Blacklisting Domain Names¶
Note
The blacklist feature will be renamed and moved to denylist in the near future.
You can prevent users from creating zones with names that match a particular regular expression using blacklists. For example, you might use a blacklist to prevent users from:
creating a specific zone.
creating zones that contain a certain string,
creating subzones of a certain zone.
Managing Blacklists¶
You can create blacklists using the zone blacklist create
command with
System Administrator privileges. For example, to blacklist example.com.
and all of its subdomains:
$ openstack zone blacklist create --pattern ".*example.com."
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| created_at | 2021-05-27T04:06:42.000000 |
| description | None |
| id | 7622e241-8c3d-4c03-a692-8747e3cf2658 |
| pattern | .*example.com. |
| updated_at | None |
+-------------+--------------------------------------+
If a Domain or Project Persona attempts to create foo.example.com.
, or
example.com.
, they encounter an error:
$ openstack zone create --email admin@example.com example.com.
Blacklisted zone name
$ openstack zone create --email admin@example.com foo.example.com.
Blacklisted zone name
Note
Users who satisfy the use_blacklisted_zone
policy can create zones with
names that are on a blacklist. By default, the only users who have this
override are System Administrators.
You can update a blacklist using zone blacklist set
to modify its pattern
or description;
$ openstack zone blacklist set 81fbfe02-6bf9-4812-a40e-1522ab6862ca --pattern ".*web.example.com"
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| created_at | 2021-05-27T04:14:14.000000 |
| description | None |
| id | 81fbfe02-6bf9-4812-a40e-1522ab6862ca |
| pattern | .*web.example.com |
| updated_at | 2021-05-27T04:14:48.000000 |
+-------------+--------------------------------------+
You can delete a blacklist using zone blacklist delete:
$ openstack zone blacklist delete 7622e241-8c3d-4c03-a692-8747e3cf2658
There is no output when this command is successful.
Using the REST API¶
The regular expressions used for blacklists are similar to Python regular expressions, but you must escape certain characters when making HTTP calls.
For examples, this refex restricts using example.com.
and its ASCII
subdomains:
^([A-Za-z0-9_\\-]+\.)*example\.com\.$
However, you must insert the escape character (backslash, ) before the instances of dot (.) and .com:
^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$
Here is the API call and the regex with the HTTP characters escaped:
POST /v2/blacklists/ HTTP/1.1
Accept: application/json
Content-Type: application/json
{
"pattern" : "^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$",
"description" : "This blacklists *.example.com."
}
Regular Expressions¶
Regular Expressions can be difficult to work with. The Python Regex Documentation may serve as a useful introduction, and online regular expression tools can assist when building and testing regexes for use with the blacklist API.