1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
..
Copyright 2016 Rackspace Inc.
Author: Tim Simmons <tim.simmons@rackspace.com>
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Blacklisting Domain Names
=========================
Zone and recordset names can be blacklisted in Designate, disallowing
the creation of certain names, specified by regular expressions.
The simple use case here could be "I don't want anyone to be able to
create anything with ``mycompany.com.`` in it!", or maybe disallowing
subzones on a certain zone. Or simply disallowing the creation of a single
zone, like ``google.com.``.
If wanted to blacklist ``example.com.`` and all of it's subdomains, we could
make the following API calls.
.. code-block:: http
POST /v2/blacklists/ HTTP/1.1
Accept: application/json
Content-Type: application/json
{
"pattern" : "^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$",
"description" : "This blacklists *.example.com."
}
Response:
.. code-block:: http
HTTP/1.1 201 CREATED
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-bfcd0723-624c-4ec2-bbd5-99e985efe8db
{
"description": "This blacklists *.example.com.",
"links": {
"self": "http://127.0.0.1:9001/v2/blacklists/af91edb5-ede8-453f-af13-feabdd088f9c"
},
"pattern": "^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$",
"created_at": "2016-05-20 06:15:42",
"updated_at": null,
"id": "af91edb5-ede8-453f-af13-feabdd088f9c"
}
Now, if someone were to try and create ``foo.example.com.``,
or ``example.com.`` they would encounter an error:
.. code-block:: http
HTTP/1.1 400 BAD REQUEST
Content-Type: application/json
X-Openstack-Request-Id: req-b7be7770-ec4f-4573-b4db-70f95475f691
{
"message": "Blacklisted zone name",
"code": 400,
"type": "invalid_zone_name",
"request_id": "req-b7be7770-ec4f-4573-b4db-70f95475f691"
}
Blacklists can be deleted, just like an other resource in the API,
``DELETE /v2/blacklists/<id>``.
Regular Expressions
-------------------
The regular expressions used here can be a bit difficult to wrap your mind
around at first. Try using a tool like https://www.debuggex.com/
It's important to note that the regular expressions we enter are similar
to Python regular expressions, but we need to escape certain characters
when we make HTTP calls.
This means that if you wanted to debug this regex:
``^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$``
you're really working with this regex:
``^([A-Za-z0-9_\\-]+\.)*example\.com\.$``
|
