From b35c75d864040b98ed3f9214d5d17d32f06d6ee1 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 11 Jul 2022 14:20:32 -0400 Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry. This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left. Fixes: https://pagure.io/freeipa/issue/9195 Signed-off-by: Rob Crittenden --- ipaserver/dns_data_management.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index e2bc530ee8a..aaae5446856 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py @@ -19,6 +19,7 @@ from time import sleep, time from ipalib import errors +from ipalib.constants import IPA_CA_RECORD from ipalib.dns import record_name_format from ipapython.dnsutil import DNSName from ipaserver.install import installutils @@ -187,7 +188,7 @@ def __add_uri_records( def __add_ca_records_from_hostname(self, zone_obj, hostname): assert isinstance(hostname, DNSName) and hostname.is_absolute() - r_name = DNSName('ipa-ca') + self.domain_abs + r_name = DNSName(IPA_CA_RECORD) + self.domain_abs rrsets = None end_time = time() + CA_RECORDS_DNS_TIMEOUT while True: @@ -210,6 +211,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname): for rrset in rrsets: for rd in rrset: + logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname) rdataset = zone_obj.get_rdataset( r_name, rd.rdtype, create=True) rdataset.add(rd, ttl=self.TTL) @@ -461,6 +463,14 @@ def update_base_records(self): ) ) + # Remove the ipa-ca record(s). They will be reconstructed in + # get_base_records(). + r_name = DNSName(IPA_CA_RECORD) + self.domain_abs + try: + self.api_instance.Command.dnsrecord_del( + self.domain_abs, r_name, del_all=True) + except errors.NotFound: + pass base_zone = self.get_base_records() for record_name, node in base_zone.items(): set_cname_template = record_name in names_requiring_cname_templates