[gen_conf/bind] Ajout de quelques enregistrement TLSA à titre d'exemple

Il faudra sans doute voir un moyen pour récupérer les informations pour les enregistrement TLSA depuis la base ldap.
2014-02-12 20:17:43 +01:00 · 2014-02-12 20:17:43 +01:00 · b34aae5cb9
commit b34aae5cb9
parent 8112452efa
1 changed files with 17 additions and 5 deletions
--- a/gestion/gen_confs/bind.py
+++ b/gestion/gen_confs/bind.py
@ -62,14 +62,13 @@ class TLSA(ResourceRecord):
            compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
        """
        selector = 0
-        if cert is None and proto == 'tcp':
+        if cert is None and proto == 'tcp' and name[-1] == '.':
            try:
-                cert = ssl.get_server_certificate((name[:-1], port))
-                sys.stderr.write("Warning: it is not safe to retrive cert for %s through the network, consider using an other solution\n" % name[:-1])
+                cert = ssl.get_server_certificate((name[:-1], port), ca_certs='/etc/ssl/certs/ca-certificates.crt')
            except Exception as e:
                raise ValueError("Unable de retrieve cert dynamically: %s" % e)
        elif cert is None:
-            raise ValueError("cert can only be retrive if proto is tcp")
+            raise ValueError("cert can only be retrive if proto is tcp and name fqdn")
        dercert = ssl.PEM_cert_to_DER_cert(cert)
        if not dercert:
            raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
@ -446,6 +445,19 @@ class dns(gen_config) :
    }


+    EXTRAS = {
+        'crans.org' : [
+             TLSA('cas.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('wiki.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('perso.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('intranet.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('webmail.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('horde.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('roundcube.crans.org.', 443, 'tcp', None, 3, 2),
+             TLSA('sogo.crans.org.', 443, 'tcp', None, 3, 2),
+        ]
+    }
+
    hostname = short_name(gethostname())
    serial = int(time.time()) + 1000000000
    TTL = 3600
@ -464,7 +476,7 @@ class dns(gen_config) :
        self.anim.iter=len(zones.values())
        for zone in zones.values():
            zone.extend(self.MXs)
-            for rr_type in [self.SRVs, self.NATPRs, self.DSs]:
+            for rr_type in [self.SRVs, self.NATPRs, self.DSs, self.EXTRAS]:
                if zone.zone_name in rr_type.keys():
                    zone.extend(rr_type[zone.zone_name])
            for m in machines: