Merge pull request #116 from Northover/CAA

CAA record support

Author: Northover

docs/tm/records/records.rst

@@ -18,6 +18,12 @@ ALIASRecord
     :members:
     :undoc-members:    
 
+CAARecord
+==========
+.. autoclass:: dyn.tm.records.CAARecord
+    :members:
+    :undoc-members:
+
 CERTRecord
 ==========
 .. autoclass:: dyn.tm.records.CERTRecord

dyn/core.py

@@ -6,10 +6,11 @@
 """
 import base64
 import copy
-import time
 import locale
 import logging
+import re
 import threading
+import time
 from datetime import datetime
 
 from . import __version__
@@ -114,6 +115,7 @@ def __init__(self, host=None, port=443, ssl=True, history=False,
         self._encoding = locale.getdefaultlocale()[-1] or 'UTF-8'
         self._token = self._conn = self._last_response = None
         self._permissions = None
+        self._tasks = {}
 
     @classmethod
     def new_session(cls, *args, **kwargs):
@@ -243,6 +245,39 @@ def _handle_error(self, uri, method, raw_args):
         """
         return None
 
+    def _retry(self, msgs, final=False):
+        """Retry logic around throttled or blocked tasks"""
+
+        throttle_err = 'RATE_LIMIT_EXCEEDED'
+        throttled = any(throttle_err == err['ERR_CD'] for err in msgs)
+
+        if throttled:
+            # We're rate limited, so wait 5 seconds and try again
+            return dict(retry=True, wait=5, final=final)
+
+        blocked_err = 'Operation blocked by current task'
+        blocked = any(blocked_err in err['INFO'] for err in msgs)
+
+        pat = re.compile(r'^task_id:\s+(\d+)$')
+        if blocked:
+            try:
+                # Get the task id
+                task = next(pat.match(i['INFO']).group(1) for i in msgs
+                            if pat.match(i.get('INFO', '')))
+            except:
+                # Task id could not be recovered
+                wait = 1
+            else:
+                # Exponential backoff for individual blocked tasks
+                wait = self._tasks.get(task, 1)
+                self._tasks[task] = wait * 2 + 1
+
+            # Give up if final or wait > 30 seconds
+            return dict(retry=True, wait=wait, final=wait > 30 or final)
+
+        # Neither blocked nor throttled?
+        return dict(retry=False, wait=0, final=True)
+
     def _handle_response(self, response, uri, method, raw_args, final):
         """Handle the processing of the API's response"""
         body = response.read()
@@ -258,12 +293,15 @@ def _handle_response(self, response, uri, method, raw_args, final):
                                       ret_val['status']))
 
         self._meta_update(uri, method, ret_val)
-        # Handle retrying if ZoneProp is blocking the current task
-        error_msg = 'Operation blocked by current task'
-        if ret_val['status'] == 'failure' and error_msg in \
-                ret_val['msgs'][0]['INFO'] and not final:
-            time.sleep(8)
-            return self.execute(uri, method, raw_args, final=True)
+
+        retry = {}
+        # Try to retry?
+        if ret_val['status'] == 'failure' and not final:
+            retry = self._retry(ret_val['msgs'], final)
+
+        if retry.get('retry', False):
+            time.sleep(retry['wait'])
+            return self.execute(uri, method, raw_args, final=retry['final'])
         else:
             return self._process_response(ret_val, method)
 

dyn/tm/records.py

@@ -9,11 +9,11 @@
 from ..compat import force_unicode
 
 __author__ = 'jnappi'
-__all__ = ['DNSRecord', 'ARecord', 'AAAARecord', 'ALIASRecord', 'CDSRecord',
-           'CDNSKEYRecord', 'CERTRecord', 'CNAMERecord', 'CSYNCRecord',
-           'DHCIDRecord', 'DNAMERecord', 'DNSKEYRecord', 'DSRecord',
-           'KEYRecord', 'KXRecord', 'LOCRecord', 'IPSECKEYRecord', 'MXRecord',
-           'NAPTRRecord', 'PTRRecord', 'PXRecord', 'NSAPRecord',
+__all__ = ['DNSRecord', 'ARecord', 'AAAARecord', 'ALIASRecord', 'CAARecord',
+           'CDSRecord', 'CDNSKEYRecord', 'CERTRecord', 'CNAMERecord',
+           'CSYNCRecord', 'DHCIDRecord', 'DNAMERecord', 'DNSKEYRecord',
+           'DSRecord', 'KEYRecord', 'KXRecord', 'LOCRecord', 'IPSECKEYRecord',
+           'MXRecord', 'NAPTRRecord', 'PTRRecord', 'PXRecord', 'NSAPRecord',
            'RPRecord', 'NSRecord', 'SOARecord', 'SPFRecord', 'SRVRecord',
            'TLSARecord', 'TXTRecord', 'SSHFPRecord', 'UNKNOWNRecord']
 
@@ -1240,6 +1240,116 @@ def __repr__(self):
         return self.__str__()
 
 
+class CAARecord(DNSRecord):
+    """Certification Authority Authorization (CAA) Resource Record
+
+    This record allows a DNS domain name holder to specify one or more
+    Certification Authorities (CAs) authorized to issue certificates for that
+    domain.  CAA Resource Records allow a public Certification Authority to
+    implement additional controls to reduce the risk of unintended certificate
+    mis-issue.  This document defines the syntax of the CAA record and rules
+    for processing CAA records by certificate issuers.
+
+    see: https://tools.ietf.org/html/rfc6844 """
+
+    def __init__(self, zone, fqdn, *args, **kwargs):
+        """Create a :class:`~dyn.tm.records.CAARecord` object
+
+        :param zone: Name of zone where the record will be added
+        :param fqdn: Name of node where the record will be added
+        :param flags: A byte
+        :param tag: A string defining the tag component of the <tag>=<value>
+            record property. May be one of:
+            issue: The issue property entry authorizes the holder of
+                the domain name <Issuer Domain Name> or a party acting under
+                the explicit authority of the holder of that domain name to
+                issue certificates for the domain in which the property is
+                published.
+
+            issuewild: The issuewild property entry authorizes the
+                holder of the domain name <Issuer Domain Name> or a party
+                acting under the explicit authority of the holder of that
+                domain name to issue wildcard certificates for the domain in
+                which the property is published.
+
+            iodef: Specifies a URL to which an issuer MAY report
+                certificate issue requests that are inconsistent with the
+                issuer's Certification Practices or Certificate Policy, or
+                that a Certificate Evaluator may use to report observation
+                of a possible policy violation.
+            :param value: A string representing the value component of the
+                property.  This will be an issuer domain name or a URL.
+            :param ttl: TTL for this record. Use 0 for zone default
+        """
+        fields = ['flags', 'tag', 'value', 'ttl']
+
+        create = kwargs.pop('create', None)
+        if create is not None:
+            super(CAARecord, self).__init__(zone, fqdn, create)
+            self._build(kwargs)
+            self._record_type = 'CAARecord'
+        else:
+            super(CAARecord, self).__init__(zone, fqdn)
+            self._record_type = 'CAARecord'
+            arg_length = len(args) + len(kwargs)
+            if 'record_id' in kwargs:
+                self._get_record(kwargs['record_id'])
+            elif arg_length == 1:
+                self._get_record(*args, **kwargs)
+            elif any(field in kwargs for field in fields) or arg_length >= 1:
+                self._post(*args, **kwargs)
+
+    def _post(self, flags, tag, value, ttl=0):
+        self._flags = flags
+        self._tag = tag
+        self._value = value
+        self._ttl = ttl
+        self.api_args = dict(
+            rdata=dict(flags=flags, tag=tag, value=value),
+            ttl=ttl
+        )
+        self._create_record(self.api_args)
+
+    def rdata(self):
+        return dict(caa_rdata=super(CAARecord, self).rdata())
+
+    @property
+    def flags(self):
+        self._pull()
+        return self._flags
+
+    @flags.setter
+    def flags(self, value):
+        self.api_args['rdata']['flags'] = value
+        self._update_record(self.api_args)
+        if self._implicitPublish:
+            self._flags = value
+
+    @property
+    def tag(self):
+        self._pull()
+        return self._tag
+
+    @tag.setter
+    def tag(self, value):
+        self.api_args['rdata']['tag'] = value
+        self._update_record(self.api_args)
+        if self._implicitPublish:
+            self._tag = value
+
+    @property
+    def value(self):
+        self._pull()
+        return self._value
+
+    @value.setter
+    def value(self, value):
+        self.api_args['rdata']['value'] = value
+        self._update_record(self.api_args)
+        if self._implicitPublish:
+            self._value = value
+
+
 class DSRecord(DNSRecord):
     """The Delegation Signer (DS) record type is used in DNSSEC to create the
     chain of trust or authority from a signed parent zone to a signed child

dyn/tm/services/dsf.py

@@ -6,8 +6,8 @@
 from dyn.compat import force_unicode, string_types
 from dyn.tm.utils import APIList, Active
 from dyn.tm.errors import DynectInvalidArgumentError
-from dyn.tm.records import (ARecord, AAAARecord, ALIASRecord, CDSRecord,
-                            CDNSKEYRecord, CSYNCRecord, CERTRecord,
+from dyn.tm.records import (ARecord, AAAARecord, ALIASRecord, CAARecord,
+                            CDSRecord, CDNSKEYRecord, CSYNCRecord, CERTRecord,
                             CNAMERecord, DHCIDRecord, DNAMERecord,
                             DNSKEYRecord, DSRecord, KEYRecord, KXRecord,
                             LOCRecord, IPSECKEYRecord, MXRecord, NAPTRRecord,
@@ -3578,7 +3578,7 @@ def __init__(self, zone, fqdn=None):
         self.records = {}
 
         self.recs = {'A': ARecord, 'AAAA': AAAARecord,
-                     'ALIAS': ALIASRecord, 'CDS': CDSRecord,
+                     'ALIAS': ALIASRecord, 'CAA': CAARecord, 'CDS': CDSRecord,
                      'CDNSKEY': CDNSKEYRecord, 'CSYNC': CSYNCRecord,
                      'CERT': CERTRecord, 'CNAME': CNAMERecord,
                      'DHCID': DHCIDRecord, 'DNAME': DNAMERecord,
@@ -3597,10 +3597,10 @@ def add_record(self, record_type='A', *args, **kwargs):
         """Adds an a record with the provided data to this :class:`Node`
 
         :param record_type: The type of record you would like to add.
-            Valid record_type arguments are: 'A', 'AAAA', 'CERT', 'CNAME',
-            'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC', 'IPSECKEY',
-            'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA', 'SPF',
-            'SRV', and 'TXT'.
+            Valid record_type arguments are: 'A', 'AAAA', 'CAA', 'CERT',
+            'CNAME', 'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC',
+            'IPSECKEY', 'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA',
+            'SPF', 'SRV', and 'TXT'.
         :param args: Non-keyword arguments to pass to the Record constructor
         :param kwargs: Keyword arguments to pass to the Record constructor
         """
@@ -3650,13 +3650,14 @@ def get_all_records_by_type(self, record_type):
         are owned by this node.
 
         :param record_type: The type of :class:`DNSRecord` you wish returned.
-            Valid record_type arguments are: 'A', 'AAAA', 'CERT', 'CNAME',
-            'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC', 'IPSECKEY',
-            'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA', 'SPF',
-            'SRV', and 'TXT'.
+            Valid record_type arguments are: 'A', 'AAAA', 'CAA', 'CERT',
+            'CNAME', 'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC',
+            'IPSECKEY', 'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA',
+            'SPF', 'SRV', and 'TXT'.
         :return: A list of :class:`DNSRecord`'s
         """
-        names = {'A': 'ARecord', 'AAAA': 'AAAARecord', 'CERT': 'CERTRecord',
+        names = {'A': 'ARecord', 'AAAA': 'AAAARecord',
+                 'CAA': 'CAARecord', 'CERT': 'CERTRecord',
                  'CNAME': 'CNAMERecord', 'DHCID': 'DHCIDRecord',
                  'DNAME': 'DNAMERecord', 'DNSKEY': 'DNSKEYRecord',
                  'DS': 'DSRecord', 'KEY': 'KEYRecord', 'KX': 'KXRecord',

dyn/tm/zones.py

@@ -9,7 +9,7 @@
 from dyn.tm.errors import (DynectCreateError, DynectGetError,
                            DynectInvalidArgumentError)
 from dyn.tm.records import (ARecord, AAAARecord, ALIASRecord, CDSRecord,
-                            CDNSKEYRecord, CSYNCRecord, CERTRecord,
+                            CAARecord, CDNSKEYRecord, CSYNCRecord, CERTRecord,
                             CNAMERecord, DHCIDRecord, DNAMERecord,
                             DNSKEYRecord, DSRecord, KEYRecord, KXRecord,
                             LOCRecord, IPSECKEYRecord, MXRecord, NAPTRRecord,
@@ -27,15 +27,15 @@
            'ExternalNameserver', 'ExternalNameserverEntry']
 
 RECS = {'A': ARecord, 'AAAA': AAAARecord, 'ALIAS': ALIASRecord,
-        'CDS': CDSRecord, 'CDNSKEY': CDNSKEYRecord, 'CSYNC': CSYNCRecord,
-        'CERT': CERTRecord, 'CNAME': CNAMERecord, 'DHCID': DHCIDRecord,
-        'DNAME': DNAMERecord, 'DNSKEY': DNSKEYRecord, 'DS': DSRecord,
-        'KEY': KEYRecord, 'KX': KXRecord, 'LOC': LOCRecord,
+        'CAA': CAARecord, 'CDS': CDSRecord, 'CDNSKEY': CDNSKEYRecord,
+        'CSYNC': CSYNCRecord, 'CERT': CERTRecord, 'CNAME': CNAMERecord,
+        'DHCID': DHCIDRecord, 'DNAME': DNAMERecord, 'DNSKEY': DNSKEYRecord,
+        'DS': DSRecord, 'KEY': KEYRecord, 'KX': KXRecord, 'LOC': LOCRecord,
         'IPSECKEY': IPSECKEYRecord, 'MX': MXRecord, 'NAPTR': NAPTRRecord,
         'PTR': PTRRecord, 'PX': PXRecord, 'NSAP': NSAPRecord,
-        'RP': RPRecord, 'NS': NSRecord, 'SOA': SOARecord,
-        'SPF': SPFRecord, 'SRV': SRVRecord, 'TLSA': TLSARecord,
-        'TXT': TXTRecord, 'SSHFP': SSHFPRecord, 'UNKNOWN': UNKNOWNRecord}
+        'RP': RPRecord, 'NS': NSRecord, 'SOA': SOARecord, 'SPF': SPFRecord,
+        'SRV': SRVRecord, 'TLSA': TLSARecord, 'TXT': TXTRecord,
+        'SSHFP': SSHFPRecord, 'UNKNOWN': UNKNOWNRecord}
 
 
 def get_all_zones():
@@ -522,24 +522,23 @@ def get_all_records_by_type(self, record_type):
         are owned by this node.
 
