>>> On 12.11.2015 13:58, Martin Basti wrote:
>>>> On 09.11.2015 08:47, Petr Spacek wrote:
>>>>> On 4.11.2015 16:16, Martin Basti wrote:
>>>>>> Patch attached.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5421
>>>>> I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).
>>>>>
>>>>> I would like to delete the 'normalization' from at least one of these places.
>>>>>
>>>>> Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.
>>>> Updated patch attached.
>>> Hmm, you bravely ignored my comment about class dns_resolve(Command) above, sooo: NACK.
>>>
>>> As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves in the same brain-dead way as original is_host_resolvable() function. Please fix both, not just one.
>> If you are sure that the behavior of the dns-resolve is bad, then updated patch that removes the code which appends the api.env.domain to query.
>>
>> Patch attached.
> ACK

Pushed to master: 800c7023241fd6182da300cf120870072e6ca602

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 19.11.2015 11:05, Martin Basti wrote:
> On 18.11.2015 18:33, Petr Spacek wrote:
>> On 12.11.2015 13:58, Martin Basti wrote:
>>> On 09.11.2015 08:47, Petr Spacek wrote:
>>>> On 4.11.2015 16:16, Martin Basti wrote:
>>>>> Patch attached.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5421
>>>> I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).
>>>>
>>>> I would like to delete the 'normalization' from at least one of these places.
>>>>
>>>> Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.
>>> Updated patch attached.
>> Hmm, you bravely ignored my comment about class dns_resolve(Command) above, sooo: NACK.
>>
>> As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves in the same brain-dead way as original is_host_resolvable() function. Please fix both, not just one.
> If you are sure that the behavior of the dns-resolve is bad, then updated patch that removes the code which appends the api.env.domain to query.
>
> Patch attached.

ACK

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 18.11.2015 18:33, Petr Spacek wrote:
> On 12.11.2015 13:58, Martin Basti wrote:
>> On 09.11.2015 08:47, Petr Spacek wrote:
>>> On 4.11.2015 16:16, Martin Basti wrote:
>>>> Patch attached.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5421
>>> I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).
>>>
>>> I would like to delete the 'normalization' from at least one of these places.
>>>
>>> Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.
>> Updated patch attached.
> Hmm, you bravely ignored my comment about class dns_resolve(Command) above, sooo: NACK.
>
> As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves in the same brain-dead way as original is_host_resolvable() function. Please fix both, not just one.

If you are sure that the behavior of the dns-resolve is bad, then updated patch that removes the code which appends the api.env.domain to query.

Patch attached.

From 43a8522a2a0d61858e49e9a1a870e04a8f6bcbb8 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in detection of A/AAAA records

Python dns resolver appends configured domain to queries which may lead to false positive answer.

Example: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
--- ipalib/plugins/dns.py | 6 +- ipapython/ipautil.py | 5 - 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 686eb758521ee0af2c91e16a599387f740bdb347..901afbb7ac619ee6f25d38808b4c9a7b6cdef112 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py
@@ -4186,16 +4186,12 @@ class dns_resolve(Command): takes_args = ( Str('hostname', -label=_('Hostname'), +label=_('Hostname (FQDN)'), ), ) def execute(self, *args, **options): query=args[0] -if query.find(api.env.domain) == -1 and query.find('.') == -1: -query = '%s.%s.' % (query, api.env.domain) -if query[-1] != '.': -query = query + '.' if not is_host_resolvable(query): raise errors.NotFound( diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..2e306013bf64f56917688da7aec3d9678ec627bc 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -49,6 +49,7 @@ from ipapython import ipavalidate from ipapython import config from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.dnsutil import DNSName SHARE_DIR = paths.USR_SHARE_IPA_DIR PLUGINS_SHARE_DIR = paths.IPA_PLUGINS @@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non raise last_socket_error # pylint: disable=E0702 def is_host_resolvable(fqdn): +if not isinstance(fqdn, DNSName): +fqdn = DNSName(fqdn) for rdtype in (rdatatype.A, rdatatype.): try: -resolver.query(fqdn, rdtype) +resolver.query(fqdn.make_absolute(), rdtype) except DNSException: continue else: -- 2.5.0
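Review bot: in dns_resolve.execute(), with the api.env.domain branch removed a single-label argument such as "host" is now handed straight to is_host_resolvable() and queried as an absolute name, which changes behaviour for callers that relied on the domain being appended. The label now reads 'Hostname (FQDN)' but nothing checks that the argument is one; consider rejecting or warning on a name without a dot, and update the command's help text to match.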
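Review bot: in is_host_resolvable(), fqdn.make_absolute() is evaluated inside the loop for every rdtype; compute it once right after the DNSName conversion and pass that value to resolver.query(). A short docstring stating that the name is always queried as absolute, regardless of the resolver's configured domain, would help callers.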
Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 12.11.2015 13:58, Martin Basti wrote:
> On 09.11.2015 08:47, Petr Spacek wrote:
>> On 4.11.2015 16:16, Martin Basti wrote:
>>> Patch attached.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5421
>> I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).
>>
>> I would like to delete the 'normalization' from at least one of these places.
>>
>> Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.
> Updated patch attached.

Hmm, you bravely ignored my comment about class dns_resolve(Command) above, sooo: NACK.

As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves in the same brain-dead way as original is_host_resolvable() function. Please fix both, not just one.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 09.11.2015 08:47, Petr Spacek wrote:
> On 4.11.2015 16:16, Martin Basti wrote:
>> Patch attached.
>>
>> https://fedorahosted.org/freeipa/ticket/5421
> I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).
>
> I would like to delete the 'normalization' from at least one of these places.
>
> Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.

Updated patch attached.

From 48358ae3806ad713b93c71718919404e17525104 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in detection of A/AAAA records

Python dns resolver appends configured domain to queries which may lead to false positive answer.

Example: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
--- ipapython/ipautil.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..2e306013bf64f56917688da7aec3d9678ec627bc 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -49,6 +49,7 @@ from ipapython import ipavalidate from ipapython import config from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.dnsutil import DNSName SHARE_DIR = paths.USR_SHARE_IPA_DIR PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non raise last_socket_error # pylint: disable=E0702 def is_host_resolvable(fqdn): +if not isinstance(fqdn, DNSName): +fqdn = DNSName(fqdn) for rdtype in (rdatatype.A, rdatatype.): try: -resolver.query(fqdn, rdtype) +resolver.query(fqdn.make_absolute(), rdtype) except DNSException: continue else: -- 2.4.3
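Review bot: in is_host_resolvable(), the DNSName(fqdn) conversion sits before the loop and therefore outside the try/except DNSException that guards resolver.query(); if the constructor rejects a malformed name, the exception reaches the caller instead of being handled like a failed lookup. Either wrap the conversion in its own try block or document that callers must pass a valid name.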
Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
On 4.11.2015 16:16, Martin Basti wrote:
> Patch attached.
>
> https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using python-dns so all crazy things in DNS names do not break in weird corner cases.

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records
Patch attached.

https://fedorahosted.org/freeipa/ticket/5421

From 5e1ff605e30e0b72bf43d90cd72397ba08e68bd3 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in detection of A/AAAA records

Python dns resolver appends configured domain to queries which may lead to false positive answer.

Example: resolving "ipa.example.com" may return records for "ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
--- ipapython/ipautil.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..f04e1a87a8d93486852c5733d97b6ed49c7a7cd7 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -911,6 +911,8 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non raise last_socket_error # pylint: disable=E0702 def is_host_resolvable(fqdn): +if not fqdn.endswith("."): +fqdn = fqdn + "." for rdtype in (rdatatype.A, rdatatype.): try: resolver.query(fqdn, rdtype) -- 2.4.3
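Review bot: in is_host_resolvable(), the added fqdn.endswith(".") check assumes fqdn is always a str, and an empty string would be turned into "." so the loop would query the root name. Consider converting the argument to a DNS name object and making that absolute rather than appending a dot to the string, and add a docstring saying the name is always resolved as absolute.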
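The false positive described in the commit message, as an added example that is not code from FreeIPA or python-dns: a simplified model of search-domain expansion over a constructed zone. The helper names, ZONE_DATA and the lookup order used here are assumptions of this model.

```python
# Added illustration: simplified model of resolver search-domain expansion.
# Names are kept as label tuples rather than strings; ZONE_DATA is constructed.

ROOT = ("",)  # the empty root label terminates an absolute name

def parse_name(text):
    """Split a presentation-format name into lowercase labels.
    A trailing dot yields a final empty label, marking the name absolute.
    Escaped dots are not handled in this model."""
    if text == ".":
        return ROOT
    return tuple(label.lower() for label in text.split("."))

def is_absolute(name):
    return len(name) > 0 and name[-1] == ""

def make_absolute(name):
    return name if is_absolute(name) else name + ROOT

def candidates(name, search_domain):
    """Names tried, in order, for one lookup (assumed order for this model)."""
    if is_absolute(name):
        return [name]
    tries = []
    if len(name) > 1:  # multi-label relative names are tried as-is first
        tries.append(name + ROOT)
    tries.append(name + make_absolute(search_domain))
    return tries

def is_host_resolvable(name, zone, search_domain):
    """True if any candidate name has an A or AAAA record in `zone`."""
    return any(
        rdtype in zone.get(cand, ())
        for cand in candidates(name, search_domain)
        for rdtype in ("A", "AAAA")
    )

# Constructed data: only the doubled name exists, the host itself does not.
ZONE_DATA = {parse_name("ipa.example.com.example.com."): {"A"}}
SEARCH = parse_name("example.com")

relative = parse_name("ipa.example.com")
false_positive = is_host_resolvable(relative, ZONE_DATA, SEARCH)
correct = is_host_resolvable(make_absolute(relative), ZONE_DATA, SEARCH)

if __name__ == "__main__":
    print("relative name resolvable:", false_positive)
    print("absolute name resolvable:", correct)
```
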