Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Petr Spacek]

On 19.11.2015 11:05, Martin Basti wrote:
> 
> 
> On 18.11.2015 18:33, Petr Spacek wrote:
>> On 12.11.2015 13:58, Martin Basti wrote:
>>>
>>> On 09.11.2015 08:47, Petr Spacek wrote:
 On 4.11.2015 16:16, Martin Basti wrote:
> Patch attached.
>
> https://fedorahosted.org/freeipa/ticket/5421
 I'm not entirely sure how this patch will interact with magic included in
 ipalib/plugins/dns.py:class dns_resolve(Command).

 I would like to delete the 'normalization' from at least one of these 
 places.

 Also, as you know, DNS names are not strings and should be manipulated 
 using
 python-dns so all crazy things in DNS names do not break in weird corner
 cases.

>>> Updated patch attached.
>> Hmm, you bravely ignored my comment about class dns_resolve(Command) above,
>> sooo: NACK.
>>
>> As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves
>> in the same brain-dead way as original is_host_resolvable() function. Please
>> fix both, not just one.
>>
> If you are sure that the behavior of the dns-resolve is bad, then updated
> patch that removes the code which appending the api.env.domain to query.
> 
> Patch attached.

ACK

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Martin Basti]

On 25.11.2015 13:36, Petr Spacek wrote:

On 19.11.2015 11:05, Martin Basti wrote:


On 18.11.2015 18:33, Petr Spacek wrote:

On 12.11.2015 13:58, Martin Basti wrote:

On 09.11.2015 08:47, Petr Spacek wrote:

On 4.11.2015 16:16, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in
ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using
python-dns so all crazy things in DNS names do not break in weird corner
cases.


Updated patch attached.

Hmm, you bravely ignored my comment about class dns_resolve(Command) above,
sooo: NACK.

As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves
in the same brain-dead way as original is_host_resolvable() function. Please
fix both, not just one.


If you are sure that the behavior of the dns-resolve is bad, then updated
patch that removes the code which appending the api.env.domain to query.

Patch attached.

ACK


Pushed to master: 800c7023241fd6182da300cf120870072e6ca602

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Martin Basti]

On 18.11.2015 18:33, Petr Spacek wrote:

On 12.11.2015 13:58, Martin Basti wrote:


On 09.11.2015 08:47, Petr Spacek wrote:

On 4.11.2015 16:16, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in
ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using
python-dns so all crazy things in DNS names do not break in weird corner cases.


Updated patch attached.

Hmm, you bravely ignored my comment about class dns_resolve(Command) above,
sooo: NACK.

As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves
in the same brain-dead way as original is_host_resolvable() function. Please
fix both, not just one.

If you are sure that the behavior of the dns-resolve is bad, then 
updated patch that removes the code which appending the api.env.domain 
to query.


Patch attached.
From 43a8522a2a0d61858e49e9a1a870e04a8f6bcbb8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in  detection of A/ records

Python dns resolver append configured domain to queries which may lead
to false positive answer.

Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
---
 ipalib/plugins/dns.py | 6 +-
 ipapython/ipautil.py  | 5 -
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 686eb758521ee0af2c91e16a599387f740bdb347..901afbb7ac619ee6f25d38808b4c9a7b6cdef112 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -4186,16 +4186,12 @@ class dns_resolve(Command):
 
 takes_args = (
 Str('hostname',
-label=_('Hostname'),
+label=_('Hostname (FQDN)'),
 ),
 )
 
 def execute(self, *args, **options):
 query=args[0]
-if query.find(api.env.domain) == -1 and query.find('.') == -1:
-query = '%s.%s.' % (query, api.env.domain)
-if query[-1] != '.':
-query = query + '.'
 
 if not is_host_resolvable(query):
 raise errors.NotFound(
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..2e306013bf64f56917688da7aec3d9678ec627bc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -49,6 +49,7 @@ from ipapython import ipavalidate
 from ipapython import config
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
 
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702
 
 def is_host_resolvable(fqdn):
+if not isinstance(fqdn, DNSName):
+fqdn = DNSName(fqdn)
 for rdtype in (rdatatype.A, rdatatype.):
 try:
-resolver.query(fqdn, rdtype)
+resolver.query(fqdn.make_absolute(), rdtype)
 except DNSException:
 continue
 else:
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Petr Spacek]

On 12.11.2015 13:58, Martin Basti wrote:
> 
> 
> On 09.11.2015 08:47, Petr Spacek wrote:
>> On 4.11.2015 16:16, Martin Basti wrote:
>>> Patch attached.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5421
>> I'm not entirely sure how this patch will interact with magic included in
>> ipalib/plugins/dns.py:class dns_resolve(Command).
>>
>> I would like to delete the 'normalization' from at least one of these places.
>>
>> Also, as you know, DNS names are not strings and should be manipulated using
>> python-dns so all crazy things in DNS names do not break in weird corner 
>> cases.
>>
> Updated patch attached.

Hmm, you bravely ignored my comment about class dns_resolve(Command) above,
sooo: NACK.

As far as I can tell ipalib/plugins/dns.py:class dns_resolve(Command) behaves
in the same brain-dead way as original is_host_resolvable() function. Please
fix both, not just one.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Martin Basti]

On 09.11.2015 08:47, Petr Spacek wrote:

On 4.11.2015 16:16, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in
ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using
python-dns so all crazy things in DNS names do not break in weird corner cases.


Updated patch attached.
From 48358ae3806ad713b93c71718919404e17525104 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in  detection of A/ records

Python dns resolver append configured domain to queries which may lead
to false positive answer.

Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
---
 ipapython/ipautil.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..2e306013bf64f56917688da7aec3d9678ec627bc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -49,6 +49,7 @@ from ipapython import ipavalidate
 from ipapython import config
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
 
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702
 
 def is_host_resolvable(fqdn):
+if not isinstance(fqdn, DNSName):
+fqdn = DNSName(fqdn)
 for rdtype in (rdatatype.A, rdatatype.):
 try:
-resolver.query(fqdn, rdtype)
+resolver.query(fqdn.make_absolute(), rdtype)
 except DNSException:
 continue
 else:
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Petr Spacek]

On 4.11.2015 16:16, Martin Basti wrote:
> Patch attached.
> 
> https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in
ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using
python-dns so all crazy things in DNS names do not break in weird corner cases.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

[Martin Basti]

Patch attached.

https://fedorahosted.org/freeipa/ticket/5421
From 5e1ff605e30e0b72bf43d90cd72397ba08e68bd3 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in  detection of A/ records

Python dns resolver append configured domain to queries which may lead
to false positive answer.

Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
---
 ipapython/ipautil.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..f04e1a87a8d93486852c5733d97b6ed49c7a7cd7 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -911,6 +911,8 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702
 
 def is_host_resolvable(fqdn):
+if not fqdn.endswith("."):
+fqdn = fqdn + "."
 for rdtype in (rdatatype.A, rdatatype.):
 try:
 resolver.query(fqdn, rdtype)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code