Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure and Rectify Zones When they are Created or Modified Through API Calls (POST/PATCH) #3417

Closed
wants to merge 12 commits into from
Closed

Secure and Rectify Zones When they are Created or Modified Through API Calls (POST/PATCH) #3417

wants to merge 12 commits into from

Conversation

nils-wisiol
Copy link
Contributor

This PR extends existing API functionality of POST and PATCH zones by optionally sign and rectify them. To do so, the patch honors the dnssec, nsec3param and nsec3narrow parameters of the API request on POST and stores them. If anything goes wrong with signing or rectifying, the API throws an APIException and aborts the transaction -- the zone will not be inserted. On a PATCH, the zone is rectified again.

Technical note: the code for signing and rectifying was taken from pdnsutil. Due to the amount of code needed for rectifying, it was moved to the DNSSECKeeper to use the same code in pdnsutil and in the API.

The PR does not cause any more gmysql test cases to fail than before. Failing test cases are:

0dyndns-prereq-all
0dyndns-prereq-nxrrset-full
1dyndns-big-package
1dyndns-check-soa-update
1dyndns-update-add-delete
1dyndns-update-add-delete-casesensative
1dyndns-update-add-delete-cname
1dyndns-update-add-delete-ds
1dyndns-update-add-delete-mx
1dyndns-update-add-delete-wildcard
1dyndns-update-add-invalid-record
1dyndns-update-add-soa
1dyndns-update-deep-add-delete
1dyndns-update-deep-delegate
1dyndns-update-delegate
1dyndns-update-delegate-in-between
1dyndns-update-delete-add-host
1dyndns-update-delete-multi-add-host
1dyndns-update-delete-mx-prio
1dyndns-update-delete-ns
1dyndns-update-delete-parent-delegate
1dyndns-update-delete-soa
1dyndns-update-in-between
1dyndns-update-nsec3params
1dyndns-update-nsec3params-with-others
1dyndns-update-replace-a-host
1dyndns-update-replace-cname
1dyndns-update-replace-mx
1dyndns-update-srv
1dyndns-update-update-ttl
2dyndns-update-replace-soa
tsig-axfr
tsig-axfr-algorithm-mismatch
tsig-axfr-key-mismatch
tsig-ixfr
tsig-ixfr-algorithm-mismatch
tsig-ixfr-key-mismatch

I can edit the commit messages if desired.

Please let me know if any more editing is needed in order to pass this PR.

Habbie
Habbie reviewed Feb 20, 2016
View reviewed changes
pdns/pdnsutil.cc Outdated
cerr<<"Adding NSEC ordering information "<<endl;
else if(!narrow) {
if(!isOptOut)
cerr<<"Adding NSEC3 hashed ordering information for '"<<zone.toString()<<"'"<<endl;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like these messages are completely gone after your pull?

@zeha
Copy link
Collaborator

zeha commented Feb 20, 2016

Thank you for submitting this PR. It's a long-standing TODO and indeed we should be doing this sooner than later. As @Habbie noted elsewhere, we've been holding off doing this for various reasons, but we can work on them later after it works as imagined :-)

I have some comments on your changes; if you want/need clarifications or help feel free to drop by on IRC for a more real-time interaction.

  • 550dd18 and 7a9dd50 should be a single commit, because those two just move code around.
  • Creating slave zones via API appears to fail now (see travis)
  • Please add at least one test in regression-tests.api with, say, dnssec=true and ensuring that the zone is indeed set up correctly afterwards. More tests, probably with different nsec3param, nsec3narrow settings would be good as well.
  • Calling stringFromJson with an empty string as the default is equivalent to just calling document["nsec3param"].string_value().
  • In apiServerZones all checking and throwing needs to go before B.createDomain, as otherwise a broken domain is left over in the DB.
  • The error messages for dk.addKey and dk.isSecuredZone failing could be more specific. With pdnsutil there is/was probably more output, and an admin might just look into config files or the DB for clues, where with the API the user might only get that single error message.
  • Error checking on the rectifyZone call in patchZone is missing.

