Add DoT support for DNS updates #7678
Conversation
|
Hi, this looks pretty straight-forwards. Code looks good, I will test it. I will also try to see if we can get dyndns tests into PR CI, but this one might be tricky. |
Is this tested in runtime? |
| </varlistentry> | ||
|
|
||
| <varlistentry> | ||
| <term>dyndns_dot_cacert (string)</term> |
There was a problem hiding this comment.
Will it be possible to specify a directory? OpenSSL in CentOS Stream 10 and Fedora 41+ is switching to default not using a single file CA bundle due to performance issues, so we should expect people wanting to use a directory of certs as well for custom bundles.
There was a problem hiding this comment.
No, I don't see any option in nsupdate. https://bind9.readthedocs.io/en/v9.20.1/manpages.html#id126 It all expects a file.
There was a problem hiding this comment.
May be we should ask for that?
There was a problem hiding this comment.
Could you open a ticket at https://gitlab.isc.org/isc-projects/bind9? You have more insights about it than I do.
|
@thalman Could you add a debug message that would show the nsupdate command line that is executed? Currently, it only shows the data we send. |
|
This PR does not work as is at the moment, it is necessary to specify -H, server and port, i.e.: Otherwise it tries to lookup the server using SOA record over port 53, which works. But then it continues and try to establish TLS on port 53 which timeouts... So right now, we need to explicitly set the hostname, server and port. However, documentation says that this should not be needed, so there's probably a bug in nsupdate. Opened: https://gitlab.isc.org/isc-projects/bind9/-/issues/5028 There is
|
|
To test this, you can install https://copr.fedorainfracloud.org/coprs/antorres/freeipa-unbound-dns/ on ipa container: on client container, renamed it so we have a dns name managed by ipa server: |
thalman
force-pushed
the
dot_nsupdate
branch
from
2010bd9 to
c019ad0
Compare
|
The code has been changed according to our discussion. |
thalman
force-pushed
the
dot_nsupdate
branch
from
c019ad0 to
40c22e4
Compare
|
We should include #7712 first and rebase to fit the changes. |
thalman
force-pushed
the
dot_nsupdate
branch
2 times, most recently
from
5090c4e to
f292ec5
Compare
thalman
force-pushed
the
dot_nsupdate
branch
2 times, most recently
from
8487350 to
d9b40dc
Compare
There was a problem hiding this comment.
The patch kind of works, but it still has issues.
First, I had to apply #7727 otherwise the arguments to nsupdate where added in reverse order nsupdate master.ipa.test -H ... which made nsupdate fail on the hostname.
Additionally, dns+tls should imply port 853 if other port is not set. Otherwise nsupdate will attempt to talk on port 53 which will fail. Until https://gitlab.isc.org/isc-projects/bind9/-/issues/5028 is fixed and backported, we need to workaround it.
And also see my previous comments.
I have prepared containers where you can test it:
services:
client:
image: ${REGISTRY}/dyndns-dot-client:f41
ipa:
image: quay.io/sssd/dyndns-dot-ipa:f41
You can add fake IP to the client:
sudo ip addr add 192.168.100.41 dev eth0
d9b40dc to
98581d8
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
thalman
force-pushed
the
dot_nsupdate
branch
2 times, most recently
from
2c7003e to
28f7e9e
Compare
|
dyndns-tests fails / upd fixed already, github did not refresh page properly |
DNS-over-TLS is a new standard for encrypting DNS traffic. SSSD does not implement the DoT itself but relies on other components of the system. This modification allows as to set a DoT for dynamic DNS updates :config: the `dyndns_server` option is extended so it can be in form of URI (dns+tls://1.2.3.4:853#servername). New set of options `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key` allows to configure DNS-over-TLS communication. :relnote: The DoT for dynamic DNS updates is supported now. It requires new version of `nsupdate` from BIND 9.19+.
There was a problem hiding this comment.
Ack, dynamic DNS update works using dyndns-dot-client and dyndns-dot-ipa containers with dyndns_server = dns+tls://172.16.100.10#master.ipa.test
Not necessary for this PR but IMO it would be nice to allow users to set dyndns_auth = DoT which will be detected as enabling DNS over DoT without the need to specify a URI (or I guess dyndns_auth = DoT, GSS-TSIG if both are used).
|
CI failure |
This was the original idea, unfortunately, nsupdate is buggy at the moment. See: https://gitlab.isc.org/isc-projects/bind9/-/issues/5028 |
pbrezina
added
Accepted
Ready to push
DNS-over-TLS is a new standard for encrypting DNS traffic.
SSSD does not implement the DoT itself but relies on other components of the system. This modification allows as to set a DoT for dynamic DNS updates
:config: New set of options
dyndns_dot,dyndns_dot_cacert,dyndns_dot_certanddyndns_dot_keyallows to enableDNS-over-TLS for DNS updates.
:relnote: The DoT for dynamic DNS updates is supported now.
It requires new version of
nsupdatefrom BIND 9.20.3+