Commit 0fb716f1 authored by Daniel Salzman

mod-geoip: add explicit DNSSEC configuration

parent ed5f0c4d
Pipeline #85399 passed with stages in 72 minutes and 6 seconds
......@@ -34,6 +34,8 @@
#define MOD_CONFIG_FILE "\x0B""config-file"
#define MOD_TTL "\x03""ttl"
#define MOD_MODE "\x04""mode"
#define MOD_DNSSEC "\x06""dnssec"
#define MOD_POLICY "\x06""policy"
#define MOD_GEODB_FILE "\x0A""geodb-file"
#define MOD_GEODB_KEY "\x09""geodb-key"
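Review bot: the hand-maintained length prefix on both new name macros is correct ("\x06" for the six-character strings dnssec and policy), which is the part of these definitions that is easiest to get wrong and hardest to spot at compile time; a short comment on the first define in this block reminding maintainers that the prefix must be updated together with the name would help the next person who adds an option here.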
......@@ -57,11 +59,13 @@ static const char* mode_key[] = {
};
const yp_item_t geoip_conf[] = {
{ MOD_CONFIG_FILE, YP_TSTR, YP_VNONE },
{ MOD_TTL, YP_TINT, YP_VINT = { 0, UINT32_MAX, 60, YP_STIME } },
{ MOD_MODE, YP_TOPT, YP_VOPT = { modes, MODE_SUBNET} },
{ MOD_GEODB_FILE, YP_TSTR, YP_VNONE },
{ MOD_GEODB_KEY, YP_TSTR, YP_VSTR = { "country/iso_code" }, YP_FMULTI },
{ MOD_CONFIG_FILE, YP_TSTR, YP_VNONE },
{ MOD_TTL, YP_TINT, YP_VINT = { 0, UINT32_MAX, 60, YP_STIME } },
{ MOD_MODE, YP_TOPT, YP_VOPT = { modes, MODE_SUBNET} },
{ MOD_DNSSEC, YP_TBOOL, YP_VNONE },
{ MOD_POLICY, YP_TREF, YP_VREF = { C_POLICY }, YP_FNONE, { knotd_conf_check_ref } },
{ MOD_GEODB_FILE, YP_TSTR, YP_VNONE },
{ MOD_GEODB_KEY, YP_TSTR, YP_VSTR = { "country/iso_code" }, YP_FMULTI },
{ NULL }
};
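Review bot: `MOD_DNSSEC` is declared with `YP_VNONE` rather than a boolean default, and that absence is what lets the loader distinguish "not set" from "set to off"; a comment on the `{ MOD_DNSSEC, YP_TBOOL, YP_VNONE }` line saying the missing default is intentional would stop a future cleanup from adding one and silently breaking the fallback to the zone's dnssec-signing value. The `MOD_POLICY` item is validated by `knotd_conf_check_ref`, but nothing in this table rejects a `policy` set together with `dnssec: off`, so that combination is accepted and ignored; if that is intended, the documentation should say so.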
......@@ -933,7 +937,10 @@ int geoip_load(knotd_mod_t *mod)
}
// Is DNSSEC used on this zone?
conf = knotd_conf_zone(mod, C_DNSSEC_SIGNING, knotd_mod_zone(mod));
conf = knotd_conf_mod(mod, MOD_DNSSEC);
if (conf.count == 0) {
conf = knotd_conf_zone(mod, C_DNSSEC_SIGNING, knotd_mod_zone(mod));
}
ctx->dnssec = conf.single.boolean;
if (ctx->dnssec) {
int ret = knotd_mod_dnssec_init(mod);
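Review bot: the comment `// Is DNSSEC used on this zone?` is now stale, because the module's own `dnssec` option takes precedence and the zone's `dnssec-signing` value is only consulted when the option is absent (`conf.count == 0`); something like `// Module dnssec option first, zone dnssec-signing as fallback` would match the new logic. This hunk also does not show where `MOD_POLICY` is consumed, so it is worth confirming that `knotd_mod_dnssec_init` picks up the module policy rather than the zone policy when `dnssec: on` is set explicitly, since the documentation in this same commit promises that behaviour.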
......
......@@ -18,8 +18,15 @@ The module can be enabled only per zone.
DNSSEC support
--------------
There are two ways to enable DNSSEC signing of tailored responses.
If automatic DNSSEC signing is enabled, record signatures are precomputed when the module is loaded.
There are several ways to enable DNSSEC signing of tailored responses.
Full zone signing
.................
If :ref:`automatic DNSSEC signing <zone_dnssec-signing>` is enabled,
the whole zone is signed by the server and all alternative RRsets, which are responded
by the module, are pre-signed when the module is loaded.
This has a speed benefit, however note that every RRset configured in the module should
have a **default** RRset of the same type contained in the zone, so that the NSEC(3)
chain can be built correctly. Also, it is STRONGLY RECOMMENDED to use
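Review bot: in `all alternative RRsets, which are responded by the module, are pre-signed`, "responded by the module" reads awkwardly; suggest `all alternative RRsets served by the module are pre-signed when the module is loaded`. The new lead sentence `There are several ways to enable DNSSEC signing` introduces exactly three subsections (Full zone signing, Module signing, Online signing), so "three ways" would be more precise than "several".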
......@@ -28,10 +35,41 @@ as the corresponding zone has to be reloaded when the signing key changes and to
have better control over key synchronization to all instances of the server.
.. NOTE::
If the GeoIP module is used with automatic DNSSEC signing, the keys for computing record signatures
MUST exist or be generated before the server is launched, otherwise the module fails to
DNSSEC keys for computing record signatures MUST exist in the KASP database
or be generated before the module is launched, otherwise the module fails to
compute the signatures and does not load.
Module signing
..............
If :ref:`automatic DNSSEC signing <zone_dnssec-signing>` is disabled,
it's possible to combine externally pre-signed zone with module pre-signing
of the alternative RRsets when the module is loaded. In this mode, only ZSK
has to be present in the KASP database. Also in this mode every RRset configured
in the module should have a **default** RRset of the same type contained in the zone.
Example:
::
policy:
- id: presigned_zone
manual: on
unsafe-operation: no-check-keyset
mod-geoip:
- id: geo_dnssec
...
dnssec: on
policy: presigned_zone
zone:
- domain: example.com.
module: mod-geoip/geo_dnssec
Online signing
..............
Alternatively, the :ref:`geoip<mod-geoip>` module may be combined with the
:ref:`onlinesign<mod-onlinesign>` module and the tailored responses can be signed
on the fly. This approach is much more computationally demanding for the server.
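Review bot: the example sets `unsafe-operation: no-check-keyset` without explaining why it is needed; since the text says only the ZSK has to be present in the KASP database, the paragraph should state that the keyset check is disabled because the KSK is absent from the database (if that is the reason), so readers do not copy an `unsafe-operation` setting without knowing which check they are giving up. Minor wording: `combine externally pre-signed zone` should be `combine an externally pre-signed zone`, and `only ZSK` should be `only the ZSK`. The NOTE's change from `before the server is launched` to `before the module is launched` also shifts the meaning slightly; if the keys must exist at server start rather than at module load, the original wording was the more accurate one.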
......@@ -42,7 +80,10 @@ on the fly. This approach is much more computationally demanding for the server.
Example
-------
* An example configuration.::
An example configuration:
::
mod-geoip:
- id: default
......@@ -167,6 +208,8 @@ Module reference
config-file: STR
ttl: TIME
mode: geodb | subnet | weighted
dnssec: BOOL
policy: policy_id
geodb-file: STR
geodb-key: STR ...
......@@ -211,6 +254,34 @@ Possible values:
*Default:* subnet
.. _mod-geoip_dnssec:
dnssec
......
If explicitly enabled, the module signs positive responses based on the module policy
(:ref:`mod-geoip_policy`). If explicitly disabled, positive responses from the
module are not signed even if the zone is pre-signed or signed by the server
(:ref:`zone_dnssec-signing`).
.. WARNING::
This configuration must be used carefully. Otherwise the zone responses
can be bogus.
DNSKEY rotation isn't supported. So :ref:`policy_manual` mode is highly
recommended.
*Default:* current value of :ref:`zone_dnssec-signing` with :ref:`zone_dnssec-policy`
.. _mod-geoip_policy:
policy
......
A :ref:`reference<policy_id>` to DNSSEC signing policy which is used if
:ref:`mod-geoip_dnssec` is enabled.
*Default:* an imaginary policy with all default values
.. _mod-geoip_geodb-file:
geodb-file
......
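Review bot: the WARNING `Otherwise the zone responses can be bogus` should say what "bogus" means operationally: if the module signs with a policy or keys that do not match the DNSKEY RRset the zone publishes, validating resolvers fail validation and return SERVFAIL for the tailored answers, which is an outage rather than a silent degradation. `an imaginary policy with all default values` under the `policy` default would read better as `an implicit policy with all default values`. Since the first sentence says the module signs positive responses, it would also help to state that denial-of-existence answers are not affected by this option and still depend on the zone's own NSEC(3) chain, consistent with the earlier note that every module RRset needs a default RRset in the zone so that chain can be built.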