From 935eb8fa8dc9172965ed01eaf001548b1d510fc0 Mon Sep 17 00:00:00 2001 From: Qian Lei Date: Wed, 17 Dec 2014 14:31:34 +0800 Subject: dnssec-conf: Add new recipe DNSSEC configuration and priming tool. Dnssec-conf includes a commandline configuration client for Bind and Unbound, known DNSSEC keys, URL's to official publication pages of keys, and harvested keys, as well a script to harvest DNSKEY's from DNS. Signed-off-by: Qian Lei Signed-off-by: Martin Jansa --- .../dnssec-conf/dnssec-conf/dnskey-pull.1 | 118 ++++++++++++++ .../dnssec-conf/dnssec-conf/dnssec-configure.8 | 179 +++++++++++++++++++++ .../dnssec-conf/dnssec-conf_2.02.bb | 39 +++++ 3 files changed, 336 insertions(+) create mode 100644 meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnskey-pull.1 create mode 100644 meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnssec-configure.8 create mode 100644 meta-networking/recipes-support/dnssec-conf/dnssec-conf_2.02.bb diff --git a/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnskey-pull.1 b/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnskey-pull.1 new file mode 100644 index 0000000000..554c686874 --- /dev/null +++ b/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnskey-pull.1 @@ -0,0 +1,118 @@ +'\" t +.\" Title: DNSKEY-PULL +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 7 November 2008 +.\" Manual: User\*(Aqs Manual +.\" Source: User's Manual +.\" Language: English +.\" +.TH "DNSKEY\-PULL" "1" "7 November 2008" "User's Manual" "User\*(Aqs Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +dnskey-pull \- fetch DNSKEY records from a zone, from all sub\-zones or from a webpage +.SH "SYNOPSIS" +.HP \w'\fBdnskey\-pull\fR\ 'u +\fBdnskey\-pull\fR [\-a] [\-t] [\-o\ \fI\fR] [\-s\ \fI\fR] \fIzone\fR \fI[\&.\&.]\fR +.HP \w'\fBdnskey\-pull\fR\ 'u +\fBdnskey\-pull\fR [\-o\ \fI\fR] \fIurl\fR \fI[\&.\&.]\fR +.SH "DESCRIPTION" +.PP +\fBdnskey\-pull\fR +obtains Key\-Signing\-Key (KSK) DNSKEY records for use as +\fItrust\-anchor\fR +with recursing nameserver that are setup to use +\fBDNSSEC\&.\fR +.PP +dnskey\-pull itself performs no DNSSEC validation\&. dnskey\-pull pulls KSK DNSKEY records for a single zone but can also be told, if it has +\fIzone\-transfer\fR +(AXFR) permission, to lookup KSK DNSKEY records for all NS records found in a zone\&. This latter feature can be used to find new DNSKEY\*(Aqs in TLD\*(Aqs\&. +.PP +The output of this command can be directly included in the configuration files for the +\fBBind\fR +and +\fBUnbound\fR +recursing nameservers as DNSSEC trust anchor\&. +.PP +dnskey\-pull ignores the system\*(Aqs +/etc/resolv\&.conf +setting for domain appending, and treats all zone arguments as FQDN\&. It does use the system\*(Aqs resolver settings for recursive lookups\&. +.SH "OPTIONS" +.PP +\fB\-a\fR +.RS 4 +Use a zone\-transfer (AXFR) to find all NS records in a zone and return any DNSKEY records found for these NS records in +\fItrusted\-key\fR +format\&. Note that AXFR is often blocked on nameservers\&. +.RE +.PP +\fB\-s\ \&<\fR\fInameserver>\fR +.RS 4 +Use the specified nameserver to perform the zone\-transfer (AXFR)\&. +.RE +.PP +\fB\-t\fR +.RS 4 +Return the resulting DNSKEY\*(Aqs within a +\fItrusted\-key { };\fR +statement, compatible for including with a +\fIbind\fR +or +\fIunbound\fR +nameserver configuration\&. +.RE +.SH "EXAMPLES" +.PP +Get all DNSKEY records for Top Level Domains (TLD\*(Aqs) in the Root ("\&.") zone, using the F root\-server that allows zone\-transfers: +.PP +\fB% dnskey\-pull \-t \-a \-s f\&.root\-servers\&.net \&.\fR +.PP +Get a trusted\-key statement for the xelerance\&.com zone: +.PP +\fB% dnskey\-pull \-t xelerance\&.com\fR +.PP +Get the trusted keys for the TLD\*(Aqs of Sweden, Brasil and Bulgaria: +.PP +\fB% dnskey\-pull se\&. br\&. bg\&.\fR +.PP +Find all secured +\fIENUM\fR +zones: +.PP +\fB% dnskey\-pull \-a \-s ns\-pri\&.ripe\&.net\&. e164\&.arpa\&.\fR +.PP +Find the keys on the webpage of the Brasil NIC: +.PP +\fB% dnskey\-pull https://registro\&.br/ksk/index\&.html\fR +.SH "EXIT STATUS" +.PP +dnskey\-pull returns 0 when it found one or more DNSKEY records, and non\-zero upon finding no DNSKEY records\&. +.SH "SEE ALSO" +.PP +\fBdnssec-configure\fR(1), +\fBsystem-config-dnssec\fR(1), +\fBnamed.conf\fR(8), +\fBunbound.conf\fR(8), +\fBautotrust\fR(8), +\fBunbound-host\fR(8)\&. +.SH "AUTHOR" +.PP +Paul Wouters diff --git a/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnssec-configure.8 b/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnssec-configure.8 new file mode 100644 index 0000000000..48291cb671 --- /dev/null +++ b/meta-networking/recipes-support/dnssec-conf/dnssec-conf/dnssec-configure.8 @@ -0,0 +1,179 @@ +'\" t +.\" Title: DNSSEC-CONFIGURE +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 10 December 2008 +.\" Manual: User\(aas Manual +.\" Source: User\*(Aqs Manual +.\" Language: English +.\" +.TH "DNSSEC\-CONFIGURE" "8" "10 December 2008" "User\*(Aqs Manual" "User\(aas Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +dnssec-configure \- update recursive nameserver configuration options and keys for \fIDNSSEC\fR and \fIDLV\fR\&. Currently Bind (named) and Unbound are supported\&. +.SH "SYNOPSIS" +.HP \w'\fBdnssec\-configure\fR\ 'u +\fBdnssec\-configure\fR [\-u] [\-b] \-\-dnssec=\fIon\fR | \fIoff\fR \-\-dlv=\fIon\fR | \fIoff\fR | \fI\fR [\-\-basedir=\fI\fR] [\-\-norestart] [\-\-nocheck] [\-\-production] [\-\-testing] [\-\-harvest] [\-\-root] +.HP \w'\fBdnssec\-configure\fR\ 'u +\fBdnssec\-configure\fR \-\-show [\-u] [\-b] +.HP \w'\fBdnssec\-configure\fR\ 'u +\fBdnssec\-configure\fR \-u | \-b \-\-set=\fIsecion:optname:optval\fR +.HP \w'\fBdnssec\-configure\fR\ 'u +\fBdnssec\-configure\fR \-u | \-b \-\-query=\fIsecion:optname:optval\fR +.SH "DESCRIPTION" +.PP +dnssec\-configure shows or rewrites the configuration files of the +\fIBind (named)\fR +and/or the +\fIUnbound\fR +nameservers\&. It verifies the configuration before rewriting it, and restarts the nameserver(s) if neccessary\&. +.SH "OPTIONS" +.PP +\fB\-b (\-n)\fR +.RS 4 +Update the +\fIBind (named)\fR +nameserver configuration\&. +.RE +.PP +\fB\-u\fR +.RS 4 +Update the +\fIUnbound\fR +nameserver configuration\&. +.RE +.PP +If neither options are specified, +\fI\-b \-u\fR +is assumed\&. +.PP +\fB\-\-show\fR +.RS 4 +Show the current configuration(s) and do not rewrite any configuration files\&. All other options below are ignored\&. +.RE +.PP +\fB\-\-set=\fR +.RS 4 +Set the options optname to value in the specified section of the configuration file\&. This option cannot be used with \-\-dnssec, \-\-dlv, \-\-query or \-\-show\&. This option can be specified multiple times to set more then one option at once\&. +.RE +.PP +\fB\-\-set=\fR +.RS 4 +Query the setting optname in the specified section of the configuration file\&. This option cannot be used with \-\-dnssec, \-\-dlv, \-\-set or \-\-show\&. This option can be specified multiple times to query more then one option at once\&. +.RE +.PP +\fB\-\-dnssec=\fR +.RS 4 +This option will enable or disable all +\fIDNSSEC\fR +processing by the nameserver\&. When enabled, detected spoofed or otherwise verifiably false DNS answers will not be returned\&. Instead, a +\fISERVFAIL\fR +is returned\&. The application is responsible for further investigation\&. When disabled, classic DNS services run without any advanced protection\&. +.RE +.PP +\fB\-\-dlv=\fR +.RS 4 +This option will enable or disable +\fIDLV\fR, or "DNSSEC Lookaside Verification" (RFC 5074)\&. This is a method for using DNSSEC in TLD\*(Aqs that themselves do not support DNSSEC\&. It works by offloading DNS queries for all TLD\*(Aqs for which no DNSSEC keys are loaded to a DLV Registry\&. The Trusted Key for the DLV Registry must be available\&. The default DLV Registry (when using the value +\fIon\fR, is the +\fBISC DLV\fR +(http://dlv\&.isc\&.org/)i\&. The ISC DLV Key is pre\-installed with this software\&. You can specify your own DLV Registry, but you must make sure the +\fIdlvzone\fR\*(Aqs key is installed in +\fI/etc/pki/dnssec/dlv/dlvzone\&.key\fR\&. +.RE +.PP +\fB\-\-basedir\fR\fI\fR +.RS 4 +The basedir for Trusted Key files\&. The default is +\fI/etc/pki/dnssec\-keys/\fR\&. NOT YET IMPLEMENTED +.RE +.PP +\fB\-\-norestart\fR +.RS 4 +Do not attempt to restart any running DNS resolving nameservers\&. This is for use within initscripts, where dnssec\-configure is called to update the settings from within a DNS server initscript\&. Otherwise this would cause a loop\&. +.RE +.PP +\fB\-\-nocheck\fR +.RS 4 +Do not attempt to run unbound\-checkconf or bind\-checkconf\&. This is required for calls within package managers such as RPM where at least for unbound, we are still missing keys/certs and unbound\-checkconf would return an error\&. We cannot generate keys before running unbound\-checkconf, as we might not have enough entropy resulting in a stalled partial install\&. +.RE +.PP +The following options determine which Trusted Keys to preload with the nameserver software\&. Without Trusted Keys, no DNSSEC verification is possible\&. At some point, when the Root is signed, only one key would need to be preloaded\&. This is not yet the case\&. +.PP +\fB\-\-production\fR +.RS 4 +Include Trusted Keys that are in full production\&. These keys have been analysed by people in the DNS community or have been publicly announced by their TLD to be production ready\&. If no Trusted Keys options are specified, only this setting will be enabled\&. These keys can be found in +\fI/etc/pki/dnssec\-keys/production\&.conf\fR\&. +.RE +.PP +\fB\-\-testing\fR +.RS 4 +Include Trusted Keys that are in testing mode\&. These keys tend to be reasonably stable, or have been found and verified but not officially announced by its TLD\&. These are not included per default\&. These keys can be found in +\fI/etc/pki/dnssec\-keys/testing\&.conf\fR\&. +.RE +.PP +\fB\-\-harvest\fR +.RS 4 +Include Trusted Keys that are harvested and/or added by the local system administrator themselves\&. These keys can be found in +\fI/etc/pki/dnssec\-keys/harvest\&.conf\fR\&. +.RE +.PP +\fB\-\-root\fR +.RS 4 +Include the Trusted Keys for the Root Zone\&. Currently the root is not signed, and there is no root key available\&. A test Root key is available from IANA, but this requires using a separate resolver at IANA\*(Aqs\&. Do not use this option\&. +.RE +.SH "EXAMPLES" +.PP +Enable DNSSEC with production keys and ISC\*(Aqs DLV Registry for all nameserver software found on the machine +.PP +\fB# dnssec\-configure \-\-dnssec=on \-\-dlv=on\fR +.PP +For the Unbound nameserver, enable