         :param record_type: The type of :class:`DNSRecord` you wish returned.
-            Valid record_type arguments are: 'A', 'AAAA', 'CERT', 'CNAME',
-            'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC', 'IPSECKEY',
-            'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA', 'SPF',
-            'SRV', and 'TXT'.
+            Valid record_type arguments are: 'A', 'AAAA', 'CAA', 'CERT',
+            'CNAME', 'DHCID', 'DNAME', 'DNSKEY', 'DS', 'KEY', 'KX', 'LOC',
+            'IPSECKEY', 'MX', 'NAPTR', 'PTR', 'PX', 'NSAP', 'RP', 'NS', 'SOA',
+            'SPF', 'SRV', and 'TXT'.
         :return: A :class:`List` of :class:`DNSRecord`'s
         """
         names = {'A': 'ARecord', 'AAAA': 'AAAARecord', 'ALIAS': 'ALIASRecord',
-                 'CDS': 'CDSRecord', 'CDNSKEY': 'CDNSKEYRecord',
-                 'CERT': 'CERTRecord', 'CSYNC': 'CSYNCRecord',
-                 'CNAME': 'CNAMERecord', 'DHCID': 'DHCIDRecord',
-                 'DNAME': 'DNAMERecord', 'DNSKEY': 'DNSKEYRecord',
-                 'DS': 'DSRecord', 'KEY': 'KEYRecord', 'KX': 'KXRecord',
-                 'LOC': 'LOCRecord', 'IPSECKEY': 'IPSECKEYRecord',
-                 'MX': 'MXRecord', 'NAPTR': 'NAPTRRecord', 'PTR': 'PTRRecord',
-                 'PX': 'PXRecord', 'NSAP': 'NSAPRecord', 'RP': 'RPRecord',
-                 'NS': 'NSRecord', 'SOA': 'SOARecord', 'SPF': 'SPFRecord',
-                 'SRV': 'SRVRecord', 'TLSA': 'TLSARecord', 'TXT': 'TXTRecord',
-                 'SSHFP': 'SSHFPRecord'}
+                 'CAA': 'CAARecord', 'CDS': 'CDSRecord', 'CDNSKEY':
+                 'CDNSKEYRecord', 'CERT': 'CERTRecord', 'CSYNC': 'CSYNCRecord',
+                 'CNAME': 'CNAMERecord', 'DHCID': 'DHCIDRecord', 'DNAME':
+                 'DNAMERecord', 'DNSKEY': 'DNSKEYRecord', 'DS': 'DSRecord',
+                 'KEY': 'KEYRecord', 'KX': 'KXRecord', 'LOC': 'LOCRecord',
+                 'IPSECKEY': 'IPSECKEYRecord', 'MX': 'MXRecord', 'NAPTR':
+                 'NAPTRRecord', 'PTR': 'PTRRecord', 'PX': 'PXRecord', 'NSAP':
+                 'NSAPRecord', 'RP': 'RPRecord', 'NS': 'NSRecord', 'SOA':
+                 'SOARecord', 'SPF': 'SPFRecord', 'SRV': 'SRVRecord', 'TLSA':
+                 'TLSARecord', 'TXT': 'TXTRecord', 'SSHFP': 'SSHFPRecord'}
 
         constructor = RECS[record_type]
         uri = '/{}/{}/{}/'.format(names[record_type], self._name, self.fqdn)
@@ -1053,16 +1052,18 @@ def get_all_records_by_type(self, record_type):
             'SRV', and 'TXT'.
         :return: A list of :class:`DNSRecord`'s
         """
-        names = {'A': 'ARecord', 'AAAA': 'AAAARecord', 'CERT': 'CERTRecord',
-                 'CNAME': 'CNAMERecord', 'DHCID': 'DHCIDRecord',
-                 'DNAME': 'DNAMERecord', 'DNSKEY': 'DNSKEYRecord',
-                 'DS': 'DSRecord', 'KEY': 'KEYRecord', 'KX': 'KXRecord',
-                 'LOC': 'LOCRecord', 'IPSECKEY': 'IPSECKEYRecord',
-                 'MX': 'MXRecord', 'NAPTR': 'NAPTRRecord', 'PTR': 'PTRRecord',
+        names = {'A': 'ARecord', 'AAAA': 'AAAARecord', 'CAA': 'CAARecord',
+                 'CERT': 'CERTRecord', 'CNAME': 'CNAMERecord',
+                 'DHCID': 'DHCIDRecord', 'DNAME': 'DNAMERecord',
+                 'DNSKEY': 'DNSKEYRecord', 'DS': 'DSRecord',
+                 'KEY': 'KEYRecord', 'KX': 'KXRecord', 'LOC': 'LOCRecord',
+                 'IPSECKEY': 'IPSECKEYRecord', 'MX': 'MXRecord',
+                 'NAPTR': 'NAPTRRecord', 'PTR': 'PTRRecord',
                  'PX': 'PXRecord', 'NSAP': 'NSAPRecord', 'RP': 'RPRecord',
                  'NS': 'NSRecord', 'SOA': 'SOARecord', 'SPF': 'SPFRecord',
-                 'SRV': 'SRVRecord', 'TLSA': 'TLSARecord', 'TXT': 'TXTRecord',
-                 'SSHFP': 'SSHFPRecord', 'ALIAS': 'ALIASRecord'}
+                 'SRV': 'SRVRecord', 'TLSA': 'TLSARecord',
+                 'TXT': 'TXTRecord', 'SSHFP': 'SSHFPRecord',
+                 'ALIAS': 'ALIASRecord'}
         constructor = RECS[record_type]
         uri = '/{}/{}/{}/'.format(names[record_type], self.zone,
                                   self.fqdn)