Add DoT support for DNS updates #7678

Draft. Wants to merge 1 commit into base: master
Conversation

@thalman (Contributor) commented Nov 1, 2024

DNS-over-TLS is a new standard for encrypting DNS traffic.

SSSD does not implement DoT itself but relies on other components of the system. This modification allows us to set DoT for dynamic DNS updates.

:config: A new set of options dyndns_dot, dyndns_dot_cacert,
dyndns_dot_cert and dyndns_dot_key allows enabling
DNS-over-TLS for DNS updates.

:relnote: DoT for dynamic DNS updates is now supported.
It requires a new version of nsupdate from BIND 9.20.3+

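A pre-flight check for the options introduced by this PR, written for this page as an added example (it is not SSSD code and not part of the PR). Beyond what the PR states, it assumes that `nsupdate -V` prints a line beginning `nsupdate <version>`, that `dyndns_update` is the existing SSSD switch for dynamic updates, and the certificate paths are placeholders; the option names `dyndns_dot`, `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key` are taken from the PR description.

```shell
#!/bin/sh
# Added example, not from the SSSD project or this PR.
# Checks the runtime prerequisite for DoT dynamic DNS updates (nsupdate from
# BIND 9.20.3+) and renders an sssd.conf fragment using the new options.
# Assumption: `nsupdate -V` prints "nsupdate <version>" as its first line.

# Return 0 if dotted version $1 is >= dotted version $2 (missing parts are 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Extract "9.20.3" from nsupdate -V output given as $1; tolerates distro
# suffixes such as "9.20.3-1-Debian". Prints nothing if the line does not match.
nsupdate_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^nsupdate \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the nsupdate -V output in $1 meets the 9.20.3+ requirement
# stated in the PR's release note.
nsupdate_supports_dot() {
    v=$(nsupdate_version_from_output "$1")
    [ -n "$v" ] && version_ge "$v" "9.20.3"
}

# Return 0 when every PEM file given as an argument exists and is readable
# by the caller (run as the user SSSD executes nsupdate as).
dyndns_dot_files_ok() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
}

# Print an sssd.conf [domain/...] fragment enabling DoT for dynamic updates.
# $1 domain section name, $2 CA bundle, $3 client cert, $4 client key (paths
# are placeholders supplied by the caller).
dyndns_dot_fragment() {
    domain=$1 cacert=$2 cert=$3 key=$4
    cat <<EOF
[domain/$domain]
dyndns_update = true
dyndns_dot = true
dyndns_dot_cacert = $cacert
dyndns_dot_cert = $cert
dyndns_dot_key = $key
EOF
}

# Usage on a real host (nsupdate may print its version on stderr, hence 2>&1):
#   out=$(nsupdate -V 2>&1)
#   nsupdate_supports_dot "$out" || { echo "nsupdate too old for DoT" >&2; exit 1; }
#   dyndns_dot_files_ok /etc/pki/tls/certs/ca-bundle.crt \
#       /etc/sssd/pki/client.pem /etc/sssd/pki/client.key &&
#   dyndns_dot_fragment example.com /etc/pki/tls/certs/ca-bundle.crt \
#       /etc/sssd/pki/client.pem /etc/sssd/pki/client.key
```

The version gate exists because the new options are only honoured end to end when the installed `nsupdate` is new enough; on a host with an older BIND the fragment would be accepted by SSSD but the update path described in the PR would not work. Keep the client key readable only by the account SSSD runs `nsupdate` as.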
@thalman thalman requested a review from pbrezina November 1, 2024 14:28
@pbrezina pbrezina self-assigned this Nov 1, 2024
@pbrezina (Member) commented Nov 4, 2024

Hi, this looks pretty straightforward. Code looks good, I will test it.

I will also try to see if we can get dyndns tests into PR CI, but this one might be tricky.

@alexey-tikhonov (Member) commented:

> It requires a new version of nsupdate from BIND 9.20.3+

Is this tested in runtime?

</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
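Review bot: The entry for dyndns_dot_cacert declares its type as (string) but the visible lines do not say what that string must be: a path to a single CA bundle file, or a directory of certificates. State the accepted form explicitly in the option's description, and if only a single file is accepted, say so, since the option name alone does not make this clear to administrators on systems whose default trust store is directory-based.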
Contributor commented:

Will it be possible to specify a directory? OpenSSL in CentOS Stream 10 and Fedora 41+ is switching to default not using a single file CA bundle due to performance issues, so we should expect people wanting to use a directory of certs as well for custom bundles.

4 participants