From 0a670845fa574b7c5595daf8bb6b0f69b587036f Mon Sep 17 00:00:00 2001
From: Thomas M Steenholdt
Date: Sun, 10 Jun 2018 21:23:10 -0200
Subject: [PATCH] Automatically rectify DNSSEC enabled zones
For DNSSEC enabled zones to function correctly, they need to be rectified on update. This changes the DNSSEC enable/disable code to set API-RECTIFY:
To `true` when activating DNSSEC on a domain
To `false` when deactivating DNSSEC on a domain
With this, PowerDNS promises to handle the needed rectifications.
(cherry picked from commit 5d15d8899cc03a4a7d433d33c2c4b1da09b5eb2d)
---
app/models.py | 47 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/app/models.py b/app/models.py
index 8d01a4f..1c02928 100644
--- a/app/models.py
+++ b/app/models.py
@@ -842,19 +842,30 @@ class Domain(db.Model): if domain: headers = {} headers['X-API-Key'] = PDNS_API_KEY - post_data = { - "keytype": "ksk", - "active": True - } try: + # Enable API-RECTIFY for domain, BEFORE activating DNSSEC + post_data = { + "api_rectify": True + } + jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain.name)), headers=headers, method='PUT', data=post_data) + if 'error' in jdata: + return {'status': 'error', 'msg': 'API-RECTIFY could not be enabled for this domain', 'jdata' : jdata} + + # Activate DNSSEC + post_data = { + "keytype": "ksk", + "active": True + } jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys'.format(domain.name)), headers=headers, method='POST',data=post_data) if 'error' in jdata: return {'status': 'error', 'msg': 'Cannot enable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata} - else: - return {'status': 'ok'} + + return {'status': 'ok'} + except: logging.error(traceback.print_exc()) return {'status': 'error', 'msg': 'There was something wrong, please contact administrator'} + else: return {'status': 'error', 'msg': 'This domain does not exist'} 
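Review bot: The new `if 'error' in jdata:` test after the zone PUT assumes `utils.fetch_json` hands back a dict, yet the second hunk compares a DELETE result with `True`, which suggests the helper returns a bare boolean for a bodyless success. If that holds for the PUT as well, `'error' in True` raises TypeError, the bare `except:` turns it into the generic failure message, and the method stops with API-RECTIFY already switched on but no KSK created. Guarding the membership test, e.g. `if isinstance(jdata, dict) and 'error' in jdata:`, avoids that; the same check follows the PUT in the second hunk. The helper is not visible here and the method starts above the hunk, so the return contract should be confirmed against `utils.fetch_json`.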
@@ -866,16 +877,26 @@ class Domain(db.Model): if domain: headers = {} headers['X-API-Key'] = PDNS_API_KEY - url = '/servers/localhost/zones/{0}/cryptokeys/{1}'.format(domain.name, key_id) - try: - jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + url), headers=headers, method='DELETE') - if 'error' in jdata: + # Deactivate DNSSEC + jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}/cryptokeys/{1}'.format(domain.name, key_id)), headers=headers, method='DELETE') + if jdata != True: return {'status': 'error', 'msg': 'Cannot disable DNSSEC for this domain. Error: {0}'.format(jdata['error']), 'jdata' : jdata} - else: - return {'status': 'ok'} + + # Disable API-RECTIFY for domain, AFTER deactivating DNSSEC + post_data = { + "api_rectify": False + } + jdata = utils.fetch_json(urljoin(PDNS_STATS_URL, API_EXTENDED_URL + '/servers/localhost/zones/{0}'.format(domain.name)), headers=headers, method='PUT', data=post_data) + if 'error' in jdata: + return {'status': 'error', 'msg': 'API-RECTIFY could not be disabled for this domain', 'jdata' : jdata} + + return {'status': 'ok'} + except: - return {'status': 'error', 'msg': 'There was something wrong, please contact administrator','id': key_id, 'url': url} + logging.error(traceback.print_exc()) + return {'status': 'error', 'msg': 'There was something wrong, please contact administrator','domain': domain.name, 'id': key_id} + else: return {'status': 'error', 'msg': 'This domain doesnot exist'}
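Review bot: In the `if jdata != True:` branch the error message still indexes `jdata['error']`, so any non-True reply that is not a dict carrying that key raises inside the error path and surfaces only as the generic message from the bare `except:`; building the text with `jdata.get('error') if isinstance(jdata, dict) else jdata` keeps the backend's reason. The added `logging.error(traceback.print_exc())` logs `None`, because `print_exc()` writes to stderr and returns nothing; `logging.error(traceback.format_exc())` records the trace. API-RECTIFY is also switched off unconditionally after deleting the single key `key_id`; if a zone can hold more than one key it would stay signed without rectification, so checking the remaining cryptokeys before the PUT is worth considering. The method starts above the hunk.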