From 867d4d76de92ce9057a42b464503075066cc92ef Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Thu, 2 Apr 2015 20:02:46 +0200
Subject: [PATCH] dnssec-trigger-script: Don't configure RFC1918 zones if there
 are no global forwarders

Previously the script tried to install RFC1918 zones even if there
were no global forwarders from NetworkManager. This led to removing
the zones from Unbound, which is good, but not from the zones Store.
Also, on subsequent calls the script tried to remove the zones from
Unbound again and crashed with a traceback.

When a machine had configuration of RFC1918 zones enabled by default,
the script crashed also during boot, if the machine was not connected
to any network.

Please also see https://bugzilla.redhat.com/show_bug.cgi?id=1205864

This change makes the script to add RFC1918 zones only if there
are global forwarders, otherwise it will remove them from Unbound
and zones Store. If zones are not configured in Unbound or are not
present in the zones Store, it will do nothing.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
 dnssec-trigger-script.in | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
index 7bf6c2e..88010e9 100644
--- a/dnssec-trigger-script.in
+++ b/dnssec-trigger-script.in
@@ -611,21 +611,30 @@ class Application:
                     unbound_zones.add(zone, connections[zone].servers, secure=config.validate_connection_provided_zones)
                     stored_zones.add(zone)
 
-            # Install zones for reverse name resolution of private addresses
-            # except those already provided by connections and those installed
-            # by other means than dnssec-trigger-script.
+            # Configure forward zones for reverse name resolution of private addresses.
+            # RFC1918 zones will be installed, except those already provided by connections
+            # and those installed by other means than by dnssec-trigger-script.
+            # RFC19118 zones will be removed if there are no global forwarders.
             if self.rfc1918_reverse_zones:
-                log.debug("adding RFC 1918 private zones not present in unbound or connections")
-                global_forwarders = self.global_forwarders
+                log.debug("configuring RFC 1918 private zones")
                 for zone in self.rfc1918_reverse_zones:
                     # Ignore a connection provided zone as it's been already
                     # processed.
                     if zone in connections:
                         continue
-                    # Reinstall a known zone or install a new zone.
-                    if zone in stored_zones or zone not in unbound_zones:
-                        unbound_zones.add(zone, global_forwarders, secure=False)
-                        stored_zones.add(zone)
+                    if self.global_forwarders:
+                        # Reinstall a known zone or install a new zone.
+                        log.debug("Installing RFC 1918 private zone '%s' not present in unbound or connections", zone)
+                        if zone in stored_zones or zone not in unbound_zones:
+                            unbound_zones.add(zone, self.global_forwarders, secure=False)
+                            stored_zones.add(zone)
+                    else:
+                        # There are no global forwarders, therefore remove the zone
+                        log.debug("Removing RFC 1918 private zone '%s' since there are no global forwarders", zone)
+                        if zone in unbound_zones:
+                            unbound_zones.remove(zone)
+                        if zone in stored_zones:
+                            stored_zones.remove(zone)
 
             stored_zones.commit()
 
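Review bot: In the new `else` branch, `unbound_zones.remove(zone)` runs for any RFC 1918 zone present in Unbound, including one that is not in `stored_zones`, which by the comment above the block means it was installed by other means than dnssec-trigger-script. The install branch leaves such zones alone, so the removal should too: `if zone in stored_zones and zone in unbound_zones:`; otherwise an administrator's own forward zone for private reverse lookups is dropped whenever the forwarder list is empty, and where those queries are sent afterwards depends on the rest of the Unbound configuration. The "Installing RFC 1918 private zone" debug message is emitted before the `if zone in stored_zones or zone not in unbound_zones:` test, so it is logged even when nothing is installed; it belongs inside that `if`. The new comment also has a typo, `RFC19118` for `RFC1918`. The enclosing method of `Application` starts and ends outside the hunk.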
-- 
2.1.0