#4930 Cannot view structured dns-record output
Closed: Fixed. Opened 9 years ago by pdf.

My guess is it's due to the NSEC3PARAM record being present.

After enabling the DNSSEC master role and setting NSEC3PARAM in the domain settings, attempting to view the '@' record of the zone, either via the web interface or via the CLI with --structured, results in a failure with the following backtrace:

ipa: ERROR: non-public: TypeError: object of type 'NoneType' has no len()
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 349, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1317, in execute
    self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 4082, in post_callback
    self.obj.postprocess_record(entry_attrs, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3166, in postprocess_record
    values = param._get_part_values(dnsvalue)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 707, in _get_part_values
    if len(values) != len(self.parts):
TypeError: object of type 'NoneType' has no len()

ipa: INFO: [jsonserver_session] admin@DOMAIN.TLD: dnsrecord_show(u'domain.tld.', u'@', rights=True, structured=True, all=True, version=u'2.113'): TypeError

Records present:

# ipa dnsrecord-show domain.tld @
  Record name: @
  A record: nnn.nnn.nnn.nnn
  MX record: 10 mx0, 20 mx1
  NS record: ns0, ns1
  NSEC3PARAM record: 1 0 30 AAAAAAAAAAAAAAAAAA
  TXT record: v=spf1 ipv6:AAAA::/n ip4:nnn.nnn.nnn.nnn/n -all

This is a live system with public records, so I can't really mess with it too much, and I only noticed the issue some time after I'd published :-/

This is also occurring on v4.1.3 from updates-testing.


Because IPA tries to show all records from LDAP in the output, including unsupported ones, this will happen with every record that is marked as unsupported in IPA.
(NSEC3PARAM is not handled as a record; it is marked as an unsupported record, but it is a zone attribute in IPA.)

Possible fixes:

  • do not show these records with the --structured option
  • do not show these records at all
  • rewrite the DNS plugin to handle unsupported types (allow showing them (with --structured), mod?, del?)

The traceback is raised only when the LDAP entry contains a record marked as unsupported.

e.g.: NSEC3, SIG, RRSIG, TA

I would show it only if both the --all and --raw options are specified. That way the user can know that something else is in the record.

I would rather see generic class for 'unsupported' types which allows you to read and delete values even from web UI. The value can be one long string as seen in LDAP, no format conversions, no checking.

Replying to [comment:5 pspacek]:

> I would rather see generic class for 'unsupported' types which allows you to read and delete values even from web UI. The value can be one long string as seen in LDAP, no format conversions, no checking.

Hrm, that has some UI implications - NSEC3PARAM, for example, is implemented as a domain setting. If I had a vote, I'd vote for something along the lines of what pvoborni suggested.

pdf, could you clarify what problem you see with the generic approach? It would behave in the same way as today - the web UI does not parse NSEC3PARAM in any way and just shows a text box.

Moreover the 'generic' approach is IMHO a good step towards RFC 3597 compliance.

Mostly just the added complexity in code and UI. In this example there are now two places you might modify the NSEC3PARAM record. It doesn't seem overly useful to allow only reading and deleting, but including adding/editing of unsupported records is a bit of a can of worms.

The added flexibility is not necessarily a bad thing, and perhaps that support should be the subject of a separate ticket, but it doesn't seem like a prudent path towards solving this particular issue, which is a regression introduced in recent releases - I think pvoborni's proposal is a good compromise that should have minimal impact.

I should defer scope assessment to mbasti, who will be actually doing the work, but it should not be particularly hard :-)

I'm very much for supporting RFC 3597 in the user interface because, if implemented, users do not need to wait for the vendor (us) to add a new RR type before they can start using it. It makes life easier for users and for us because there will be less pressure for new releases etc.

For a real use case see the [mailing list archives](http://mailman.mit.edu/pipermail/krbdev/2015-February/thread.html) (krbdev@mit.edu): we were hitting exactly this limitation inside Windows Server DNS with the URI record type. I hope that FreeIPA can do better.

dnsrecord-show and dnsrecord-find will print all records (including records marked as unsupported) in read-only mode.

NSEC3PARAM is a zone-only option. It should not be shown in dnsrecord-* output.

Feel free to open RFE if more functionality is required.

master:

  • 0c3bf59 DNS fix: do not traceback if unsupported records are in LDAP
  • 63c497a DNS fix: do not show part options for unsupported records
  • f26220b DNS: remove NSEC3PARAM from records
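The failure mode analysed above (a record type with no part definition reaching the structured formatter, so that `len(None)` raises) and the three-part resolution listed in the fix commits can be modelled in a few dozen lines. The following is an added example written for this page, not FreeIPA code: `RecordParam`, `parts`, `postprocess_record`, the supported/unsupported tables and the sample LDAP entry are all assumptions modelled on the traceback and the record listing quoted in the ticket. It reproduces the TypeError on the buggy path and shows the fixed path, which emits no part options for unsupported types, never raises, and drops NSEC3PARAM from record output because IPA treats it as a zone attribute.

```python
"""Model of the dnsrecord-show --structured traceback and its fix.

Illustrative example written for this page; it is not FreeIPA code. The
names RecordParam, parts, postprocess_record and the sample LDAP entry are
assumptions modelled on the traceback and record list quoted in the ticket.
"""

# Part names for the record types this model treats as supported (assumed).
SUPPORTED_PARTS = {
    "A": ("ip_address",),
    "MX": ("preference", "exchanger"),
    "NS": ("hostname",),
    "TXT": ("data",),
}
# Types the ticket lists as "marked unsupported": stored in LDAP, no parser.
UNSUPPORTED = {"NSEC3PARAM", "NSEC3", "SIG", "RRSIG", "TA"}
# NSEC3PARAM is a zone setting in IPA, so the fix drops it from record output.
ZONE_ATTRIBUTES = {"NSEC3PARAM"}


class RecordParam:
    """Per-type descriptor: `parts` is empty for unsupported types."""

    def __init__(self, rrtype):
        self.rrtype = rrtype
        self.supported = rrtype in SUPPORTED_PARTS
        self.parts = SUPPORTED_PARTS.get(rrtype, ())

    def _split(self, value):
        """Split an LDAP value into parts; None when there is no part table."""
        if not self.supported:
            return None
        return value.split(None, len(self.parts) - 1)

    def _get_part_values(self, value):
        """Original behaviour: len(None) raises TypeError on unsupported types."""
        values = self._split(value)
        if len(values) != len(self.parts):
            raise ValueError("%s: expected %d parts" % (self.rrtype, len(self.parts)))
        return dict(zip(self.parts, values))

    def get_part_values_fixed(self, value):
        """Fixed behaviour: no part options (and no parsing) for unsupported types."""
        if not self.supported:
            return None
        return self._get_part_values(value)


def _rrtype(attr):
    """'mxrecord' -> 'MX' (LDAP attribute naming as used in the ticket)."""
    return attr[: -len("record")].upper()


def postprocess_record(entry, fixed):
    """Return {rrtype: [structured value, ...]} for a dnsrecord entry.

    With fixed=False this reproduces the traceback; with fixed=True it
    applies the three fixes listed in the ticket: no traceback, no part
    options for unsupported types, NSEC3PARAM dropped from record output.
    """
    out = {}
    for attr, values in entry.items():
        if not attr.endswith("record"):
            continue
        rrtype = _rrtype(attr)
        if fixed and rrtype in ZONE_ATTRIBUTES:
            continue
        param = RecordParam(rrtype)
        structured = []
        for value in values:
            parts = param.get_part_values_fixed(value) if fixed else param._get_part_values(value)
            item = {"dnstype": rrtype, "dnsdata": value}
            if parts is not None:
                item.update(parts)
            else:
                item["unsupported"] = True  # read-only: raw string as stored in LDAP
            structured.append(item)
        out[rrtype] = structured
    return out


# Constructed entry mirroring the '@' record in the ticket; addresses are
# documentation placeholders, not the reporter's real data.
APEX_ENTRY = {
    "idnsname": ["@"],
    "arecord": ["192.0.2.10"],
    "mxrecord": ["10 mx0", "20 mx1"],
    "nsrecord": ["ns0", "ns1"],
    "nsec3paramrecord": ["1 0 30 AAAAAAAAAAAAAAAAAA"],
    "txtrecord": ["v=spf1 ip6:2001:db8::/32 ip4:192.0.2.0/24 -all"],
}


def reproduce():
    """Return the exception class name the buggy path raises, or None."""
    try:
        postprocess_record(APEX_ENTRY, fixed=False)
    except TypeError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("buggy path raises:", reproduce())
    for rrtype, values in postprocess_record(APEX_ENTRY, fixed=True).items():
        print(rrtype, values)
```

The check a practitioner wants here is the negative one: feed the fixed path an entry that carries an unsupported type other than NSEC3PARAM (SIG, RRSIG, TA and so on) and confirm it comes back as an opaque `dnsdata` string flagged `unsupported`, rather than being silently dropped or parsed.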

Metadata Update from @pdf (7 years ago):
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.1.4
