[PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver

  • Open
  • quality assurance status badge
Details
2 participants
  • Dale Mellor
  • Leo Nikkilä
Owner
unassigned
Submitted by
Leo Nikkilä
Severity
normal
L
L
Leo Nikkilä wrote on 20 Jan 22:23 +0100
(address . guix-patches@gnu.org)(name . Leo Nikkilä)(address . hello@lnikki.la)
20240120212542.17473-1-hello@lnikki.la
The default DNSSEC trust anchors for knot-resolver are currently
disabled through a build phase, but configured when you use the default
kresd.conf file provided by Guix.

If you write your own configuration, you might expect kresd to have
DNSSEC enabled by default since this is what upstream does [1]. On Guix,
DNSSEC is disabled unless you provide the same custom path in your own
configuration and install the file into the appropriate location.

This set updates the package to be built with the correct path as the
default, and the service to use that path and install the default trust
anchors at activation time when missing.


Leo Nikkilä (2):
gnu: knot-resolver: Re-enable default DNSSEC trust anchors.
services: knot-resolver: Use default DNSSEC trust anchors.

gnu/packages/dns.scm | 20 +++++++++++++-------
gnu/services/dns.scm | 17 +++++++++++++----
2 files changed, 26 insertions(+), 11 deletions(-)


base-commit: 9072f27f5d3514be22c6af208f2ad56ef4e112f4
--
2.41.0
L
D
D
Dale Mellor wrote on 23 Apr 17:59 +0200
Consolidating patches under this one issue number
(address . 68621@debbugs.gnu.org)
fad6df9ef4070589d84834ab60d26da71d2296bf.camel@rdmp.org
The patches that follow are:
* two patches which were originally supposed to accompany this issue
* a fix to quieten some guix lint warnings
* a package version micro-bump, to 5.7.2.
D
D
Dale Mellor wrote on 23 Apr 18:12 +0200
[PATCH v2 1/4] gnu: knot-resolver: Re-enable default DNSSEC trust anchors.
(address . 68621@debbugs.gnu.org)
20240423161226.973140-1-guix-devel-0brg6a@rdmp.org
From: Leo Nikkilä <hello@lnikki.la>

* gnu/packages/dns.scm (knot-resolver) [#:configure-flags]: Configure
root keys and managed TA.
[#:phases] Remove `'disable-default-ta', add `'install-root-keys'.
---
gnu/packages/dns.scm | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

Toggle diff (42 lines)
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 36d3eb8b7e..947a6e89ba 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -995,15 +995,13 @@ (define-public knot-resolver
(build-system meson-build-system)
(outputs '("out" "doc"))
(arguments
- '(#:configure-flags '("-Ddoc=enabled")
+ `(#:configure-flags
+ '("-Ddoc=enabled"
+ "-Dinstall_root_keys=disabled" ; installed manually outside store
+ "-Dkeyfile_default=/var/cache/knot-resolver/root.keys"
+ "-Dmanaged_ta=enabled")
#:phases
(modify-phases %standard-phases
- (add-before 'configure 'disable-default-ta
- (lambda _
- ;; Disable the default managed root TA, since we don't have
- ;; write access to the keyfile and its directory in store.
- (substitute* "daemon/lua/sandbox.lua.in"
- (("^trust_anchors\\.add_file.*") ""))))
(add-after 'build 'build-doc
(lambda _
(invoke "ninja" "doc")))
@@ -1021,6 +1019,14 @@ (define-public knot-resolver
'("doc/knot-resolver/examples"
"doc/knot-resolver/html"
"info")))))
+ (add-after 'install 'install-root-keys
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((dir (string-append (assoc-ref outputs "out")
+ "/etc/knot-resolver")))
+ (mkdir-p dir)
+ (install-file (string-append "../knot-resolver-" ,version
+ "/etc/root.keys")
+ dir))))
(add-after 'install 'wrap-binary
(lambda* (#:key inputs outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
--
2.41.0
D
D
Dale Mellor wrote on 23 Apr 18:12 +0200
[PATCH v2 2/4] gnu: knot-resolver: Appease some guix lint complaints.
(address . 68621@debbugs.gnu.org)
20240423161226.973140-2-guix-devel-0brg6a@rdmp.org
From: Dale Mellor <black-hole@rdmp.org>

* gnu/packages/dns.scm (knot-resolver): Add bash-minimal to inputs, re-label
input items to 'lua5.1-bitop' and 'nghttp2:lib'.
---
gnu/packages/dns.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

