Rectify zones via the API #5779

Merged
merged 8 commits into from Oct 18, 2017

@pieterlexis
Member

pieterlexis commented Oct 6, 2017

Short description

This PR adds zone rectification to the API. Work done:

  • Move the pdnsutil rectification code to the DNSSECKeeper
  • Generate DNSSEC keys for a zone when "dnssec" is true in an API POST/PATCH for zones
  • Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
  • Allow setting this metadata via the "api-rectify" param in a Zone object
  • Show "nsec3param" and "nsec3narrow" in Zone API responses
  • Add an "rrsets" request parameter for a zone to skip sending RRSets in the response (Closes #5712)
  • Add checkNSEC3PARAM function
  • Add rectify endpoint in the API

This PR takes a lot of ideas and code from #3417 and subsequent development.

Closes #3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial implementation.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@pieterlexis pieterlexis added this to the auth-4.1.0 milestone Oct 6, 2017

@pieterlexis pieterlexis requested review from zeha and Habbie Oct 6, 2017

Contributor

nils-wisiol commented Oct 7, 2017

@pieterlexis, thank you for completing this! 👍

Contributor

peterthomassen commented Oct 7, 2017

@pieterlexis Does this also allow setting NSEC3 settings?

Member

pieterlexis commented Oct 7, 2017

@pieterlexis Does this also allow setting NSEC3 settings?

yes

pdns/ws-auth.cc (outdated)
}
if (!dk.setNSEC3PARAM(zonename, ns3pr, boolFromJson(document, "nsec3narrow", false))) {
throw ApiException("NSEC3PARAMs provided for zone '" + zonename.toString() +
"' passed our basic sanity checks, but cannot be used with the current backend.");

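Review bot: in the setNSEC3PARAM call, boolFromJson(document, "nsec3narrow", false) falls back to false whenever the key is missing, so a request that supplies NSEC3 parameters without "nsec3narrow" would write narrow mode as off rather than leaving the zone's existing setting alone. Consider defaulting to the zone's current narrow value, or rejecting the request when the key is absent, and state whichever behaviour is chosen in docs/http-api/zone.rst.
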
@zeha

zeha Oct 7, 2017

Collaborator

s/current/hosting/?

@nils-wisiol

nils-wisiol Oct 8, 2017

Contributor

I believe current is the better word here; "hosting" over-specifies the backend and suggests there is more than one backend at a time.

Member

pieterlexis commented Oct 16, 2017

@zeha I think the new commits will satisfy your comments?

@zeha

zeha approved these changes Oct 17, 2017

pieterlexis added some commits Oct 4, 2017

API: Implement conditional rectification
This commit takes a lot of ideas and code from #3417 and subsequent
development and implements the following things:

 - Generate DNSSEC keys for a zone when "dnssec" is true in an API
   POST/PATCH for zones
 - Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
 - Allow setting this metadata via the "api-rectify" param in a Zone
   object
 - Shows "nsec3param" and "nsec3narrow" in Zone API responses
 - Adds an "rrsets" request parameter for a zone to skip sending RRSets
   in the response (Closes #5712)

Closes #3417

Many thanks to Nils Wisiol (@nils-wisiol) for the initial
implementation.

Reuse UeberBackend in DNSSECKeeper::rectifyZone()
But use a full UeberBackend when needed.

Add doRectify bool to DNSSECKeeper::rectifyZone()
This is added so the API can wrap an update to a zone's records *and*
DNSSEC info into a single transaction.

@aerique aerique merged commit b7abf35 into PowerDNS:master Oct 18, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@pieterlexis pieterlexis deleted the pieterlexis:api-rectify-version-2 branch Oct 18, 2017
