
Implement Csync for CDNSKEY #1603

Merged
merged 5 commits into from
Mar 31, 2021

Conversation

@karlerikounapuu (Member) commented Jun 8, 2020

Closes #658

Requires cdnskey-scanner to be installed, so it can crawl cdnskeys of domain zone.

By default, when new CDNSKEY record is found, it is added to the zone if scanner & Job has gone through 3 cycles and the CDNSKEY data is persistent.

Required modifications to config/application.yml:

cdns_scanner_input_file: '/desired/path/to/fred/cdns-scanner/input.txt'
cdns_scanner_output_file: 'desired/path/to/fred/cdns-scanner/output.txt'
dnssec_resolver_ips: 8.8.8.8, 8.8.4.4

...where the file specified in cdns_scanner_input_file is the file which is used for STDIN of the cdnskey-scanner binary and cdns_scanner_output_file is the STDOUT of cdnskey-scanner.

CsyncJob.run(generate: true) can be used to generate content of cdns_scanner_input_file, but it can be created by external script as well. It's optional.

CsyncJob.run reads the cdns_scanner_output_file line by line and keeps track of cycles and whether and when new CDNSKEY can be pushed to zone as DNSKEY.

It is expected that CsyncJob.run is run after cdnskey-scanner has processed the data and successfully output data to cdns_scanner_output_file. The output file must not be modified.

It is expected that CsyncJob.run is triggered only once per each cdnskey-scanner output. Each job run is considered as 1 cycle. As mentioned before, 3/3 cycles triggers the update of zone if the domain doesn't have active DNSSEC data or instantly after first run if it does.

Launch of cdnskey-scanner is not implemented in this PR as the scanning process itself is time consuming. But generally something like this via Cron should work:

cat /path/to/input.txt | cdnskey-scanner <max run time in sec> 1>/path/to/output.txt
bin/rails r -e production "CsyncJob.run" >> log/cron.log 2>&1

  • Better logging

  • Send poll message when DNSSEC data changed for domain

  • Notify registrant if DNSKEY has been added/deleted from zone

  • cdnskey 0 3 0 AA== (remove)

  • Validate DNSSEC doesn't break with new soon-to-be-saved DS
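The cycle-tracking rule described in the PR text (a CDNSKEY is pushed to the zone only after it has been seen unchanged in 3 consecutive job runs for a domain without active DNSSEC data, or immediately for a domain that already has it) can be illustrated with the following Ruby sketch. This is an added example and not the project's CsyncJob code; the scanner line format `<domain> <flags> <protocol> <algorithm> <public_key>`, the `CsyncTracker` class, the constructed sample cycles and the treatment of the `0 3 0 AA==` delete record (which the PR lists as a TODO, so it is only flagged here, never applied) are all assumptions made for the example. The persistence requirement is the security-relevant part: a key that changes or disappears between runs has its counter reset, so a transient or mis-served CDNSKEY never reaches the zone as DNSKEY.

```ruby
require 'set'

# Consecutive cycles a CDNSKEY must be seen unchanged before it reaches the zone
# for a domain without active DNSSEC data (the PR's stated default).
REQUIRED_CYCLES = 3
# RFC 8078 "delete" CDNSKEY; handling it is a TODO in the PR, so it is only
# flagged by this example and never applied.
DELETE_RDATA = '0 3 0 AA=='

# Constructed sample scanner output, one string per scan cycle. The line format
# "<domain> <flags> <protocol> <algorithm> <public_key>" is an assumption made
# for this example, not the real cdnskey-scanner output format.
SAMPLE_CYCLES = [
  "example.ee 257 3 13 AwEAAbKey1\nother.ee 257 3 13 AwEAAbKeyX\n",
  "example.ee 257 3 13 AwEAAbKey1\nother.ee 257 3 13 AwEAAbKeyY\nsecure.ee 257 3 13 AwEAAbKeyS\n",
  "example.ee 257 3 13 AwEAAbKey1\nother.ee 257 3 13 AwEAAbKeyY\ngone.ee 0 3 0 AA==\nbroken line\n"
].freeze

CdnsKey = Struct.new(:flags, :protocol, :algorithm, :public_key) do
  def rdata
    [flags, protocol, algorithm, public_key].join(' ')
  end
end

# Parse one cycle's output into { domain => [CdnsKey, ...] }. Malformed lines
# are skipped rather than aborting the whole run.
def parse_cycle(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    domain, flags, proto, alg, key = line.strip.split(' ', 5)
    next if key.nil? || [flags, proto, alg].any? { |f| f !~ /\A\d+\z/ }

    acc[domain] << CdnsKey.new(Integer(flags), Integer(proto), Integer(alg), key)
  end
end

class CsyncTracker
  Decision = Struct.new(:action, :cycles) # action: :wait, :push or :flag_delete

  # active_dnssec: domains that already carry DNSKEY data in the zone; for these
  # the PR pushes a newly seen CDNSKEY right after the first run.
  def initialize(active_dnssec: Set.new)
    @active_dnssec = active_dnssec
    @streak = Hash.new(0) # [domain, rdata] => consecutive cycles seen
  end

  # Feed one cycle (one scanner output); returns { [domain, rdata] => Decision }.
  def run_cycle(keys_by_domain)
    seen = keys_by_domain.flat_map { |domain, keys| keys.map { |k| [domain, k.rdata] } }
    # A record that vanished or changed since the last cycle is not persistent:
    # its streak is dropped, so the count starts over if it reappears.
    @streak.keep_if { |id, _| seen.include?(id) }
    seen.to_h do |id|
      @streak[id] += 1
      [id, decide(id, @streak[id])]
    end
  end

  private

  def decide((domain, rdata), cycles)
    return Decision.new(:flag_delete, cycles) if rdata == DELETE_RDATA
    return Decision.new(:push, cycles) if @active_dnssec.include?(domain)

    Decision.new(cycles >= REQUIRED_CYCLES ? :push : :wait, cycles)
  end
end

# Run the sample cycles in order and return the decisions made in each one.
def run_all(cycles = SAMPLE_CYCLES, active_dnssec: Set['secure.ee'])
  tracker = CsyncTracker.new(active_dnssec: active_dnssec)
  cycles.map { |text| tracker.run_cycle(parse_cycle(text)) }
end

if $PROGRAM_NAME == __FILE__
  run_all.each_with_index do |decisions, i|
    decisions.each do |(domain, rdata), d|
      puts "cycle #{i + 1}: #{domain} #{rdata} => #{d.action} (#{d.cycles})"
    end
  end
end
```

Running it shows example.ee reaching `:push` only in the third cycle, other.ee never getting past `:wait` because its key changed in cycle 2, secure.ee being pushed at once because it is listed as having active DNSSEC data, and the delete record for gone.ee being flagged instead of acted on.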

@karlerikounapuu karlerikounapuu force-pushed the 658-csync-for-cdnskey branch 17 times, most recently from 56ee215 to 3e8eeb4 Compare June 10, 2020 13:33
@karlerikounapuu karlerikounapuu force-pushed the 658-csync-for-cdnskey branch 13 times, most recently from 39d909c to 2fa020c Compare July 9, 2020 09:24
@yulgolem yulgolem self-requested a review July 29, 2020 11:28
@karlerikounapuu karlerikounapuu force-pushed the 658-csync-for-cdnskey branch from 96daaec to bbeaea9 Compare July 29, 2020 12:10
@vohmar vohmar assigned ratM1n and unassigned vohmar Nov 20, 2020
@karlerikounapuu karlerikounapuu force-pushed the 658-csync-for-cdnskey branch 2 times, most recently from f502626 to 7c6f5d9 Compare March 22, 2021 10:03
@ratM1n commented Mar 22, 2021

on import job execution, I get error: https://gist.github.com/ratM1n/3856a801e45328361b6ed2f723b9cca5

@ratM1n commented Mar 24, 2021

"generate" works as it should, but in import, i get this: https://gist.github.com/ratM1n/bc6601d530935f1093f7363d2478788a

@karlerikounapuu (Member, Author) commented Mar 26, 2021

Before merging, please undo commit a53475d

For testing, Ensure you use RAILS_ENV staging and mock the root anchor via config/application.yml trusted_dnskey key.
Example record:

trusted_dnskey: kreative.ee. 3578 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

@ratM1n commented Mar 29, 2021

last change broke database query: https://gist.github.com/ratM1n/0e8ffabac7bf4010d7f3a7cd192268c3

@yulgolem yulgolem force-pushed the 658-csync-for-cdnskey branch from e3d770b to fe6f5e8 Compare March 29, 2021 14:55
@yulgolem yulgolem force-pushed the 658-csync-for-cdnskey branch from fe6f5e8 to 15ce6d7 Compare March 30, 2021 09:03
author Karl Erik Õunapuu <[email protected]> 1591359032 +0300
committer Alex Sherman <[email protected]> 1617029320 +0500

CsyncJob: Don't respect IPv6 if necessary
@yulgolem yulgolem force-pushed the 658-csync-for-cdnskey branch 4 times, most recently from 448fae8 to a6bb0f1 Compare March 30, 2021 10:21
@yulgolem yulgolem force-pushed the 658-csync-for-cdnskey branch from a6bb0f1 to aa4c040 Compare March 30, 2021 10:47
@yulgolem yulgolem force-pushed the 658-csync-for-cdnskey branch from c08d0b6 to 56565d6 Compare March 30, 2021 11:27
@vohmar vohmar merged commit 0adf956 into master Mar 31, 2021
@vohmar vohmar deleted the 658-csync-for-cdnskey branch June 8, 2021 13:36
Successfully merging this pull request may close these issues.

Csync implementation for cdnskey records