Skip to content

Add signzone command. #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ximon18 merged 333 commits into from
Jun 2, 2025
Merged

Add signzone command. #8

ximon18 merged 333 commits into from
Jun 2, 2025

Conversation

@ximon18
Copy link
Member

@ximon18 ximon18 commented Oct 17, 2024
edited
Loading

Currently depends on domain branch initial-nsec3-generation, which has had multiple branches/PRs merged into it (see NLnetLabs/domain#416)

Supports:

  • The basic command line arguments zonefile key [key [key]] and the NSEC3 arguments -n, -a, -t, -s and -p.
  • Additional command line arguments -o, -i, d, -e, -f,-u, -A, -U and -v.
  • -z and -Z for ZONEMD

Partially supports:

  • Command line argument -b (support for Bubble Babble DS comment output is not planned at present).

Lacks but should have support for:

Lacks and do not plan to add support for:

  • OpenSSL engine related arguments.
  • Bubble Babble DS comment output.

Other:

  • Partial signing and re-signing: LDNS has strange behaviour here, so dnst removes DNSSEC records on loading already signed zonefiles.
  • Verify that it is expected that the -U option causes a warning from dnssec-verify (it also does so for the original ldns-signzone when using -U so I think this is fine). We should think do we want to support the -U option for dnst signzone?
  • Rendering zonefile entries may not exactly match the output of ldns-signzone as the behaviour is determined by the domain crate. (see ldns_rr2buffer_str_fmt() in LDNS). Known differences are:
    • Some RDATA values are cased differently, but all known examples relate to RFCs that say that the text in question is "case-insensitive", so this is a difference but not an error.

Additional related DRAFT PRs:

This PR adds automated tests but has also been tested manually against the original ldns-signzone and dnssec-signzone.

@ximon18 ximon18 requested a review from a team October 17, 2024 13:32
@ximon18 ximon18 marked this pull request as ready for review October 17, 2024 13:32
@ximon18 ximon18 changed the title Add ldns-sign-zone like support. Add ldns-signzone like support. Oct 17, 2024
@ximon18 ximon18 mentioned this pull request Oct 17, 2024
Open
12 tasks
@ximon18 ximon18 marked this pull request as draft October 28, 2024 12:55
bal-e
bal-e requested changes Nov 5, 2024
View reviewed changes
Copy link
Contributor

@bal-e bal-e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work, @ximon18! We'll have to see whether the argument parsing needs to be changed to separate ldns / dnst, but the code generally looks good.

@ximon18 ximon18 changed the title Add ldns-signzone like support. Add signzone command. Nov 13, 2024
@ximon18 ximon18 self-assigned this Nov 13, 2024
@mozzieongit
Copy link
Member

mozzieongit commented Nov 14, 2024

dnst-signzone currently allows not specifying a key to sign with. In that case it just copies the original zone over into the .signed file (with no signatures ofc).

@bal-e bal-e mentioned this pull request Nov 15, 2024
Merged
@ximon18
Copy link
Member Author

ximon18 commented Nov 20, 2024
edited
Loading

dnst-signzone currently allows not specifying a key to sign with. In that case it just copies the original zone over into the .signed file (with no signatures ofc).

That's a bug.

Update: Fixed in 907a634.

mozzieongit
mozzieongit reviewed Nov 20, 2024
View reviewed changes
ximon18 added 16 commits November 25, 2024 15:56
@ximon18
Add missing import.
e2f1d86
@ximon18
Improved LDNS compatibility: Use DNSKEY RRs that correspond to loaded…
add8bdb 
… private keys else fall back to loading public keys.
@ximon18
Change 'A' custom dnst option to 'P' because 'A' is needed for an exi…
0cc0535 
…sting LDNS option.
@ximon18
Remove commented out code.
084d9a4
@ximon18
Move ? operator to more logical location: attached to the fn call it …
3d16bb3 
…relates to.
@ximon18
Pass an is_ldns flag to commands.
5894db7
@ximon18
Factor out ANSI colourisation support.
6297442
@ximon18
Add LDNS style warnings about chosen iteration counts.
724846a
@ximon18
Cargo fmt.
221bba1
@ximon18
Fix lifetime error.
d68c919
@ximon18
Update help texts to match updated key discovery behaviour.
5ec8127
@ximon18
Removed outdated TODO comment.
fd08b03
@ximon18
Remove incorrect formatting logic.
b0b4c10
@ximon18
Remove unused code.
8ec7479
@ximon18
Remove duplicate comment.
a7503e4
@ximon18
Remove commented out code.
7b2659f
@ximon18 ximon18 mentioned this pull request May 15, 2025
Merged
@ximon18 ximon18 mentioned this pull request May 16, 2025
Open
60 tasks
ximon18 and others added 22 commits May 19, 2025 13:33
@ximon18
Add tests for -H. (#74)
e51c4a1 
- Don't permit signing keys to be passed as arguments when using `-H`.
- Don't attempt to process signing keys when using `-H`.
@ximon18
Add integration tests using -p. (#73)
0a9bf48
@ximon18
Add test for dnst signzone -L. (#71)
ebbef78
@ximon18
Add a test of the -d command line argument. (#69)
aea36ea
@Philip-NLnetLabs
Remove signzone minus capital m (#79)
f3aebfa 
* Remove -M option.

* Fallout of merging.
@ximon18 @Philip-NLnetLabs
Add a test of '-u'. (#72)
afd2d28 
- Add a test of '-u' that sets the SOA SERIAL to the Epoch time now if ahead of the SOA SERIAL, or increments the SOA SERIAL otherwise.
- Change the code that determines the serial now to do so with its own mockable source of time from the environment, instead of using Serial::now() which hard-codes use of the real system clock.
- Extend the concept of Env to support seconds since the epoch which can be overridden when using FakeEnv.

---------

Co-authored-by: Philip-NLnetLabs <[email protected]>
@ximon18
Add tests for -b. (#70)
1c2ce14
@ximon18
Minimally update dnst signzone man page. (#77)
9090043 
* Add missing arguments and re-order arguments to match -h output, plus some argument re-ordering to better group related arguments together in -h output.

* Remove orphaned comment.

* Note that we don't attempt to detect a zone file origin if not defined, unlike ldns-signzone which will use the owner of the first SOA RR as the origin. To support this would require a change in the `domain` zonefile parser which we are not convinced would be right, but may revisit this if there appears to be actual users out there depending on and wanting this detection logic.
@ximon18
signzone command line argument cleanup and additional checks. (#75)
cd5ba26 
- Be consistent with trailing periods (not shown in -h but the inconsistencies are visible via --help).
- Document in --help output arguments that have dependencies on other arguments.
- Encode some inter-argument dependencies via Clap rules.
- Also makes LDNS mode error message the same as the real ldns-signzone.
@ximon18
Remove/update outdated comments referring to '-b'.
87b81e4
@ximon18
Removed/updated more outdated comments.
278c9ab
@ximon18
Fix signing of zones with early glue. (#67)
dbd9a96 
- Require `-o` for `dnst signzone`, but for `ldns-signzone` allow it to be missing and then use the owner name first SOA found as the apex. This avoids unreliable apex detection in `dnst`, while keeping maximum backward compatibility with `ldns`.
- Removed the no longer necessary separation of `execute()` into an extra `go_further()` fn, which was previously needed as a workaround for using the right generic values.
- Did some cleanup in affected/related code, e.g. bump the SOA SERIAL and use only that bumped SOA RR rather than use two different SOA RRs, refer to `new_default_rr_ttl` instead of `soa_rr.ttl()` to make it clear that it's not per se the SOA RR TTL we are interested in, this is just the default we choose to use, and make more use of the `apex` variable.
- Improved an error message.
- Added some tests for the case of early glue showing that the wrong apex is no longer searched for a SOA by the signer.
@ximon18
Merge branch 'main' into add-ldns-like-sign-zone-support
d6aa935
@ximon18
Resolve warning "warning: use of deprecated method `tempfile::TempDir…
315f404 
…::into_path`: use TempDir::keep()".
@ximon18
Merge branch 'main' into add-ldns-like-sign-zone-support
046f39d
@ximon18
Remove -L argument to ldns-signzone, as the original ldns-signzone do…
7207608 
…esn't have this option.
@ximon18
Fix compilation error with minimal versions by upgrading the tempfile…
9ce8180 
… dependency.
@ximon18
Remove unused function.
d4d6c5d
@Philip-NLnetLabs
Fix comment to match code.
d12b709
@Philip-NLnetLabs
Improve comment about KSKs and ZSKs.
aef1092
@Philip-NLnetLabs
Reformulated list of supported algorithms.
b448e2f
@Philip-NLnetLabs
A bit of text about about public keys.
2939b63
@ximon18 ximon18 mentioned this pull request May 28, 2025
Merged
@ximon18
Copy link
Member Author

ximon18 commented Jun 2, 2025

We agreed to ignore the Windows CI failures for the moment for this PR and so are ready to merge this as is.

@ximon18 ximon18 merged commit 7ec5de2 into main Jun 2, 2025
11 of 29 checks passed
@ximon18 ximon18 deleted the add-ldns-like-sign-zone-support branch June 2, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tertsdiepraam tertsdiepraam tertsdiepraam left review comments

@mozzieongit mozzieongit mozzieongit left review comments

@Philip-NLnetLabs Philip-NLnetLabs Philip-NLnetLabs left review comments

@bal-e bal-e bal-e requested changes

Assignees

@ximon18 ximon18

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ximon18 @mozzieongit @Philip-NLnetLabs @tertsdiepraam @bal-e @partim