@zeha
Copy link
Collaborator

zeha commented Feb 20, 2016

Documentation also needs an update saying what's supported now. (Incl. a warning that turning off dnssec or back on is not supported yet?)

@Habbie
Copy link
Member

Habbie commented Feb 20, 2016

By the way, all gmysql tests pass for us on master. If they don't pass for you, perhaps you are missing some tools (like nsupdate).

@Habbie
Copy link
Member

Habbie commented Feb 20, 2016

What @zeha is referring to that I said elsewhere is: we've always felt that the right approach is to do a surgically small rectify around the actual update (and I still feel that way). However, because of that idea, we basically forgot to consider your approach, i.e. a full rectify after each update. We have given this some thought today and indeed we want to go forward with your approach. For small zones it will be just fine, for big zones it will make updates slower, but most people have small zones and thus a full rectify is much better than no rectify. Great work!

@nils-wisiol
Copy link
Contributor Author

Thanks for the feedback, it is highly appreciated. I'll start working on the mentioned points as soon as possible and then get back to you.

@pieterlexis pieterlexis added this to the auth-4.0.0 milestone Feb 25, 2016
@nils-wisiol
Copy link
Contributor Author

@zeha, I would like to move error checking in ApiServerZones before B.createDomain. Error checking though is partially done by DNSSECKeeper::setNSEC3PARAM, which in turn returns false if some database query fails. The query requires the nsec3data to be in the database, which I believe requires the domain to exist.

Why is B.createDomain called before the transaction is started? Can't we fix this by enclosing the creation of the domain in the transaction as well?

DNSSECKeeper::setNSEC3PARAM btw sometimes throws, sometimes returns false on failure. Do we need to handle them differently?

@nils-wisiol
Copy link
Contributor Author

@zeha, I did some research on the dk.addKey and dk.isSecuredZone errors. Essentially addKey fails, if DNSSEC is not supported by any backend (this is what the current error message says). isSecuredZone fails, if the zone was presigned (which we check before) or the zone has too many non-empty terminals (which I now included into the error msg).

I'd leave the addKey message unchanged, but I'm also open for concrete suggestions.

@nils-wisiol nils-wisiol force-pushed the api-sign-rectify branch 4 times, most recently from 581a0e8 to 2a105a3 Compare February 28, 2016 11:51
@zeha
Copy link
Collaborator

zeha commented Feb 28, 2016

@zeha, I would like to move error checking in ApiServerZones before B.createDomain. Error checking though is partially done by DNSSECKeeper::setNSEC3PARAM, which in turn returns false if some database query fails. The query requires the nsec3data to be in the database, which I believe requires the domain to exist.
Okay, that's a bit unfortunate. I think the only part that we can and should care about is the max-nsec3-iterations check. Maybe we can split setNSEC3PARAM into one function for checking and one for setting.

Why is B.createDomain called before the transaction is started? Can't we fix this by enclosing the creation of the domain in the transaction as well?
It's my understanding that beginTransaction already needs the zone Id, and we get that by calling createDomain.

DNSSECKeeper::setNSEC3PARAM btw sometimes throws, sometimes returns false on failure. Do we need to handle them differently?

It appears to return false on catastrophic failure/misconfiguration. That's odd. Maybe it's behaviour will be a lot clearer if the function is split as suggested above.

Thanks!

@Habbie
Copy link
Member

Habbie commented Apr 8, 2016

This branch has conflicts

@nils-wisiol nils-wisiol mentioned this pull request Jun 13, 2016
Open
@Habbie Habbie modified the milestones: auth-4.1.0, auth-4.0.0 Jul 7, 2016
This was referenced Jul 6, 2017
Closed
Open
@Habbie
Copy link
Member

Habbie commented Aug 16, 2017

This branch still has conflicts.

