Add DoT support for DNS updates #7678
Conversation
|
Hi, this looks pretty straight-forwards. Code looks good, I will test it. I will also try to see if we can get dyndns tests into PR CI, but this one might be tricky. |
Is this tested in runtime? |
| </varlistentry> | ||
|
|
||
| <varlistentry> | ||
| <term>dyndns_dot_cacert (string)</term> |
There was a problem hiding this comment.
Will it be possible to specify a directory? OpenSSL in CentOS Stream 10 and Fedora 41+ is switching to default not using a single file CA bundle due to performance issues, so we should expect people wanting to use a directory of certs as well for custom bundles.
There was a problem hiding this comment.
No, I don't see any option in nsupdate. https://bind9.readthedocs.io/en/v9.20.1/manpages.html#id126 It all expects a file.
There was a problem hiding this comment.
May be we should ask for that?
|
@thalman Could you add a debug message that would show the nsupdate command line that is executed? Currently, it only shows the data we send. |
|
This PR does not work as is at the moment, it is necessary to specify -H, server and port, i.e.: Otherwise it tries to lookup the server using SOA record over port 53, which works. But then it continues and try to establish TLS on port 53 which timeouts... So right now, we need to explicitly set the hostname, server and port. However, documentation says that this should not be needed, so there's probably a bug in nsupdate. Opened: https://gitlab.isc.org/isc-projects/bind9/-/issues/5028 There is
|
|
To test this, you can install https://copr.fedorainfracloud.org/coprs/antorres/freeipa-unbound-dns/ on ipa container: on client container, renamed it so we have a dns name managed by ipa server: |
thalman
force-pushed
the
dot_nsupdate
branch
from
2010bd9
to
c019ad0
Compare
|
The code has been changed according to our discussion. |
thalman
force-pushed
the
dot_nsupdate
branch
from
c019ad0
to
40c22e4
Compare
|
We should include #7712 first and rebase to fit the changes. |
thalman
force-pushed
the
dot_nsupdate
branch
2 times, most recently
from
5090c4e
to
f292ec5
Compare
src/providers/be_dyndns.c
Outdated
| if (argv == NULL) { | ||
| return NULL; | ||
| } | ||
|
|
||
| if (! sss_is_valid_dns_scheme(server_uri->scheme)) { | ||
| DEBUG(SSSDBG_IMPORTANT_INFO, "Invalid DNS scheme: %s, using dns://\n", server_uri->scheme); |
There was a problem hiding this comment.
Maybe add syslog message if you choose to continue?
There was a problem hiding this comment.
Can you also keep DEBUG? We usually log to both.
src/util/util.c
Outdated
| @@ -1091,3 +1091,81 @@ errno_t sss_getenv(TALLOC_CTX *mem_ctx, | |||
|
|
|||
| return value != NULL ? EOK : ENOENT; | |||
| } | |||
|
|
|||
| errno_t sss_parse_uri(TALLOC_CTX *mem_ctx, const char *uri, struct sss_parsed_uri **_parsed_uri) | |||
There was a problem hiding this comment.
Maybe rename this to sss_parse_dns_uri? This is not usable by common uris.
Also, you can use libcurl to parse it for you https://curl.se/libcurl/c/libcurl-url.html CURLUPART_FRAGMENT will be the DoT server hostname.
There was a problem hiding this comment.
Renamed. It can actually parse ordinary URL but the DNS URI is special.
Unfortunately standard libraries like CURL or libldap (this also has URI parsing function) fail on DNS URIs, so we have to parse it on our own.
There was a problem hiding this comment.
Ok, that's unfortunate.
It can "parse" them, but content after # is treated as hostname instead of uri fragment. That's why I think it is only for this kind of DNS URI.
thalman
force-pushed
the
dot_nsupdate
branch
2 times, most recently
from
8487350
to
d9b40dc
Compare
There was a problem hiding this comment.
The patch kind of works, but it still has issues.
First, I had to apply #7727 otherwise the arguments to nsupdate where added in reverse order nsupdate master.ipa.test -H ... which made nsupdate fail on the hostname.
Additionally, dns+tls should imply port 853 if other port is not set. Otherwise nsupdate will attempt to talk on port 53 which will fail. Until https://gitlab.isc.org/isc-projects/bind9/-/issues/5028 is fixed and backported, we need to workaround it.
And also see my previous comments.
I have prepared containers where you can test it:
services:
client:
image: ${REGISTRY}/dyndns-dot-client:f41
ipa:
image: quay.io/sssd/dyndns-dot-ipa:f41
You can add fake IP to the client:
sudo ip addr add 192.168.100.41 dev eth0
src/providers/be_dyndns.c
Outdated
| @@ -1078,7 +1091,7 @@ struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx, | |||
| goto done; | |||
| } | |||
|
|
|||
| args = be_nsupdate_args(state, auth_type, force_tcp); | |||
| args = be_nsupdate_args(state, auth_type, force_tcp, server_uri, dot_cacert, dot_cert, dot_key); | |||
src/providers/be_dyndns.c
Outdated
| if (argv == NULL) { | ||
| return NULL; | ||
| } | ||
|
|
||
| if (!sss_is_valid_dns_scheme(server_uri)) { | ||
| sss_log(SSS_LOG_WARNING, "Invalid DNS scheme in SSSD config file: %s, using dns://\n", server_uri->scheme); |
src/providers/be_dyndns.c
Outdated
| have_dot_cert = (dot_cert != NULL && dot_cert[0] != 0); | ||
| have_dot_key = (dot_key != NULL && dot_key[0] != 0); | ||
| if (have_dot_key != have_dot_cert) { | ||
| DEBUG(SSSDBG_OP_FAILURE, "The dyndns_dot_cert and dyndns_dot_key must be set both (or none of them)\n"); |
src/util/util.c
Outdated
| @@ -1091,3 +1091,81 @@ errno_t sss_getenv(TALLOC_CTX *mem_ctx, | |||
|
|
|||
| return value != NULL ? EOK : ENOENT; | |||
| } | |||
|
|
|||
| errno_t sss_parse_dns_uri(TALLOC_CTX *mem_ctx, const char *uri, struct sss_parsed_dns_uri **_parsed_uri) | |||
src/util/util.h
Outdated
| char *data; | ||
| }; | ||
|
|
||
| errno_t sss_parse_dns_uri(TALLOC_CTX *ctx, const char *uri, struct sss_parsed_dns_uri **_parsed_uri); |
DNS-over-TLS is a new standard for encrypting DNS traffic. SSSD does not implement the DoT itself but relies on other components of the system. This modification allows as to set a DoT for dynamic DNS updates :config: the `dyndns_server` option is extended so it can be in form of URI (dns+tls://1.2.3.4:853#servername). New set of options `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key` allows to configure DNS-over-TLS communication. :relnote: The DoT for dynamic DNS updates is supported now. It requires new version of `nsupdate` from BIND 9.20.1+
thalman
force-pushed
the
dot_nsupdate
branch
from
d9b40dc
to
98581d8
Compare
DNS-over-TLS is a new standard for encrypting DNS traffic.
SSSD does not implement the DoT itself but relies on other components of the system. This modification allows as to set a DoT for dynamic DNS updates
:config: New set of options
dyndns_dot,dyndns_dot_cacert,dyndns_dot_certanddyndns_dot_keyallows to enableDNS-over-TLS for DNS updates.
:relnote: The DoT for dynamic DNS updates is supported now.
It requires new version of
nsupdatefrom BIND 9.20.3+