
Pdnssec #24

Merged
3 commits merged into from Jun 8, 2012

5 participants

@stasic
stasic commented Jun 1, 2012

FEATURE: pdnssec enabled domains
If a Domain is dnssec enabled, or uses features as
e.g. ALSO-NOTIFY, ALLOW-AXFR-FROM, TSIG-ALLOW-AXFR
following has to be executed
pdnssec rectify-zone $domain
todo:
  change install: - add pdnssec_command in config.inc.php
                  - add "GRANT SELECT on domainmetadata to poweradmin"

stasic added some commits Jun 1, 2012
@stasic stasic FEATURE: pdnssec enabled domains b6892df
@stasic stasic unintentionally removed a "=" 685180a
@ghost ghost was assigned Jun 1, 2012
@stasic

this will be caught at the function get_zone_name_from_id itself

function get_zone_name_from_id($zid)
{
        global $db;

        if (is_numeric($zid))
        {
                $result = $db->query("SELECT name FROM domains WHERE id=".$db->quote($zid, 'integer'));
                // MDB2 hands back a PEAR_Error object on failure; calling numRows() on it would be fatal
                if (PEAR::isError($result)) {
                        error($result->getMessage());
                        return false;
                }
                $rows = $result->numRows();
                if ($rows == 1) {
                        $r = $result->fetchRow();
                        return $r["name"];
                } elseif ($rows == 0) {
                        error("Zone does not exist.");
                        return false;
                } else {
                        // id is the primary key of domains, so this branch should be unreachable
                        error(sprintf(ERR_INV_ARGC, "get_zone_name_from_id", "more than one domain found?! whaaa! BAD! BAD! Contact admin!"));
                        return false;
                }
        }
        else
        {
                error(sprintf(ERR_INV_ARGC, "get_zone_name_from_id", "Not a valid domainid: $zid"));
                // callers test the return value, so fail explicitly instead of returning NULL
                return false;
        }
}
@stasic

could you please test this?

@stasic

done checkout latest commit: 111282f

@ghost ghost merged commit 97e3321 into poweradmin:master Jun 8, 2012
@oxc
oxc commented Jul 8, 2012

I don't like the way this is implemented. Calculating the ordername value is trivial (see Rules for filling out fields in database backends), at least for NSEC mode.

The auth column should be editable by the user (except for the SOA entry maybe) using a checkbox, at least in those zones that are dnssec enabled.

EDIT: For example, my poweradmin is running on a different host than my pdns server. Now I would have to install pdns binaries and configure pdns on the webserver, just so that poweradmin can call rectify-zone. That's not really an elegant solution, and I'm not even sure yet if it will work.

@stasic
stasic commented Jul 9, 2012

oxc you are right for just dnssec-stuff, but rectify-zone is also needed if you use things like ALSO-NOTIFY. ALSO-NOTIFY is only performed by using rectify-zone. So with rectify-zone I get more than just dnssec.

@oxc
oxc commented Jul 9, 2012

@stasic: Actually I'm not sure where this information comes from. This is not mentioned in the documentation, and I couldn't see it in a quick source-code check either. Afaict, also-notify is handled by the same mechanism that sends out notifications in the first place. Or am I missing something here? Can you elaborate on this?

@stasic
stasic commented Jul 9, 2012

@oxc: I found this behaviour myself and I got it confirmed on IRC.

@Habbie
Habbie commented Dec 19, 2012

You need gmysql-dnssec (or similar for other backends) to make domainmetadata, like ALSO-NOTIFY, work.

If you have gmysql-dnssec, your zones need to be rectified, either via rectify-zone or by having PowerAdmin put in the right data.

@Habbie
Habbie commented Dec 19, 2012

Also, @oxc, the auth column should not be editable by users. It should be set correctly by PowerAdmin, always.

@oxc
oxc commented Dec 19, 2012

> If you have gmysql-dnssec, your zones need to be rectified, either via rectify-zone or by having PowerAdmin put in the right data.

Yes, exactly. I much prefer the latter, for above-mentioned reasons. Relying on the webserver to be able to call a (correctly-configured) rectify-zone is clearly not a good solution, especially when the manual implementation is not that difficult and well-defined.

> the auth column should not be editable by users. It should be set correctly by PowerAdmin, always.

Are you sure? Why is there an auth field then in the first place? What would be the exact rules to determine when an entry is authoritative and when not?

@Habbie
Habbie commented Dec 19, 2012

The exact rules are at http://doc.powerdns.com/dnssec-modes.html#dnssec-direct-database

(and yes, I'm sure - I wrote that part of the manual).

The auth field is there because determining its value at run time is prohibitively expensive (at least given the current PowerDNS design) so PowerDNS needs it to be in the database. What rectify-zone does, in fact, is fill the auth and, if necessary, ordername fields.

@Habbie
Habbie commented Dec 19, 2012

(Additionally, from powerdns 3.2, rectify-zone might also insert empty non-terminals, also detailed on that page.)

@oxc
oxc commented Dec 19, 2012

Ah, I see, thanks for the explanation. So PowerAdmin could easily fill in the fields exactly like rectify-zone does it, without relying on external tools.
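Habbie's description of what rectify-zone fills in (auth, ordername, and from 3.2 the empty non-terminals) and oxc's suggestion that PowerAdmin compute those columns itself, as an added Python example that is not PowerAdmin's or PowerDNS's code: it implements the NSEC-mode rules from the linked documentation page (relative name reversed and lowercased with spaces for ordername; auth=0 for NS at a delegation and for glue under it, while the DS at the delegation point stays auth=1). The empty-non-terminal handling (same auth rule, rows keyed under a constructed pseudo-type 'ENT') and the (name, type) input shape are assumptions of this example.

```python
# Added example (not PowerAdmin's or PowerDNS's code): compute what "pdnssec rectify-zone"
# writes into the ordername and auth columns of a zone in NSEC mode, plus the empty
# non-terminals PowerDNS 3.2+ inserts, so a frontend can fill the columns itself.
from typing import Dict, List, Tuple

Record = Tuple[str, str]  # (owner name, record type) as stored in the records table


def relative_labels(name: str, zone: str) -> List[str]:
    """Labels of name below the apex: www.uk.example.com / example.com -> ['www', 'uk']."""
    name, zone = name.lower().rstrip('.'), zone.lower().rstrip('.')
    if name == zone:
        return []
    if not name.endswith('.' + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    return name[:-len(zone) - 1].split('.')


def nsec_ordername(name: str, zone: str) -> str:
    """NSEC ordername: relative part, reversed, lowercased, dots replaced by spaces."""
    return ' '.join(reversed(relative_labels(name, zone)))


def rectify_nsec(zone: str, records: List[Record]) -> Dict[Record, Tuple[str, int]]:
    """Map every (name, type) to (ordername, auth); ENT rows use the pseudo-type 'ENT'."""
    zone = zone.lower().rstrip('.')
    recs = [(n.lower().rstrip('.'), t.upper()) for n, t in records]
    names = {n for n, _ in recs}
    # delegation points: names below the apex that carry NS records
    delegations = {n for n, t in recs if t == 'NS' and n != zone}

    def below_delegation(name: str) -> bool:
        labels = relative_labels(name, zone)
        # the name itself and each ancestor up to (not including) the apex
        return any('.'.join(labels[i:] + [zone]) in delegations for i in range(len(labels)))

    result: Dict[Record, Tuple[str, int]] = {}
    for name, rtype in recs:
        # auth=0 for NS at a delegation and everything under it (glue); the DS at the
        # delegation point stays auth=1 because the parent zone is authoritative for it
        auth = 0 if below_delegation(name) and not (rtype == 'DS' and name in delegations) else 1
        result[(name, rtype)] = (nsec_ordername(name, zone), auth)
    # empty non-terminals: ancestors of existing names that have no records of their own
    # (assumption: they follow the same auth rule as ordinary records)
    for name in names:
        labels = relative_labels(name, zone)
        for i in range(1, len(labels)):
            ent = '.'.join(labels[i:] + [zone])
            if ent not in names and (ent, 'ENT') not in result:
                result[(ent, 'ENT')] = (nsec_ordername(ent, zone), 0 if below_delegation(ent) else 1)
    return result
```

The returned map is what an UPDATE of the ordername and auth columns (and an INSERT for each 'ENT' row) would need to write for the zone.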

@Habbie
Habbie commented Dec 21, 2012

Yes, that would certainly be best!

@ThomasLobker

There is another problem in this fix. For a DNSSEC enabled PDNS server, all the zones need to be rectified after editing (not just the signed zones), or else the replication will fail. Rectifying a zone can do no harm, so I would suggest just doing a rectify-zone every time you edit a zone. Only if the host has been configured as DNSSEC enabled, of course.

--- ./inc/record.inc.php.orig   2012-11-13 07:26:00.000000000 +0100
+++ ./inc/record.inc.php    2013-07-29 13:16:17.921903784 +0200
@@ -1556,14 +1556,7 @@ function do_rectify_zone ($domain_id) {

    $output = array();

-   /* If there is any entry at domainmetadata table for this domain,
-    * we do perform pdnssec rectify-zone $domain */
-   $query = "SELECT COUNT(id) FROM domainmetadata WHERE domain_id = " . $db->quote($domain_id, 'integer');
-   $count = $db->queryOne($query);
-
-   if (PEAR::isError($count)) { error($count->getMessage()); return false; }
-
-    if ($count >= 1 && isset($pdnssec_command)) {
+   if (isset($pdnssec_command)) {
        $domain = get_zone_name_from_id($domain_id);
        $command = $pdnssec_command . " rectify-zone " . $domain;
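Review bot: with the domainmetadata count gone, isset($pdnssec_command) is the only guard left before the unchanged context line `$command = $pdnssec_command . " rectify-zone " . $domain;`, and `$domain` still goes into the shell string unchecked; get_zone_name_from_id() returns false for an unknown id, which would produce a bare `pdnssec rectify-zone` with no zone argument, so test the return value and wrap the name in escapeshellarg() before building the command. Since this branch now runs on every zone edit, also confirm that $pdnssec_command is declared global inside do_rectify_zone() (not visible in this hunk), otherwise the isset() check is always false and no zone is ever rectified.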
@frootmig

I can confirm that the patch from ThomasLobker is required if you want to use Poweradmin (with MySQL backend) and a current DNSSEC enabled pdns version. If you don't, all pdns instances will complain with the error "Should not get here (RECORD|ZONEID): please run pdnssec rectify-zone ZONE" and the query will.

@Habbie
Habbie commented Jan 17, 2014

As a workaround (for zones that are NOT using DNSSEC!!), setting auth=1,ordername=NULL emulates the behaviour of PowerDNS without gmysql-dnssec in the configuration.

@frootmig

I'm using DNSSEC. Pretty cool that all zones are signed automated. Using ThomasLobker's patch.

@ghost ghost added the feature label Feb 26, 2014