Toggle diff (26 lines)
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 947a6e89ba..bb86fd34f8 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1051,15 +1051,16 @@ (define-public knot-resolver
python-sphinx-rtd-theme
texinfo))
(inputs
- `(("fstrm" ,fstrm)
+ `(("bash-minimal" ,bash-minimal)
+ ("fstrm" ,fstrm)
("gnutls" ,gnutls)
("knot:lib" ,knot "lib")
("libuv" ,libuv)
("lmdb" ,lmdb)
("luajit" ,luajit)
;; TODO: Add optional lua modules: basexx and psl.
- ("lua-bitop" ,lua5.1-bitop)
- ("nghttp2" ,nghttp2 "lib")
+ ("lua5.1-bitop" ,lua5.1-bitop)
+ ("nghttp2:lib" ,nghttp2 "lib")
("python" ,python)))
(home-page "https://www.knot-resolver.cz/")
(synopsis "Caching validating DNS resolver")
--
2.41.0
D
D
Dale Mellor wrote on 23 Apr 18:12 +0200
[PATCH v2 3/4] services: knot-resolver: Use default DNSSEC trust anchors.
(address . 68621@debbugs.gnu.org)
20240423161226.973140-3-guix-devel-0brg6a@rdmp.org
From: Leo Nikkilä <hello@lnikki.la>

* gnu/services/dns.scm (%kresd.conf): Use default anchors.
(knot-resolver-activation): Install default anchors when missing.
---
gnu/services/dns.scm | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)

Toggle diff (38 lines)
diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..f83c5b6594 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -655,7 +655,6 @@ (define-record-type* <knot-resolver-configuration>
(define %kresd.conf
(plain-file "kresd.conf" "-- -*- mode: lua -*-
-trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
net = { '127.0.0.1', '::1' }
user('knot-resolver', 'knot-resolver')
modules = { 'hints > iterate', 'stats', 'predict' }
@@ -676,10 +675,20 @@ (define %knot-resolver-accounts
(define (knot-resolver-activation config)
#~(begin
(use-modules (guix build utils))
- (let ((rundir "/var/cache/knot-resolver")
- (owner (getpwnam "knot-resolver")))
+ (let* ((rundir "/var/cache/knot-resolver")
+ (keyfile (string-append rundir "/root.keys"))
+ (owner (getpwnam "knot-resolver")))
(mkdir-p rundir)
- (chown rundir (passwd:uid owner) (passwd:gid owner)))))
+ (chown rundir (passwd:uid owner) (passwd:gid owner))
+
+ ;; Install initial trust anchors when missing.
+ (unless (file-exists? keyfile)
+ (copy-file #$(file-append (knot-resolver-configuration-package
+ config)
+ "/etc/knot-resolver/root.keys")
+ keyfile)
+ (chown keyfile (passwd:uid owner) (passwd:gid owner))
+ (chmod keyfile #o755)))))
(define knot-resolver-shepherd-services
(match-lambda
--
2.41.0
D
D
Dale Mellor wrote on 23 Apr 18:12 +0200
[PATCH v2 4/4] gnu: knot-resolver: version to 5.7.2
(address . 68621@debbugs.gnu.org)
20240423161226.973140-4-guix-devel-0brg6a@rdmp.org
From: Dale Mellor <black-hole@rdmp.org>

* gnu/packages/dns.scm (knot-resolver): Version to 5.7.2.
---
gnu/packages/dns.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bb86fd34f8..d8b3606f10 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -984,14 +984,14 @@ (define (move source target file)
(define-public knot-resolver
(package
(name "knot-resolver")
- (version "5.7.1")
+ (version "5.7.2")
(source (origin
(method url-fetch)
(uri (string-append "https://secure.nic.cz/files/knot-resolver/"
"knot-resolver-" version ".tar.xz"))
(sha256
(base32
- "18n3jh17d22xmzpg8syw2dm85vv7jchdc4hzk5x78lqxqqav856s"))))
+ "03wszdrx5wcd0gz9h4p0ggn67n59almnb2h2m38c5m7wj1rj4sjz"))))
(build-system meson-build-system)
(outputs '("out" "doc"))
(arguments
--
2.41.0
D
D
Dale Mellor wrote on 23 Apr 20:33 +0200
[PATCH v2 0/4] Allow use of DNSSEC in knot-resolver service
(address . 68621@debbugs.gnu.org)
41e6590d7cd82331d8782e71782de90f049015ac.camel@rdmp.org
As per previous messages.
?