@Habbie Habbie modified the milestones: auth-4.2.0, former-auth-4.1.0 Aug 16, 2017
@nils-wisiol
feat(api): sign zone on POST if dnssec=true
6a433cb 
If a POST request contains the "dnssec" parameter set to true, we
sign the zone with DNSSECKeeper.addKey and algorithms and parameters
given in the
- default-ksk-algorithms
- default-zsk-algorithms
- default-ksk-size
- default-zsk-size
config paratmers.

If the configured algorithms cannot be used, we throw an
ApiException.

The zone will not yet be automatically rectified.
@nils-wisiol
feat(dnsseckeeper): move recitfyZone() to DNSSECKeeper
15ea6e3 
Copied code from pdnsutil to DNSSECKeeper in order to reuse it.
@nils-wisiol
feat(api): rectify zone on POST and PATCH
28fbda3
@nils-wisiol nils-wisiol force-pushed the api-sign-rectify branch 3 times, most recently from 9b96283 to ddeffb0 Compare August 19, 2017 06:13
@aerique aerique mentioned this pull request Sep 11, 2017
Closed
@aerique aerique modified the milestones: auth-4.1.0, auth-4.2.0 Sep 11, 2017
@pieterlexis pieterlexis self-assigned this Sep 11, 2017
pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Oct 6, 2017
@pieterlexis
API: Implement conditional rectification
2b96006 
This commit takes a lot of ideas and code from PowerDNS#3417 and subsequent
development and implements the following things:

 - Generate DNSSEC keys for a zone when "dnssec" is true in an API
   POST/PATCH for zones
 - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
 - Allow setting this metadata via the "api-rectify" param in a Zone
   object
 - Shows "nsec3param" and "nsec3narrow" in Zone API responses
 - Adds an "rrsets" request parameter for a zone to skip sending RRSets
   in the response (Closes PowerDNS#5712)

Closes PowerDNS#3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial
implementation.
pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Oct 6, 2017
@pieterlexis
API: Implement conditional rectification
eabc537 
This commit takes a lot of ideas and code from PowerDNS#3417 and subsequent
development and implements the following things:

 - Generate DNSSEC keys for a zone when "dnssec" is true in an API
   POST/PATCH for zones
 - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
 - Allow setting this metadata via the "api-rectify" param in a Zone
   object
 - Shows "nsec3param" and "nsec3narrow" in Zone API responses
 - Adds an "rrsets" request parameter for a zone to skip sending RRSets
   in the response (Closes PowerDNS#5712)

Closes PowerDNS#3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial
implementation.
@pieterlexis pieterlexis mentioned this pull request Oct 6, 2017
Merged
6 tasks
pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Oct 16, 2017
@pieterlexis
API: Implement conditional rectification
e503326 
This commit takes a lot of ideas and code from PowerDNS#3417 and subsequent
development and implements the following things:

 - Generate DNSSEC keys for a zone when "dnssec" is true in an API
   POST/PATCH for zones
 - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
 - Allow setting this metadata via the "api-rectify" param in a Zone
   object
 - Shows "nsec3param" and "nsec3narrow" in Zone API responses
 - Adds an "rrsets" request parameter for a zone to skip sending RRSets
   in the response (Closes PowerDNS#5712)

Closes PowerDNS#3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial
implementation.
pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Oct 17, 2017
@pieterlexis
API: Implement conditional rectification
986e485 
This commit takes a lot of ideas and code from PowerDNS#3417 and subsequent
development and implements the following things:

 - Generate DNSSEC keys for a zone when "dnssec" is true in an API
   POST/PATCH for zones
 - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
 - Allow setting this metadata via the "api-rectify" param in a Zone
   object
 - Shows "nsec3param" and "nsec3narrow" in Zone API responses
 - Adds an "rrsets" request parameter for a zone to skip sending RRSets
   in the response (Closes PowerDNS#5712)

Closes PowerDNS#3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial
implementation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@pieterlexis pieterlexis

Labels
auth enhancement rest-api
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nils-wisiol @zeha @Habbie @aerique @pieterlexis