From b34aae5cb99961d40914ef1ad000fed2d5a39089 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Wed, 12 Feb 2014 20:17:43 +0100
Subject: [PATCH] =?UTF-8?q?[gen=5Fconf/bind]=20Ajout=20de=20quelques=20enr?=
 =?UTF-8?q?egistrement=20TLSA=20=C3=A0=20titre=20d'exemple?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Il faudra sans doute voir un moyen pour récupérer les informations pour les enregistrement TLSA depuis la base ldap.
---
 gestion/gen_confs/bind.py | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/gestion/gen_confs/bind.py b/gestion/gen_confs/bind.py
index 79a42d0a..94cf5d7d 100755
--- a/gestion/gen_confs/bind.py
+++ b/gestion/gen_confs/bind.py
@@ -62,14 +62,13 @@ class TLSA(ResourceRecord):
 compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
 """
 selector = 0
- if cert is None and proto == 'tcp':
+ if cert is None and proto == 'tcp' and name[-1] == '.':
 try:
- cert = ssl.get_server_certificate((name[:-1], port))
- sys.stderr.write("Warning: it is not safe to retrive cert for %s through the network, consider using an other solution\n" % name[:-1])
+ cert = ssl.get_server_certificate((name[:-1], port), ca_certs='/etc/ssl/certs/ca-certificates.crt')
 except Exception as e:
 raise ValueError("Unable de retrieve cert dynamically: %s" % e)
 elif cert is None:
- raise ValueError("cert can only be retrive if proto is tcp")
+ raise ValueError("cert can only be retrive if proto is tcp and name fqdn")
 dercert = ssl.PEM_cert_to_DER_cert(cert)
 if not dercert:
 raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
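Review bot: The `ca_certs=` argument added on the `ssl.get_server_certificate` line validates the chain but not the subject, because `get_server_certificate` never matches the returned certificate against `name[:-1]`, so any certificate issued by a CA in `/etc/ssl/certs/ca-certificates.crt`, for any host, is accepted and then published as the DANE target for this name. Since the whole point of the record is to pin what DANE clients will trust, the fetch should bind the peer certificate to the host name, e.g. by wrapping the socket with `cert_reqs=ssl.CERT_REQUIRED` and calling `ssl.match_hostname(sock.getpeercert(), name[:-1])` (stdlib from 2.7.9/3.2) before taking the DER form; a sketch follows. The removed `sys.stderr.write` warning was the only signal that a record came from a live fetch rather than from a trusted source, and the commit message itself calls this provisional, so I would keep a one-line warning on the fetch path. `name[-1] == '.'` raises IndexError on an empty name; `name.endswith('.')` says the same thing safely. The enclosing method starts before this hunk.
```python
        if cert is None and proto == 'tcp' and name.endswith('.'):
            host = name[:-1]
            try:
                # `socket` must be in scope for create_connection (gethostname is already used from it)
                sock = ssl.wrap_socket(socket.create_connection((host, port)),
                                       cert_reqs=ssl.CERT_REQUIRED,
                                       ca_certs='/etc/ssl/certs/ca-certificates.crt')
                try:
                    # chain validation alone accepts any CA-issued cert; bind it to the name we publish
                    ssl.match_hostname(sock.getpeercert(), host)
                    cert = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
                finally:
                    sock.close()
                sys.stderr.write("Warning: TLSA record for %s built from a live fetch, not from a trusted source\n" % host)
            except Exception as e:
                raise ValueError("Unable de retrieve cert dynamically: %s" % e)
        # … unchanged: elif branch and DER conversion …
```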
@@ -446,6 +445,19 @@ class dns(gen_config) :
 }
+ EXTRAS = {
+ 'crans.org' : [
+ TLSA('cas.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('wiki.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('perso.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('intranet.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('webmail.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('horde.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('roundcube.crans.org.', 443, 'tcp', None, 3, 2),
+ TLSA('sogo.crans.org.', 443, 'tcp', None, 3, 2),
+ ]
+ }
 hostname = short_name(gethostname())
 serial = int(time.time()) + 1000000000
 TTL = 3600
@@ -464,7 +476,7 @@ class dns(gen_config) :
 self.anim.iter=len(zones.values())
 for zone in zones.values():
 zone.extend(self.MXs)
- for rr_type in [self.SRVs, self.NATPRs, self.DSs]:
+ for rr_type in [self.SRVs, self.NATPRs, self.DSs, self.EXTRAS]:
 if zone.zone_name in rr_type.keys():
 zone.extend(rr_type[zone.zone_name])
 for m in machines:
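Review bot: `EXTRAS` is a class attribute, so its eight `TLSA(...)` calls run when the module is imported, and because each passes `cert=None` it appears to go through the live fetch in the first hunk (whose enclosing method starts outside that hunk), meaning one unreachable host raises ValueError at import time and no configuration at all can be generated. I would keep `EXTRAS` as plain data and build the records where they are consumed, e.g. `EXTRAS = {'crans.org': [('cas.crans.org.', 443, 'tcp', None, 3, 2), ...]}` here and `zone.extend(TLSA(*args) for args in self.EXTRAS.get(zone.zone_name, []))` in the loop of the last hunk, so a failure is tied to one zone build and can be reported with the host name instead of aborting the import. The hard-coded hostnames also duplicate what the commit message says should come from LDAP; a comment on `EXTRAS` such as `# temporary: TLSA targets listed by hand until they can be read from LDAP` would record that intent for the next maintainer.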