plugin/sign: a plugin that signs zone #2993
Conversation
Thank you for your contribution. I've just checked the OWNERS files to find a suitable reviewer. This search was successful and I've asked superq (via If you have questions or suggestions for this bot, please file an issue against the miekg/dreck repository. The bot understands the commands that are listed here.
Still want to go deeper on the code, currently swamped with other stuff, but added a few first thoughts and ideas.
@stp-ip think I fixed your comments. PTAL
[ Quoting <notifications@github.com> in "Re: [coredns/coredns] plugin/sign: ..." ]
+Or use a single zone file for *multiple* zones, note that the **ZONES** are repeated for both plugins.
+Also note this outputs *multiple* signed output files. Here we use the default output directory
+`/var/lib/coredns`.
+
+~~~ corefile
+. {
+ file /var/lib/coredns/db.example.org.signed example.org
+ file /var/lib/coredns/db.example.net example.net
```suggestion
file /var/lib/coredns/db.example.net.signed example.net
```
applied.
thanks!
Codecov Report

```
@@ Coverage Diff @@
## master #2993 +/- ##
==========================================
- Coverage 55.83% 55.76% -0.07%
==========================================
Files 206 213 +7
Lines 10417 10747 +330
==========================================
+ Hits 5816 5993 +177
- Misses 4183 4298 +115
- Partials 418 456 +38
```

Continue to review full report at Codecov.
OK, this should be relatively ready. Code without tests is about 600 lines, which is not too bad. The meat of the thing is in signer.go. I'm running this branch on miek.nl (just for that zone, but I'll add the rest) to see how things go (eyeballing the log). (I didn't change the default timers, so this will take some while.)
It also needs a test to check the case where, after startup, the zone needs resigning because the signatures are almost expired. Currently I believe this falls back on signer.last being zero, which is not the intent.
Seeing a lot of transfers happening.
After some simplifications I've now moved all my signed zones over:
We'll see what happens.
Any problems with merging this? (@stp-ip) Has been running stable on my server. (As said, this needs follow-up PRs to make delegations work.)
/lgtm
Added a few comments.
Will try to carve out some additional time to do another run over signer.go and test a few more things.
} | ||
} | ||
i++ | ||
if i > 100 { |
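Review bot: the cutoff in `if i > 100 {` is a bare magic number at the point where the scan for the SOA gives up. The comment thread below records the reason (the RFC does not require the SOA to be the first record, so the loop scans a bounded number of records before bailing out); that reasoning belongs in a comment next to the check, and a named constant for the bound plus an explicit error when it is exceeded would make both the intent and the failure mode visible to the next reader.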
Why specifically 100 records?
It should be 1, but the RFC doesn't mandate the SOA being first. 100 seemed like a crazy enough number that makes sense? Open to suggestions.
(I'll add a comment on why the current value.)
100 seems reasonably high to catch the edge cases of the SOA not being first, I agree.
A comment for the reasoning sounds good. 100 was too arbitrary without a comment in my view.
Sign is a plugin that signs zone data (on disk). The README.md details what exactly happens and should be accurate with respect to the code. Zones are signed with a CSK; resigning and first-time signing are all handled by the *sign* plugin. Logging with a test zone looks something like this:

~~~ txt
[INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory
[INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z
[INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548
[INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago
[INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z
[INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748
~~~

Signed-off-by: Miek Gieben <miek@miek.nl>
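Two decisions from this thread are worth seeing in code: the bounded scan for the SOA behind the `if i > 100` check (the SOA does not have to be the first record, but a zone without one in the first hundred records is rejected) and the "Signing ... because ..." decision from the log above, which must not depend on `signer.last` being zero after a restart but on the signatures' own expiration. The example below is added here and is not coredns code; it uses only the Go standard library, and the constants, function names, placeholder signatures and the sample zone are assumptions for illustration (the plugin's actual timers and record layout are not on this page, apart from the 10m0s resign interval visible in the log).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Thresholds are assumptions for this example; only the 10m0s interval appears on the page.
const (
	maxSOAScan   = 100              // stop looking for the SOA after this many records
	resignEvery  = 10 * time.Minute // periodic resign interval
	expiryMargin = 24 * time.Hour   // resign when any RRSIG expires within this window
)

type zoneInfo struct {
	SOAIndex int         // 0-based position of the first SOA record
	Expiries []time.Time // RRSIG expiration times (UTC)
}

// rrType returns a one-line record's type token and the rdata after it, skipping owner, TTL and class.
func rrType(fields []string) (string, []string) {
	for j := 1; j < len(fields); j++ {
		if _, err := strconv.Atoi(fields[j]); err == nil || fields[j] == "IN" {
			continue // TTL or class
		}
		return fields[j], fields[j+1:]
	}
	return "", nil
}

// parseSignedZone requires the SOA within the first maxSOAScan records (it need not be first) and
// collects every RRSIG expiration. One record per line; multi-line records are out of scope here.
func parseSignedZone(zone string) (zoneInfo, error) {
	info := zoneInfo{SOAIndex: -1}
	i := 0
	for _, line := range strings.Split(zone, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == ';' || line[0] == '$' {
			continue // blank, comment or directive
		}
		typ, rdata := rrType(strings.Fields(line))
		switch typ {
		case "":
			return info, fmt.Errorf("malformed record: %q", line)
		case "SOA":
			if info.SOAIndex == -1 {
				info.SOAIndex = i
			}
		case "RRSIG":
			// rdata: type-covered alg labels origttl expiration inception keytag signer sig
			if len(rdata) < 5 {
				return info, fmt.Errorf("short RRSIG: %q", line)
			}
			exp, err := time.Parse("20060102150405", rdata[4])
			if err != nil {
				return info, fmt.Errorf("bad RRSIG expiration in %q: %v", line, err)
			}
			info.Expiries = append(info.Expiries, exp)
		}
		i++
		if info.SOAIndex == -1 && i > maxSOAScan {
			break // the SOA need not be first, but this far in without one is not a usable zone
		}
	}
	if info.SOAIndex == -1 {
		return info, fmt.Errorf("no SOA within the first %d records", maxSOAScan)
	}
	return info, nil
}

// resignReason gives a non-empty reason when the zone must be signed now; the expiry check
// does not depend on last, so a zero last (fresh start) alone decides nothing.
func resignReason(signedFileExists bool, last time.Time, info zoneInfo, now time.Time) string {
	if !signedFileExists {
		return "signed file does not exist"
	}
	if since := now.Sub(last); !last.IsZero() && since >= resignEvery {
		return fmt.Sprintf("resign was: %s ago", since)
	}
	for _, exp := range info.Expiries {
		if exp.Sub(now) < expiryMargin {
			return fmt.Sprintf("signature expires %s, within %s", exp.Format(time.RFC3339), expiryMargin)
		}
	}
	return ""
}

// sampleZone is constructed; the signature fields are placeholders, not real RRSIGs.
const sampleZone = `miek.nl. 3600 IN SOA ns.miek.nl. hostmaster.miek.nl. 1563637748 7200 3600 1209600 3600
miek.nl. 3600 IN RRSIG SOA 13 2 3600 20190802150906 20190719150906 59725 miek.nl. PLACEHOLDERSIG==
www.miek.nl. 3600 IN A 192.0.2.10
www.miek.nl. 3600 IN RRSIG A 13 3 3600 20190802150906 20190719150906 59725 miek.nl. PLACEHOLDERSIG==
`

func main() {
	info, err := parseSignedZone(sampleZone)
	now := time.Date(2019, 7, 20, 15, 49, 6, 0, time.UTC)
	fmt.Println(info.SOAIndex, len(info.Expiries), err, resignReason(true, now.Add(-11*time.Minute), info, now))
}
```

The point of keeping the expiry loop outside the `last.IsZero()` branch is the startup case raised earlier in the thread: on a fresh start there is no in-memory record of the previous signing, and the decision should come from the RRSIG expiration field in the signed file rather than from a zero timestamp.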
Did a few more manual tests and another run on the signer.go file. /lgtm
Co-Authored-By: Michael Grosser <development@stp-ip.net>
lgtm at the end of a line isn't detected. But noted and thanks :)
Damn, that was supposed to have a newline ;)
Sign is a plugin that signs zone data (on disk). The README.md details
what exactly happens and should be accurate with respect to the code.
There are a couple of things missing, documented in TODO; these mostly
deal with setup and tear down, but also some more important things like
adding NSEC and not signing glue records. Also, more tests need to be added.
The current test signs db.miek.nl and puts the result in
db.miek.nl.signed in the current directory.
The change to file/* needs to be backed out once some other changes in
another PR are in - these are just here to make things work now.
Pushing this now if someone feels inclined to review, as new plugins are
usually a lot of code at once - currently this is still manageable, I
hope.