plugin/sign: a plugin that signs zone #2993
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thank you for your contribution. I've just checked the OWNERS files to find a suitable reviewer. This search was successful and I've asked superq (via If you have questions or suggestions for this bot, please file an issue against the miekg/dreck repository. The bot understands the commands that are listed here. |
stickler-ci
reviewed
Jul 11, 2019
stp-ip
reviewed
Jul 11, 2019
stp-ip
reviewed
Jul 11, 2019
|
@stp-ip think I fixed your comments. PTAL |
stickler-ci
reviewed
Jul 17, 2019
chrisohaver
reviewed
Jul 17, 2019
|
[ Quoting <notifications@github.com> in "Re: [coredns/coredns] plugin/sign: ..." ]
+Or use a single zone file for *multiple* zones, note that the **ZONES** are repeated for both plugins.
+Also note this outputs *multiple* signed output files. Here we use the default output directory
+`/var/lib/coredns`.
+
+~~~ corefile
+. {
+ file /var/lib/coredns/db.example.org.signed example.org
+ file /var/lib/coredns/db.example.net example.net
```suggestion
file /var/lib/coredns/db.example.net.signed example.net
```
applied.
thanks!
|
miekg
force-pushed
the
dnssec-file
branch
4 times, most recently
from
d5ebc4b
to
895c2d3
Compare
stickler-ci
reviewed
Jul 20, 2019
stickler-ci
reviewed
Jul 20, 2019
miekg
force-pushed
the
dnssec-file
branch
3 times, most recently
from
c6f311e
to
12aad48
Compare
Codecov Report
@@ Coverage Diff @@
## master #2993 +/- ##
==========================================
- Coverage 55.83% 55.76% -0.07%
==========================================
Files 206 213 +7
Lines 10417 10747 +330
==========================================
+ Hits 5816 5993 +177
- Misses 4183 4298 +115
- Partials 418 456 +38
Continue to review full report at Codecov.
|
|
OK, this should be relatively ready. Code without test is about 600 lines, which is not too bad. The meat of the thing is in signer.go. I'm running this branch on miek.nl (just for that zone, but I'll add the rest) to see how things go (eyeballing the log). I didn't change the default timers so this will take some while). |
|
It also needs a test to check that if, after startup, the zone needs
resigning because the signatures are almost expired. Currently I believe
this falls back on signer.last being zero, which is not the intent
…On Sun, 21 Jul 2019, 20:25 Codecov, ***@***.***> wrote:
Codecov <https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=h1>
Report
Merging #2993
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=desc> into
master
<https://codecov.io/gh/coredns/coredns/commit/01e13c622e087779d5e0e1e82378333ccca9b1fb?src=pr&el=desc>
will *decrease* coverage by 0.07%.
The diff coverage is 54.6%.
[image: Impacted file tree graph]
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=tree>
@@ Coverage Diff @@
## master #2993 +/- ##
==========================================
- Coverage 56.2% 56.12% -0.08%
==========================================
Files 204 211 +7
Lines 10136 10462 +326
==========================================
+ Hits 5697 5872 +175
- Misses 4025 4139 +114
- Partials 414 451 +37
Impacted Files
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=tree> Coverage
Δ
plugin/sign/sign.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vc2lnbi5nbw==> 0%
<0%> (ø)
plugin/sign/dnssec.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vZG5zc2VjLmdv> 100%
<100%> (ø)
plugin/sign/keys.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24va2V5cy5nbw==> 40.32%
<40.32%> (ø)
plugin/sign/signer.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vc2lnbmVyLmdv> 52.67%
<52.67%> (ø)
plugin/sign/file.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vZmlsZS5nbw==> 54.16%
<54.16%> (ø)
plugin/sign/setup.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vc2V0dXAuZ28=> 64.7%
<64.7%> (ø)
plugin/sign/nsec.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3NpZ24vbnNlYy5nbw==> 72.22%
<72.22%> (ø)
plugin/route53/route53.go
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree#diff-cGx1Z2luL3JvdXRlNTMvcm91dGU1My5nbw==> 84.28%
<0%> (-2.15%) ⬇️
... and 5 more
<https://codecov.io/gh/coredns/coredns/pull/2993/diff?src=pr&el=tree-more>
------------------------------
Continue to review full report at Codecov
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=continue>.
*Legend* - Click here to learn more
<https://docs.codecov.io/docs/codecov-delta>
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=footer>. Last
update 01e13c6...12aad48
<https://codecov.io/gh/coredns/coredns/pull/2993?src=pr&el=lastupdated>.
Read the comment docs <https://docs.codecov.io/docs/pull-request-comments>
.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2993?email_source=notifications&email_token=AACWIWZDCRUQTQDVCIPRFI3QASZZDA5CNFSM4IAWMGO2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2OJ5TI#issuecomment-513580749>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AACWIW5LCL2SL6ZMC7AOZE3QASZZDANCNFSM4IAWMGOQ>
.
|
|
Seeing a lot of transfers happing |
miekg
force-pushed
the
dnssec-file
branch
2 times, most recently
from
2a25c35
to
f7933cb
Compare
|
after some simplifications I've now moved all my signed zones over: We'll see what happens |
miekg
force-pushed
the
dnssec-file
branch
2 times, most recently
from
3e8c0fe
to
03d4a69
Compare
miekg
force-pushed
the
dnssec-file
branch
3 times, most recently
from
2795789
to
817c79e
Compare
|
any problems with merging this? (@stp-ip) Has been running stable on my server. (as said, this needs followup PRs to make delegations work) |
stp-ip
requested changes
Aug 28, 2019
| } | ||
| } | ||
| i++ | ||
| if i > 100 { |
There was a problem hiding this comment.
it should be 1, but the RFC doesn't mandate the SOA being first. 100 seemed like a crazy enough number that makes sense? Open to suggestions.
(I'll add comment on why the current value)
There was a problem hiding this comment.
100 seems reasonable high to catch the edge cases of the SOA not being first I agree.
Comment for the reasoning sounds good. 100 were too arbitrary without a comment in my view.
Sign is a plugin that signs zone data (on disk). The README.md details what exactly happens to should be accurate related to the code. Signs are signed with a CSK, resigning and first time signing is all handled by *sign* plugin. Logging with a test zone looks something like this: ~~~ txt [INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548 [INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748 ~~~ Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
stp-ip
reviewed
Aug 29, 2019
|
Did a few more manual tests and another run on the signer.go file. /lgtm |
Co-Authored-By: Michael Grosser <development@stp-ip.net>
|
lgtm at the end of a line isn't detected. But noted and thanks :) |
|
Damn that was supposed to have a newline ;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Sign is a plugin that signs zone data (on disk). The README.md details
what exactly happens to should be accurate related to the code.
There are a couple of things missing, documented in TODO; these mostly
deal with setup and tear down. But also some more important things like
adding NSEC and not signing glue records. Also more tests need be added.
The current test signs db.miek.nl and puts the result in
db.miek.nl.signed in the current directory.
The change to file/* need to be backed out, once some other changes in
another PR are in - these are just here to make things work now.
Pushing this now if someone feels inclined to review as new plugins are
usually a lot of code at once - currently this is still manageable, I
hope.