DNSSEC with production and testing keys, and use dlv\&.xelerance\&.com as the DLV Registry +.PP +\fB# dnssec\-configure \-u \-\-dnssec=on \-\-dlv=dlv\&.xelerance\&.com \-\-production \-\-testing\fR +.PP +For the Bind nameserver, disable dnssec +.PP +\fB# dnssec\-configure \-b \-\-dnssec=off\fR +.SH "REQUIREMENTS" +.PP +One or both of the known DNSSEC capable nameservers, Bind and Unbound, is required\&. To support +\fIRFC 5011\fR +style automatic key updates, the +\fIautotrust\fR +software is needed along with a cron daemon\&. +.SH "TRUSTED KEYS" +.PP +The format of the key files is carefully chosen to be compatible with both Bind and Unbound\&. Key files are stored in individual files so that they can be easilly verified and updated by autotrust\&. The keys are grouped in their respective categories production, testing and harvest\&. If you have local DNSSEC keys you wish to preload, you can add these to one of these three directories and re\-run dnssec\-configure to rebuild the production\&.conf, testing\&.conf and harvest\&.conf files based which are based on the contents of the +\fI/etc/pki/dnssec\-keys/{production,testing,harvest}\fR +directories\&. If you wish to use another DLV, add the key for the DLV zone to +\fI/etc/pki/dnssec\-keys/dlv/dlvzone\&.domain\&.key\fR\&. +.SH "SEE ALSO" +.PP +\fIdnskey\-pull\fR(1), +\fIunbound\-host\fR(1), +\fIsystem\-config\-dnssec\fR(8), +\fIautotrust\fR(8), +\fInamed\&.conf\fR(8), +\fIunbound\&.conf\fR(8)\&. +.SH "AUTHOR" +.PP +Paul Wouters diff --git a/meta-networking/recipes-support/dnssec-conf/dnssec-conf_2.02.bb b/meta-networking/recipes-support/dnssec-conf/dnssec-conf_2.02.bb new file mode 100644 index 0000000000..d915e0825c --- /dev/null +++ b/meta-networking/recipes-support/dnssec-conf/dnssec-conf_2.02.bb @@ -0,0 +1,39 @@ +SUMMARY = "DNSSEC and DLV configuration and priming tool" +DESCRIPTION = "\ +DNSSEC configuration and priming tool. Keys are required until the root \ +is signed, as well as for local unpublished DNSSEC keys to be preloaded \ +into the recursive nameserver. These DNSSEC configuration files can be \ +directly included in the bind or unbound nameserver configuration files. \ +dnssec-conf includes a commandline configuration client for Bind and \ +Unbound, known DNSSEC keys, URL's to official publication pages of keys, \ +and harvested keys, as well a script to harvest DNSKEY's from DNS. \ +See also: system-config-dnssec" +HOMEPAGE = "https://github.com/xelerance/dnssec-conf" +SECTION = "System Environment/Daemons" +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0636e73ff0215e8d672dc4c32c317bb3" + +SRC_URI = "git://github.com/xelerance/dnssec-conf.git \ + file://dnskey-pull.1 \ + file://dnssec-configure.8" +SRCREV = "8e799683736b4a7b5e5e78f98fba0a6f48393537" + +S = "${WORKDIR}/git" + +do_configure () { + sed -i '/^\sxmlto man/s=^=#=' Makefile +} +do_install () { + rm -rf ${D} + mv ${WORKDIR}/dnskey-pull.1 ${WORKDIR}/dnssec-configure.8 ${S} + make PREFIX=${prefix} DESTDIR=${D} ETCDIR=${D}${sysconfdir} install + # We no longer ship trust anchors. Most of these are in the DLV Registry now. + # and it prevents the problem of shipping outdated trust anchors. + # For DLV, we ship the ISC DLV Registry key + rm -rf ${D}${sysconfdir}/pki/dnssec-keys/harvest/* + rm -rf ${D}${sysconfdir}/pki/dnssec-keys/production/reverse/* + install -d -m 0755 ${D}${sysconfdir}/sysconfig + install -m 0644 packaging/fedora/dnssec.sysconfig ${D}${sysconfdir}/sysconfig/dnssec +} + +RDEPENDS_${PN} = "python" -- cgit 1.2.3-korg