Add DoT support for DNS updates #7678

Closed (1 commit)
3 changes: 3 additions & 0 deletions src/config/SSSDConfig/sssdoptions.py
Expand Up @@ -207,6 +207,9 @@ def __init__(self):
'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server': _("Override the DNS server used to perform the DNS update"),
'dyndns_dot_cacert': _("The file of the certificate authorities certificates for DoT"),
'dyndns_dot_cert': _("The certificate(s) file for authentication for the DoT transport"),
'dyndns_dot_key': _("The key file for authenticated encryption for the DoT transport"),
'subdomain_enumerate': _('Control enumeration of trusted domains'),
'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
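Review bot: the three new description strings read awkwardly, and the `dyndns_dot_key` one is misleading: "authenticated encryption" is a cipher-mode term, whereas the file holds the client private key used for TLS client authentication. Suggest `'dyndns_dot_cacert': _("File with the CA certificates used to verify the DoT server")`, `'dyndns_dot_cert': _("Client certificate file for TLS authentication over DoT")` and `'dyndns_dot_key': _("Private key file matching dyndns_dot_cert")`, so the config tool's help text says what each file actually is.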
6 changes: 6 additions & 0 deletions src/config/SSSDConfigTest.py
Expand Up @@ -567,6 +567,9 @@ def testListOptions(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
Expand Down Expand Up @@ -928,6 +931,9 @@ def testRemoveProvider(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
3 changes: 3 additions & 0 deletions src/config/cfg_rules.ini
Expand Up @@ -443,6 +443,9 @@ option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_auth_ptr
option = dyndns_server
option = dyndns_dot_cacert
option = dyndns_dot_cert
option = dyndns_dot_key

# files provider specific options
option = passwd_files
3 changes: 3 additions & 0 deletions src/config/etc/sssd.api.conf
Expand Up @@ -216,6 +216,9 @@ dyndns_update_ptr = bool, None, false
dyndns_force_tcp = bool, None, false
dyndns_auth = str, None, false
dyndns_server = str, None, false
dyndns_dot_cacert = str, None, false
dyndns_dot_cert = str, None, false
dyndns_dot_key = str, None, false

# Special providers
[provider/permit]
68 changes: 66 additions & 2 deletions src/man/sssd-ad.5.xml
Expand Up @@ -1328,12 +1328,26 @@ ad_gpo_map_deny = +my_pam_service
<para>
Setting this option makes sense for environments
where the DNS server is different from the identity
server.
server or when we use encrypted DNS.
</para>
<para>
The parameter can be a simple string containing
DNS name or IP address. It can also be an URI.
The URI can look like
<emphasis>dns://servername/</emphasis> or
<emphasis>dns+tls://1.2.3.4:853#servername/</emphasis>.
</para>
<para>
The second example enables DNS-over-TLS protocol for
DNS updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
autodetected settings failed or when DNS-over-TLS
is enabled.
</para>
<para>
Default: None (let nsupdate choose the server)
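Review bot: the URI example `dns+tls://1.2.3.4:853#servername/` leaves the role of the fragment unexplained; if the name after `#` is the hostname the server's TLS certificate is validated against, the paragraph should say so explicitly, because with an IP literal in the authority part there is otherwise nothing to match the certificate to, and an administrator who drops the fragment may end up with a connection that is encrypted but not verified. Two wording points in the same hunk: "or when we use encrypted DNS" should be impersonal ("or when encrypted DNS is used"), and "will be only used in fallback attempt" should read "will only be used in a fallback attempt".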
Expand All @@ -1356,6 +1370,56 @@ ad_gpo_map_deny = +my_pam_service
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
(review thread on this line)

Contributor:
Will it be possible to specify a directory? OpenSSL in CentOS Stream 10 and Fedora 41+ is switching to default not using a single file CA bundle due to performance issues, so we should expect people wanting to use a directory of certs as well for custom bundles.

@pbrezina (Member), Nov 6, 2024:
No, I don't see any option in nsupdate. https://bind9.readthedocs.io/en/v9.20.1/manpages.html#id126 It all expects a file.

Contributor:
Maybe we should ask for that?

Member:
Could you open a ticket at https://gitlab.isc.org/isc-projects/bind9? You have more insights about it than I do.

<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achieve mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />

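Review bot: the dyndns_dot_key paragraph describes the file as "the key file for authenticated encryption", which is a misnomer; it is the private key matching dyndns_dot_cert, used for TLS client (mutual) authentication, and the text should say that. Two things an operator needs that the entries do not state: the private key file must be readable by the process that runs nsupdate and should not be world-readable, and what happens when only one of dyndns_dot_cert / dyndns_dot_key is set (the "must be both set" sentence implies it is an error, but does not say whether SSSD rejects the configuration or silently skips client authentication). Also "the certificate authorities certificates" should read "the certificate authority (CA) certificates".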
68 changes: 66 additions & 2 deletions src/man/sssd-ipa.5.xml
Expand Up @@ -321,12 +321,26 @@
<para>
Setting this option makes sense for environments
where the DNS server is different from the identity
server.
server or when we use encrypted DNS.
</para>
<para>
The parameter can be a simple string containing
DNS name or IP address. It can also be an URI.
The URI can look like
<emphasis>dns://servername/</emphasis> or
<emphasis>dns+tls://1.2.3.4:853#servername/</emphasis>.
</para>
<para>
The second example enables DNS-over-TLS protocol for
DNS updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
autodetected settings failed or when DNS-over-TLS
is enabled.
</para>
<para>
Default: None (let nsupdate choose the server)
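Review bot: "The nsupdate utility must support DoT - check the man nsupdate before enabling it in SSSD" leaves the failure mode unspecified. The paragraph should state what SSSD does when a `dns+tls://` URI is configured but the installed nsupdate has no DoT support: failing the update (so the operator notices) is the safe behaviour, whereas retrying over plain DNS would quietly defeat the purpose of the setting. If a minimum nsupdate/BIND version is known, naming it here would save readers a trip to the nsupdate manual. The reworked "only used in fallback attempt ... or when DNS-over-TLS is enabled" sentence is also hard to parse; consider "This option is always used when DNS-over-TLS is enabled; otherwise it is only used in a fallback attempt after the autodetected settings have failed."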
Expand All @@ -349,6 +363,56 @@
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achieve mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>ipa_access_order (string)</term>
<listitem>
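Review bot: the three varlistentry blocks added here are a verbatim copy of the ones added to sssd-ad.5.xml. The man pages already share text through `<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />`, so the dyndns_dot_cacert / dyndns_dot_cert / dyndns_dot_key entries (and the new dyndns_server paragraphs) belong in an include/ fragment; otherwise the two pages will drift apart on the first follow-up fix.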
3 changes: 3 additions & 0 deletions src/providers/ad/ad_opts.c
Expand Up @@ -325,6 +325,9 @@ struct dp_option ad_dyndns_opts[] = {
{ "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};

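Review bot: only `ad_dyndns_opts` gains the three new entries, yet sssd-ipa.5.xml in this same diff documents dyndns_dot_cacert / dyndns_dot_cert / dyndns_dot_key for the IPA provider. Unless the IPA provider reuses this table, its own dyndns option table needs the same three lines, or the IPA man page documents options that are never parsed; please confirm which it is. The entries themselves (DP_OPT_STRING with a NULL_STRING default) are consistent with the existing `dyndns_server` line.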