def dns_update_all_zones(reload_retry=False, reload_timeout=2):
"""Update all zone files for all domains.
Serving these zone files means updating BIND's configuration to include
them, then asking it to load the new configuration.
:param reload_retry: Should the DNS server reload be retried in case
of failure? Defaults to `False`.
:type reload_retry: bool
"""
if not is_dns_enabled():
return
domains = Domain.objects.filter(authoritative=True)
forwarded_zones = forward_domains_to_forwarded_zones(
Domain.objects.get_forward_domains())
subnets = Subnet.objects.exclude(rdns_mode=RDNS_MODE.DISABLED)
default_ttl = Config.objects.get_config("default_dns_ttl")
serial = current_zone_serial()
zones = ZoneGenerator(
domains,
subnets,
default_ttl,
serial,
internal_domains=[get_internal_domain()],
).as_list()
bind_write_zones(zones)
# We should not be calling bind_write_options() here; call-sites should be
# making a separate call. It's a historical legacy, where many sites now
# expect this side-effect from calling dns_update_all_zones_now(), and
# some that call it for this side-effect alone. At present all it does is
# set the upstream DNS servers, nothing to do with serving zones at all!
bind_write_options(
upstream_dns=get_upstream_dns(),
dnssec_validation=get_dnssec_validation(),
)
# Nor should we be rewriting ACLs that are related only to allowing
# recursive queries to the upstream DNS servers. Again, this is legacy,
# where the "trusted" ACL ended up in the same configuration file as the
# zone stanzas, and so both need to be rewritten at the same time.
bind_write_configuration(
zones,
trusted_networks=get_trusted_networks(),
forwarded_zones=forwarded_zones,
)
# Reloading with retries may be a legacy from Celery days, or it may be
# necessary to recover from races during start-up. We're not sure if it is
# actually needed but it seems safer to maintain this behaviour until we
# have a better understanding.
if reload_retry:
reloaded = bind_reload_with_retries(timeout=reload_timeout)
else:
reloaded = bind_reload(timeout=reload_timeout)
# Return the current serial and list of domain names.
return serial, reloaded, [domain.name for domain in domains]
def test_bind_write_configuration_writes_file(self):
domain = factory.make_string()
zones = [
DNSReverseZoneConfig(domain,
serial=random.randint(1, 100),
network=factory.make_ipv4_network()),
DNSReverseZoneConfig(domain,
serial=random.randint(1, 100),
network=factory.make_ipv6_network()),
]
actions.bind_write_configuration(zones=zones, trusted_networks=[])
self.assertThat(os.path.join(self.dns_conf_dir, MAAS_NAMED_CONF_NAME),
FileExists())
def _bindConfigure(self, configuration):
"""Update the DNS configuration for the rack.
Possible node was converted from a region to a rack-only, so we always
ensure that all zones are removed.
"""
# We allow the region controller to do the dnssec validation, if
# enabled. On the rack controller we just let it pass through.
bind_write_options(upstream_dns=list(sorted(
configuration.upstream_dns)),
dnssec_validation='no')
# No zones on the rack controller.
bind_write_configuration([],
list(sorted(configuration.trusted_networks)))
def test_bind_write_configuration_writes_file_with_acl(self):
trusted_networks = [
factory.make_ipv4_network(),
factory.make_ipv6_network(),
]
actions.bind_write_configuration(zones=[],
trusted_networks=trusted_networks)
expected_file = os.path.join(self.dns_conf_dir, MAAS_NAMED_CONF_NAME)
self.assertThat(expected_file, FileExists())
expected_content = dedent("""\
acl "trusted" {
%s;
%s;
localnets;
localhost;
};
""")
expected_content %= tuple(trusted_networks)
self.assertThat(expected_file,
FileContains(matcher=Contains(expected_content)))
