Skip to content

DNSSEC-Provisioning/multi-signer-controller

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
.gitignore
.gitignore
 
 
EXAMPLE.md
EXAMPLE.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
add_cmd.go
add_cmd.go
 
 
automate_cmd.go
automate_cmd.go
 
 
cmd.go
cmd.go
 
 
config.go
config.go
 
 
config_cmd.go
config_cmd.go
 
 
daemon_cmd.go
daemon_cmd.go
 
 
desec.go
desec.go
 
 
desec_updater.go
desec_updater.go
 
 
go.mod
go.mod
 
 
group_cmd.go
group_cmd.go
 
 
help_cmd.go
help_cmd.go
 
 
home.html
home.html
 
 
main.go
main.go
 
 
nsupdate_updater.go
nsupdate_updater.go
 
 
remove_cmd.go
remove_cmd.go
 
 
signer_cmd.go
signer_cmd.go
 
 
status_cmd.go
status_cmd.go
 
 
sync_cmd.go
sync_cmd.go
 
 
test_desec_cmd.go
test_desec_cmd.go
 
 
test_update_cmd.go
test_update_cmd.go
 
 
updater.go
updater.go
 
 
wait_cmd.go
wait_cmd.go
 
 
websocket.go
websocket.go
 
 

Repository files navigation

multi-signer-controller

Control of a DNSSEC multi-signer group

Configuration

All configuration option values are either a string or an array of string.

Current list of configuration options:

  • groups: An array of all multi-signer groups as FQDNs
  • signers:<fqdn>: An array of all signer names in a group.
  • signer:<name>: The <host|ip>:port of the authority name-server of a signer.
  • signer-group:<name>: The FQDN of the group a signer is part of.
  • signer-type:<name>: The type of Updater to use for the signer, default nsupdate.
  • signer-ns:<name>: The FQDN of the NS for a signer.
  • signer-tsigkey:<name>: The name of the TSIG key to use.
  • signer-desec:<name>: The name of the deSEC.io token to use.
  • signer-leaving:<name>: Exists if the signer is leaving the group.
  • parent:<fqdn>: The <host|ip>:port of the parent of a group.
  • group-ttl:<fqdn>: The TTL to use when creating new resource records for a group.
  • group-dnskeys-synced:<fqdn>: Exists if the DNSKEYs are synced within a group.
  • group-cdscdnskeys-synced:<fqdn>: Exists if the CDS/CDNSKEYs are synced within a group.
  • group-nses-synced:<fqdn>: Exists if the NSes are synced within a group.
  • group-parent-ds-synced:<fqdn>: Exists if the parent's DS is in sync with the group.
  • group-parent-ns-synced:<fqdn>: Exists if the parent's NS is in sync with the group.
  • group-wait-ds:<fqdn>: An RFC3399 date that exists if the group is waiting for DS records to propagate.
  • group-wait-ns:<fqdn>: An RFC3399 date that exists if the group is waiting for NS records to propagate.
  • automate-stage:<fqdn>: The current stage of the automation.
  • automate-error:<fqdn>: Exists if the automation ran into an error, if so it contains the string of an error.
  • dnskey-origin:<dnskey>: Set during sync when new DNSKEYs are detected, will contain the signer it was seen in.
  • ns-origin:<ns fqdn>: Set during sync when new NSes are detected, will contain the signer it was seen in.
  • tsigkey-<name>: The secret of a TSIG key.
  • desectoken-<name>: The secret of a deSEC.io token.
  • debug-updater: Set to yes to enable debug output of updaters.

Updaters

To update the signers there are different kinds of updaters, using the Updater interface.

Available updaters:

  • nsupdate: Uses dynamic updates to change zone information, requires a valid TSIG key to be configured.
  • desec: Uses deSEC.io API, not implemented yet.

Automation Stages

Following automation stages exists.

  • ready: The group is ready for to receive changes.

  • manual: Can be used to mark a group as manually changed.

  • error: The automation encountered an error, see command automate-error.

  • join-sync-dnskeys: A new signer has joined and the DNSKEYs needs to be synced.

  • join-dnskeys-synced: Check that the DNSKEYs are in sync.

  • join-sync-cdscdnskeys: The CDS/CDNSKEYs needs to be created/synced.

  • join-cdscdnskeys-synced: Check that the CDS/CDNSKEYs are in sync.

  • join-parent-ds-synced: Check that the parent's DS are in sync.

  • join-remove-cdscdnskeys: Remove CDS/CDNSKEYs.

  • join-wait-ds: Wait for DS to propagate.

  • join-sync-nses: The NSes needs to be created/synced.

  • join-nses-synced: Check that the NSes are in sync.

  • join-add-csync: Add CSYNC.

  • join-parent-ns-synced: Check that the parent's NS are in sync.

  • join-remove-csync: Remove CSYNC.

  • leave-sync-nses: A signer is leaving and the NSes needs to be synced.

  • leave-nses-synced: Check that the NSes are in sync.

  • leave-add-csync: Add CSYNC.

  • leave-parent-ns-synced: Check that the parent's NS are in sync.

  • leave-remove-csync: Remove CSYNC.

  • leave-wait-ns: Wait for NS to propagate.

  • leave-sync-dnskeys: The DNSKEYs needs to be removed/synced.

  • leave-dnskeys-synced: Check that the DNSKEYs are in sync.

  • leave-sync-cdscdnskeys: The CDS/CDNSKEYs needs to be created/synced.

  • leave-cdscdnskeys-synced: Check that the CDS/CDNSKEYs are in sync.

  • leave-parent-ds-synced: Check that the parent's DS are in sync.

  • leave-remove-cdscdnskeys: Remove CDS/CDNSKEYs.

Runtime

multi-signer-controller requires -conf to be specified at runtime, you can see all runtime options by using -help.

Running a daemon

multi-signer-controller can be run as a daemon with daemon command, once started another multi-signer-controller can communicate with that daemon by using -remote.

When running as daemon you can also enable the web-based status interface by specifying a HTTP listening address and port using -http.

Commands

All commands help and required parameters can be view using the help command (without dash).

Example: How to run

See EXAMPLE.md.

local go

mkdir -p go/1.16.5; wget -O - https://storage.googleapis.com/golang/go1.16.5.linux-amd64.tar.gz | tar -C go/1.16.5 -zxv
export GOROOT="$HOME/go/1.16.5/go" GOPATH="$HOME/go"
export PATH="$PATH:$GOROOT/bin"

build

make
./multi-signer-controller

Known Issues

  • TSIG keys hardcoded to HMAC-SHA256
  • deSEC.io support not implemented yet

About

Control of a DNSSEC multi-signer group

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

6 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages