
Automatic DNSSEC signatures & key schedule for nsd #31724

Merged
merged 3 commits into from Apr 21, 2018

Conversation

@gkleen (Contributor) commented Nov 16, 2017

Motivation for this change

This PR adds some (disabled by default) options to nsd which, when enabled, set up a systemd service which automatically generates DNSSEC-keys, signs some of the zones with them, and occasionally checks to make sure the zone complies with a key-schedule policy.

For implementing this I also had to patch the package for bind in order to (optionally; disabled by default) include a python script shipped with it, which manages compliance with a key-schedule.

I'd welcome suggestions for improvement or general discussion.
I suggest, however, holding off on merging until I've heard from my DNS provider regarding upstream submission of my DS-records and made sure everything does in fact work.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Fits CONTRIBUTING.md.
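As an added example (not code from this PR, and not BIND's keymgr), here is a minimal key-schedule check of the kind the description mentions: it parses a signed zone in presentation format, confirms that both a KSK and a ZSK are published, and flags RRSIGs that are expired or within a safety margin of expiry. The zone content, timestamps and key tags below are constructed, and the parser assumes every record carries an explicit TTL and the IN class.

```python
"""Minimal DNSSEC key-schedule check over a zone file in presentation format.
Added example: not the PR's service script and not BIND's keymgr."""
from datetime import datetime, timedelta

# Constructed sample: a tiny signed-zone excerpt with key/signature data shortened.
SAMPLE_ZONE = """
example.org. 3600 IN DNSKEY 257 3 13 ksk-public-key-placeholder
example.org. 3600 IN DNSKEY 256 3 13 zsk-public-key-placeholder
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20180520000000 20180420000000 12345 example.org. sig-placeholder
example.org. 3600 IN RRSIG SOA 13 2 3600 20180425000000 20180420000000 54321 example.org. sig-placeholder
"""

TS = "%Y%m%d%H%M%S"  # RRSIG presentation-format timestamp, always UTC


def parse_zone(text):
    """Return (dnskey_flags, rrsigs); rrsigs is a list of (covered_type, expiration)."""
    dnskey_flags, rrsigs = [], []
    for line in text.splitlines():
        fields = line.split()
        # Assumes "<owner> <ttl> IN <type> <rdata...>" on every record line.
        if len(fields) < 5 or fields[2] != "IN":
            continue
        if fields[3] == "DNSKEY":
            dnskey_flags.append(int(fields[4]))  # 257 = KSK (SEP set), 256 = ZSK
        elif fields[3] == "RRSIG":
            # rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            rrsigs.append((fields[4], datetime.strptime(fields[8], TS)))
    return dnskey_flags, rrsigs


def check_schedule(text, now_ts, margin_days=7):
    """Return a list of policy violations; an empty list means the zone complies.
    now_ts uses the same YYYYMMDDHHMMSS form as RRSIG timestamps."""
    now = datetime.strptime(now_ts, TS)
    flags, rrsigs = parse_zone(text)
    problems = []
    if 257 not in flags:
        problems.append("no KSK (DNSKEY flags 257) present")
    if 256 not in flags:
        problems.append("no ZSK (DNSKEY flags 256) present")
    for covered, expiration in rrsigs:
        if expiration <= now:
            problems.append(f"RRSIG over {covered} already expired at {expiration:%Y-%m-%d}")
        elif expiration - now < timedelta(days=margin_days):
            problems.append(f"RRSIG over {covered} expires within {margin_days} days (re-sign soon)")
    return problems
```

Run periodically (for example from a systemd timer, as the PR's service does) and alert on a non-empty result; the margin should exceed the signing interval so a stalled re-signing job is noticed before validators start failing.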

@gkleen (Contributor, Author) commented Nov 16, 2017

As far as I can determine this PR indeed does generate validly signed zones. So, as far as I'm concerned, everything works as expected.

@vcunat (Member) commented Nov 17, 2017

Looking only at the BIND changes (for now).

checking python2 version >= 2.7 or python3 version >= 3.2... found

Python 3 instead of 2, please!

Another possibility would be to always build with the tools but separate them into another output. (Python* by itself would make a large fraction of runtime closure and I can understand not everyone needs the tools.) I certainly don't have a strong opinion on this choice; I might lean slightly to have seccomp by default, too. /cc maintainers: @viric, @peti.

@peti (Member) commented Nov 17, 2017

@vcunat, enabling seccomp by default has caused issues in the past: #25645 & #23431.

@vcunat (Member) commented Nov 17, 2017

OK. (Such information is one of the main reasons to ping "maintainers".) Debian does have it, so it's probably doable somehow, but better let it be at least until someone actually wants it.

@gkleen (Contributor, Author) commented Nov 17, 2017

Separating out just the python-based tools would be kind of a pain.

I also can't see a use case where one would need just the python-based tools (keymgr, e.g., mostly just calls the other, more primitive tools), which, I think, is the main feature splitting them out would provide?

@vcunat (Member) commented Nov 17, 2017

No big deal. Not having two versions in some cases, e.g. using dig or something else from BIND "built without python" and at the same time activating this service you add.

@gkleen (Contributor, Author) commented Dec 2, 2017

bump?

@gkleen (Contributor, Author) commented Jan 14, 2018

bump, again

@matthewbauer (Member) commented:

@GrahamcOfBorg build bind

@GrahamcOfBorg: Success on x86_64-darwin (full log)

Attempted: bind


@GrahamcOfBorg: Success on x86_64-linux (full log)

Attempted: bind


@matthewbauer (Member) commented:

Looks good to me! Waiting for this though:

@GrahamcOfBorg test nsd

@GrahamcOfBorg: Success on x86_64-linux (full log)

Attempted: tests.nsd


clientv6: exit status 0
2 out of 2 tests succeeded
test script finished in 23.37s
cleaning up
killing server (pid 593)
killing clientv4 (pid 603)
killing clientv6 (pid 615)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/68yicbp3r8y0wvgjry2nmwnz6njhplx2-vm-test-run-nsd

@matthewbauer matthewbauer merged commit 55a7e45 into NixOS:master Apr 21, 2018
@gkleen gkleen deleted the feat/nsd/dnssec branch April 21, 2018 20:20
@GrahamcOfBorg: Success on aarch64-linux (full log)

Attempted: bind


@GrahamcOfBorg: Failure on aarch64-linux (full log)

Attempted: tests.nsd


cannot build derivation '/nix/store/fdrvsh2iqk80dbpkvwnrs0hrkxwvqhvy-closure-info.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/47aiv7s17j7cw67j4srvm4w29qvy87lb-run-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/4slicr6fl8frvg9yziv55xz3pmxjh0vp-run-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/959zsdfg2hndvx48asb7v8dchs5ww9gw-run-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/94k8icrpq49abd574n6n27a1capgc1vz-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/s0y81zip47v1a8g5nx4jaii4d4c08q0r-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/sl33ac3sz8kvswsdvb8a9wkmr9vd692c-nixos-vm.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/da9y42ssbvrp4ivrsacw5mj3glg36bx9-nixos-test-driver-nsd.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/z31kmkknmfbf91hqbhfwf5q41y8l3x0d-vm-test-run-nsd.drv': 1 dependencies couldn't be built
error: build of '/nix/store/z31kmkknmfbf91hqbhfwf5q41y8l3x0d-vm-test-run-nsd.drv' failed
