Add DoT support for DNS updates #7678

4 changes: 4 additions & 0 deletions src/config/SSSDConfig/sssdoptions.py
@@ -205,6 +205,10 @@ def __init__(self):
'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server': _("Override the DNS server used to perform the DNS update"),
'dyndns_dot': _("Use DNS over TLS for nsupdate"),
'dyndns_dot_cacert': _("The file of the certificate authorities certificates for DoT"),
'dyndns_dot_cert': _("The certificate(s) file for authentication for the DoT transport"),
'dyndns_dot_key': _("The key file for authenticated encryption for the DoT transport"),
'subdomain_enumerate': _('Control enumeration of trusted domains'),
'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
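Review bot: the three new file-option descriptions should say precisely what each file is; "The file of the certificate authorities certificates" reads awkwardly, and "The key file for authenticated encryption" is misleading, since the key is the client's private key used for mutual TLS (it is paired with dyndns_dot_cert in the argument builder), not a key for "authenticated encryption". Suggested wording: "CA certificate bundle (PEM) used to verify the DoT server", "Client certificate (PEM) for mutual TLS over DoT" and "Client private key (PEM) for mutual TLS over DoT".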
8 changes: 8 additions & 0 deletions src/config/SSSDConfigTest.py
@@ -566,6 +566,10 @@ def testListOptions(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
@@ -926,6 +930,10 @@ def testRemoveProvider(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
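Review bot: both hunks only extend the expected option-name lists, so the schema tests will keep passing, but nothing in this PR exercises the behaviour that actually changes, the -S/-A/-E/-K argument building in be_nsupdate_args and its rejection of a certificate without a key (or vice versa). A C-side unit test calling be_nsupdate_args with use_dot false, with use_dot true and only a CA file, with a full cert/key pair, and with only one of cert/key set would cover those paths.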
4 changes: 4 additions & 0 deletions src/config/cfg_rules.ini
@@ -442,6 +442,10 @@ option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_auth_ptr
option = dyndns_server
option = dyndns_dot
option = dyndns_dot_cacert
option = dyndns_dot_cert
option = dyndns_dot_key

# files provider specific options
option = passwd_files
4 changes: 4 additions & 0 deletions src/config/etc/sssd.api.conf
@@ -215,6 +215,10 @@ dyndns_update_ptr = bool, None, false
dyndns_force_tcp = bool, None, false
dyndns_auth = str, None, false
dyndns_server = str, None, false
dyndns_dot = bool, None, false
dyndns_dot_cacert = str, None, false
dyndns_dot_cert = str, None, false
dyndns_dot_key = str, None, false

# Special providers
[provider/permit]
65 changes: 65 additions & 0 deletions src/man/sssd-ad.5.xml
@@ -1356,6 +1356,71 @@ ad_gpo_map_deny = +my_pam_service
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot (boolean)</term>
<listitem>
<para>
This option enables DNS-over-TLS protocol for DNS
updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Default: False (use the traditional DNS protocol)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
Contributor:

Will it be possible to specify a directory? OpenSSL in CentOS Stream 10 and Fedora 41+ is switching to default not using a single file CA bundle due to performance issues, so we should expect people wanting to use a directory of certs as well for custom bundles.

<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achive mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />

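Review bot: the dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key entries should state that they are ignored unless dyndns_dot is True, because be_nsupdate_args only emits -A/-E/-K inside the use_dot branch; as written a reader could set a cert and key and expect TLS. Other points in this hunk: "achive" in the dyndns_dot_cert paragraph should be "achieve"; "The key file for authenticated encryption" under dyndns_dot_key should say it is the client private key matching dyndns_dot_cert for mutual TLS; "check the man nsupdate before enabling it" would be more useful as the minimum nsupdate/BIND version whose -S, -A, -E and -K options this code relies on; and since DoT runs over TCP, a sentence that dyndns_force_tcp has no additional effect when dyndns_dot is enabled would save questions. The contributor's question above about directory CA paths also belongs in the dyndns_dot_cacert text once it is settled, i.e. whether a directory is accepted depends on what nsupdate -A accepts.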
79 changes: 79 additions & 0 deletions src/man/sssd-ipa.5.xml
@@ -349,6 +349,85 @@
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot (boolean)</term>
<listitem>
<para>
The DNS
update. In most setups, it's recommended to leave
this option unset.
</para>
<para>
Default: None (let nsupdate choose the server)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot (boolean)</term>
<listitem>
<para>
This option enables DNS-over-TLS protocol for DNS
updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Default: False (use the traditional DNS protocol)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achive mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>ipa_access_order (string)</term>
<listitem>
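Review bot: the first added varlistentry is a broken copy: its term is dyndns_dot (boolean) but its body starts mid-sentence ("The DNS update. In most setups, it's recommended to leave this option unset.") and its default line, "None (let nsupdate choose the server)", is the dyndns_server text, after which dyndns_dot appears a second time with the correct description. Delete that first block. The remaining four entries repeat sssd-ad.5.xml word for word, typo "achive" included; moving them into a shared include under src/man/include/ and pulling it in with xi:include, as the override_homedir.xml and homedir_substring.xml lines in the AD page already do, would keep the two man pages from drifting.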
4 changes: 4 additions & 0 deletions src/providers/ad/ad_opts.c
@@ -325,6 +325,10 @@ struct dp_option ad_dyndns_opts[] = {
{ "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_dot_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};

71 changes: 66 additions & 5 deletions src/providers/be_dyndns.c
@@ -971,13 +971,21 @@ struct be_nsupdate_state {
static void be_nsupdate_done(struct tevent_req *subreq);
static char **be_nsupdate_args(TALLOC_CTX *mem_ctx,
enum be_nsupdate_auth auth_type,
bool force_tcp);
bool force_tcp,
bool use_dot,
const char *dot_cacert,
const char *dot_cert,
const char *dot_key);

struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
enum be_nsupdate_auth auth_type,
char *nsupdate_msg,
bool force_tcp)
bool force_tcp,
bool use_dot,
const char *dot_cacert,
const char *dot_cert,
const char *dot_key)
{
int pipefd_to_child[2] = PIPE_INIT;
pid_t child_pid;
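Review bot: be_nsupdate_send grows to nine parameters, four of which always travel together; a small struct (say a struct holding use_dot, cacert, cert and key) would keep the signature stable if another TLS setting is needed later, for example an expected server name when dyndns_server is an address. Separately, the only call site updated in this diff is the internal call to be_nsupdate_args; the external callers of be_nsupdate_send that still pass the old five-argument form, and the code that reads the new DP_OPT_DYNDNS_DOT* options out of the dp_option array and hands them to this function, are not in the visible changes, so the series cannot build or do anything as posted and presumably needs those follow-up hunks before it leaves draft.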
@@ -1025,7 +1033,8 @@ struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx,
}
}

args = be_nsupdate_args(state, auth_type, force_tcp);
args = be_nsupdate_args(state, auth_type, force_tcp,
use_dot, dot_cacert, dot_cert, dot_key);
if (args == NULL) {
ret = ENOMEM;
goto done;
@@ -1070,12 +1079,18 @@ struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx,
static char **
be_nsupdate_args(TALLOC_CTX *mem_ctx,
enum be_nsupdate_auth auth_type,
bool force_tcp)
bool force_tcp,
bool use_dot,
const char *dot_cacert,
const char *dot_cert,
const char *dot_key)
{
char **argv;
int argc = 0;
bool have_dot_cert;
bool have_dot_key;

argv = talloc_zero_array(mem_ctx, char *, 6);
argv = talloc_zero_array(mem_ctx, char *, 13);
if (argv == NULL) {
return NULL;
}
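Review bot: the new array size 13 is a hand-counted magic number (the previous 6 plus the up to seven new entries -S, -A file, -E file, -K file); talloc_zero_array gives no protection against a later argv[argc] write past the end, so a comment spelling out the count, or a named constant beside the function, would stop the next flag from silently overflowing the array.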
@@ -1129,6 +1144,48 @@ be_nsupdate_args(TALLOC_CTX *mem_ctx,
argc++;
}

if (use_dot) {
DEBUG(SSSDBG_FUNC_DATA, "DoT option is set\n");
argv[argc] = talloc_strdup(argv, "-S");
if (argv[argc] == NULL) {
goto fail;
}
argc++;

/* DoT CA cert file */
if (dot_cacert != NULL && dot_cacert[0] != 0) {
argv[argc] = talloc_strdup(argv, "-A");
argv[argc + 1] = talloc_strdup(argv, dot_cacert);
if (argv[argc] == NULL || argv[argc+1] == NULL) {
goto fail;
}
argc += 2;
}

/* DoT cert and key must be set both or none */
have_dot_cert = (dot_cert != NULL && dot_cert[0] != 0);
have_dot_key = (dot_key != NULL && dot_key[0] != 0);
if (have_dot_key != have_dot_cert) {
DEBUG(SSSDBG_OP_FAILURE, "The dyndns_dot_cert and dyndns_dot_key must be set both (or none of them)\n");
goto fail;
}
if (have_dot_cert && have_dot_key) {
/* we have both, key and cert file paths */
argv[argc] = talloc_strdup(argv, "-E");
argv[argc + 1] = talloc_strdup(argv, dot_cert);
if (argv[argc] == NULL || argv[argc+1] == NULL) {
goto fail;
}
argc += 2;

argv[argc] = talloc_strdup(argv, "-K");
argv[argc + 1] = talloc_strdup(argv, dot_key);
if (argv[argc] == NULL || argv[argc+1] == NULL) {
goto fail;
}
argc += 2;
}
}
return argv;

fail:
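Review bot: the cert/key consistency check sits inside the use_dot branch and runs only when an update is attempted, so a dyndns_dot_cert without dyndns_dot_key shows up as a failed update with one SSSDBG_OP_FAILURE line rather than as a configuration error at startup; validating the pair once where the options are read would fail earlier and would not leave the check wedged between the -A and -E argv writes. Within the block, `if (have_dot_cert && have_dot_key)` is redundant after `have_dot_key != have_dot_cert` has already bailed out (`if (have_dot_cert)` suffices), and the index spacing alternates between `argv[argc + 1]` and `argv[argc+1]`. Finally, when use_dot is false any configured CA, cert or key file is silently dropped; a SSSDBG_CONF_SETTINGS-level message there would tell users why TLS is not in effect.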
@@ -1208,6 +1265,10 @@ static struct dp_option default_dyndns_opts[] = {
{ "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_dot_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },

DP_OPTION_TERMINATOR
};
10 changes: 9 additions & 1 deletion src/providers/be_dyndns.h
@@ -60,6 +60,10 @@ enum dp_dyndns_opts {
DP_OPT_DYNDNS_AUTH,
DP_OPT_DYNDNS_AUTH_PTR,
DP_OPT_DYNDNS_SERVER,
DP_OPT_DYNDNS_DOT,
DP_OPT_DYNDNS_DOT_CACERT,
DP_OPT_DYNDNS_DOT_CERT,
DP_OPT_DYNDNS_DOT_KEY,

DP_OPT_DYNDNS /* attrs counter */
};
@@ -109,7 +113,11 @@ struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
enum be_nsupdate_auth auth_type,
char *nsupdate_msg,
bool force_tcp);
bool force_tcp,
bool use_dot,
const char *dot_cacert,
const char *dot_cert,
const char *dot_key);
errno_t be_nsupdate_recv(struct tevent_req *req, int *child_status);

struct tevent_req * nsupdate_get_addrs_send(TALLOC_CTX *mem_ctx,
4 changes: 4 additions & 0 deletions src/providers/ipa/ipa_opts.c
@@ -69,6 +69,10 @@ struct dp_option ipa_dyndns_opts[] = {
{ "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_dot_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
