Zone signer #911

Merged (51 commits) on Mar 21, 2023

jschlyter
Contributor

Add zone signer with support for NSEC. A default RRset signer with support for KSK/ZSK split is included, but can be overridden if needed.

Collaborator

@bwelling bwelling left a comment

I think this looks good overall, although I haven't tried serving a signed zone to ensure that a validating resolver will be able to verify responses from it.

Resolved review threads: dns/dnssec.py (outdated), tests/test_dnssec.py
@jschlyter jschlyter requested a review from bwelling March 20, 2023 19:24
@jschlyter
Contributor Author

@bwelling I did test signing a zone and verified it with dnssec-verify:

Loading zone '.' from file 'signed.zone'

Verifying the zone using the following algorithms:
- ED25519
Zone fully signed:
Algorithm: ED25519: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked

@rthalley rthalley merged commit 454d21c into rthalley:master Mar 21, 2023
@rthalley
Owner

Thanks!
