Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth feature: authenticated DNSSEC bootstrapping #14074

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Auth feature: authenticated DNSSEC bootstrapping #14074

wants to merge 8 commits into from

Conversation

peterthomassen
Copy link
Contributor

Short description

Implements draft-ietf-dnsop-dnssec-bootstrapping. We'd like to replace our LUA-based implementation at desec.io with this for about 50k zones.

Protocol draft status: in IETF Last Call. -- Other implementations on child-side include Knot DNS and Cloudflare, and on parent-side .ch/.li.

Implementation:

  • Introduce SIGNALING-ZONE metadata. Zones with this setting will synthesize bootstrapping records.
  • Signaling zone needs to use narrow-mode online signing (because neighboring owner names are not known at signing time).
  • Usage: 
        export nshost=ns1.example.net
    pdnsutil create-zone _signal.$nshost $nshost  # create NS record too
    pdnsutil secure-zone _signal.$nshost
    pdnsutil set-nsec3 _signal.$nshost "1 0 0 -" narrow
    pdnsutil rectify-zone _signal.$nshost
    pdnsutil set-meta _signal.$nshost SIGNALING-ZONE 1

Questions / tasks:

  • Should we create pdnsutil set-signaling-zone which would run the last 4 commands above? That way users wouldn't have to worry about NSEC3 mode etc. The SIGNALING-ZONE metadata makes sense only with this specific config, so no flexibility would be lost.
  • I included a test that looks for proper CDS synthesis, but did not manage to deal with the fact that record contents change. How can this be done?
  • I added a few skip.* files to the test so that it only runs in the proper context(s). Not sure if I did this right.
  • Will also include a CDNSKEY test.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master

@coveralls
Copy link

coveralls commented Apr 17, 2024
edited
Loading

Pull Request Test Coverage Report for Build 8724650639

Details

  • 26 of 94 (27.66%) changed or added relevant lines in 3 files are covered.
  • 5391 unchanged lines in 75 files lost coverage.
  • Overall coverage decreased (-3.2%) to 56.29%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pdns/dbdnsseckeeper.cc 7 10 70.0%
pdns/packethandler.cc 18 83 21.69%
Files with Coverage Reduction New Missed Lines %
pdns/resolver.hh 1 0.0%
pdns/dnsparser.hh 1 76.83%
pdns/base32.cc 1 90.44%
modules/pipebackend/coprocess.hh 1 0.0%
pdns/dnswriter.cc 2 80.92%
pdns/auth-zonecache.cc 2 91.23%
ext/lmdb-safe/lmdb-typed.hh 2 72.25%
modules/gsqlite3backend/gsqlite3backend.cc 2 94.44%
pdns/webserver.hh 3 61.05%
pdns/dnspacket.hh 3 77.78%
Totals Coverage Status
Change from base Build 8686005191: -3.2%
Covered Lines: 108693
Relevant Lines: 159339
💛 - Coveralls

@Habbie Habbie self-requested a review April 23, 2024 11:18
@Habbie Habbie added this to the auth-5 milestone Apr 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Habbie Habbie Awaiting requested review from Habbie

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
auth feature request
Projects
None yet
Milestone
auth-5
Development

Successfully merging this pull request may close these issues.
3 participants
@peterthomassen @coveralls @Habbie