Rectify zones via the API #5779
Conversation
|
@pieterlexis, thank you for completing this! 👍 |
|
@pieterlexis Does this also allow setting NSEC3 settings? |
|
pdns/dbdnsseckeeper.cc
Outdated
| return false; | ||
| } | ||
|
|
||
| UeberBackend B("default"); |
There was a problem hiding this comment.
DNSSECKeeper is supposed to have an UeberBackend instance already, so can you reuse that?
There was a problem hiding this comment.
Interestingly, re-using the UeberBackend in the DNSSECKeeper makes the bind-dnssec-both test fail because getSOAUncached() returns false for secure-delegated.dnssec-parent.com. Investigating
There was a problem hiding this comment.
confirmed, reverting 1d7630f makes all the tests pass.
There was a problem hiding this comment.
That sounds reaaaally bad. Like someone keeping a list() operation open or sth.
There was a problem hiding this comment.
ah, I think I got it. In pdnsutil.cc:1983 we create a DNSSECKeeper object without handing it an UeberBackend. So when rectifyZone (in pdnsutil) is called we indeed can not get a SOA from that dk.
There was a problem hiding this comment.
so this is a bug(ish) in pdnsutil, but it does mean that calling DNSSECKeeper::rectifyZone means we need the Ueber backend. Maybe it indeed makes more sense to move rectifyZone to the UeberBackend (but that has other pain points)
There was a problem hiding this comment.
Alright, I have made a solution that uses the existing UeberBackend if it works and allocates a new one when needed. C++ wizards are welcome to make this better......
docs/http-api/zone.rst
Outdated
|
|
||
| ``dnssec``, ``nsec3narrow``, ``nsec3param``, ``presigned`` are not yet implemented. | ||
| ``secure-zone`` and ``rectify-zone`` (if ``api_rectify`` is set to "1"). | ||
| This also applies to newly created zones. If ``presigned`` is ``true``, |
There was a problem hiding this comment.
the mismatch of 1 and true is quite ugly here. I think API consumers should not carry the burden of dealing with different truthiness values
There was a problem hiding this comment.
I think I do make a bool out of, but it is wrongly documented
There was a problem hiding this comment.
the code below indeed confused me. please check whats actually there and i think boolifying it is a good idea (:
There was a problem hiding this comment.
The POST/PUT and GET for api_rectify were not consistent. It is fully boolified on the API level in the upcoming push.
pdns/ws-auth.cc
Outdated
| if (k_algo != -1) { | ||
| int64_t id; | ||
| if (!dk.addKey(zonename, true, k_algo, id, k_size)) { | ||
| throw ApiException("No backend was able to secure '" + zonename.toString() + "', most likely because no DNSSEC" |
There was a problem hiding this comment.
This message is duplicated at least three times.
Also I can't say I like these super-long messages that suggest backend-specific config settings...
| } | ||
| if (!dk.setNSEC3PARAM(zonename, ns3pr, boolFromJson(document, "nsec3narrow", false))) { | ||
| throw ApiException("NSEC3PARAMs provided for zone '" + zonename.toString() + | ||
| "' passed our basic sanity checks, but cannot be used with the current backend."); |
There was a problem hiding this comment.
I believe current is the better word here; "hosting" over-specifies the backend and suggests there is more than one backend at a time.
pdns/ws-auth.cc
Outdated
| if (!dk.rectifyZone(zonename, error_msg)) | ||
| throw ApiException("Failed to rectify '" + zonename.toString() + "' " + error_msg); | ||
| } | ||
|
|
||
| di.backend->commitTransaction(); |
There was a problem hiding this comment.
dk.rectifyZone calls commitTransaction too, right? Maybe dk.rectifyZone shouldn't deal with backend lookups and transactions at all.
There was a problem hiding this comment.
That would mean that all callers are responsible for this? I would prefer dk.rectifyZone() to do some sanity checking and perform adding the ENTs in a safe way
There was a problem hiding this comment.
Probably. But it'd be great if the API could modify and rectify the zone in one TX, so no unrectified stuff is ever served by the DNS parts...
There was a problem hiding this comment.
that is a sexy idea......
There was a problem hiding this comment.
Will be implemented
pieterlexis
force-pushed
the
api-rectify-version-2
branch
from
e302b52 to
0448186
Compare
|
@zeha I think the new commits will satisfy your comments? |
pieterlexis
force-pushed
the
api-rectify-version-2
branch
from
8018aba to
b921754
Compare
This commit takes a lot of ideas and code from PowerDNS#3417 and subsequent development and implements the following things: - Generate DNSSEC keys for a zone when "dnssec" is true in an API POST/PATCH for zones - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1 - Allow setting this metadata via the "api-rectify" param in a Zone object - Shows "nsec3param" and "nsec3narrow" in Zone API responses - Adds an "rrsets" request parameter for a zone to skip sending RRSets in the response (Closes PowerDNS#5712) Closes PowerDNS#3417 Many thanks to Nils Wisiol (@nils-wisiol) for the initial implementation.
But use a full UeberBackend when needed.
This is added so the API can wrap an update to a zone's records *and* DNSSEC info into a single transaction.
pieterlexis
force-pushed
the
api-rectify-version-2
branch
from
b921754 to
89a7e70
Compare
Short description
This PR adds zone rectification to the API. Work done:
This PR takes a lot of ideas and code from #3417 and subsequent development.
Closes #3417
Many thanks to Nils Wisiol (@nils-wisiol) for the initial implementation.
Checklist
I have: