Automatic DNSSEC signatures & key schedule for nsd #31724
Conversation
As far as I can determine this PR indeed does generate validly signed zones. So, as far as I'm concerned, everything works as expected.
Looking only at the BIND changes (for now).
Python 3 instead of 2, please! Another possibility would be to always build with the tools but separate them into another output. (Python* by itself would make a large fraction of runtime closure and I can understand not everyone needs the tools.) I certainly don't have a strong opinion on this choice; I might lean slightly to have seccomp by default, too. /cc maintainers: @viric, @peti.
OK. (Such information is one of the main reasons to ping "maintainers".) Debian does have it, so it's probably doable somehow, but better let it be at least until someone actually wants it.
Separating out just the python-based tools would be kind of a pain. I also can't see a use case where one would need just the python-based tools (keymgr, e.g., mostly just calls the other, more primitive tools), which, I think, is the main feature splitting them out would provide?
No big deal. Not having two versions in some cases, e.g. using
bump?
bump, again |
@GrahamcOfBorg build bind |
Success on x86_64-darwin. Attempted: bind
Success on x86_64-linux. Attempted: bind
Looks good to me! Waiting for this though: @GrahamcOfBorg test nsd |
Success on x86_64-linux. Attempted: tests.nsd
Success on aarch64-linux. Attempted: bind
Failure on aarch64-linux. Attempted: tests.nsd
Motivation for this change
This PR adds some (disabled by default) options to nsd which, when enabled, set up a systemd service which automatically generates DNSSEC keys, signs some of the zones with them, and occasionally checks to make sure the zone complies with a key-schedule policy.
For implementing this I also had to patch the package for bind in order to (optionally; disabled by default) include a python script shipped with it, which manages compliance with a key-schedule.
I'd welcome suggestions for improvement or general discussion.
I suggest, however, holding off on merging until I've heard from my DNS provider regarding upstream submission of my DS records and made sure everything does in fact work.
Things done
Tested using sandboxing (option build-use-sandbox in nix.conf on non-NixOS)