Open hexchen opened 2 years ago
Thanks for the report. Using the archived dnssec-keymgr repo isn't good either. NLnet Labs has published their own tool for managing keys called LDNS. I will remove bind tools in favor of this. My registrar does not support DNSSEC :( so you will have to test everything once it is done.
systemd[1]: Started DNSSEC key rollover.
nsd-dnssec-start[492709]: /nix/store/57fladh8c6dnzcva1fy7qq9wik5vw0bq-unit-script-nsd-dnssec-start/bin/nsd-dnssec-start: line 7: /nix/store/3h8ayi2ksj6kmfxb1qj8f2wj06a1jiay-bind-9.18.7/bin/dnssec-keymgr: No such file or directory
systemd[1]: nsd-dnssec.service: Main process exited, code=exited, status=127/n/a
I would be happy to test.
Hi. Sorry, I completely forgot about this. I am currently looking into it. LDNS is just a C library for DNS programming. It offers example programs that include everything to set up DNSSEC. It does, however, lack the automatic key management and rollover functionality of BIND's keymgr.
NSD is suggesting(?) to use OpenDNSSEC for policy-based key management, like dnssec-keymgr is doing it. The project, however, seems kinda dead. The wiki with all the documentation does not work. The source repo, however, has seen some kind of activity.
I still can't use DNSSEC so my knowledge about it is minimal. Does one of you know any best practices regarding DNSSEC and NSD? Should we use OpenDNSSEC or the simple LDNS tools and dismiss key rollover / mimic it somehow? Is there another, better tool that is broadly used?
Do you have examples for using/setting it up?
Thanks for the pointer to OpenDNSSEC! Can't believe I've missed that. The wiki at https://wiki.opendnssec.org/ indeed gives a 503 atm but that might have no relation with the state of the project itself.
It seems that in NixOS only the LDNS library (and the binary 'drill') is built, not the example tools that are included in the source: https://www.nlnetlabs.nl/projects/ldns/documentation/ These example tools might actually be of use: I had to install 'bind' now for tools like 'dnssec-keygen'.
I'll give it a try next week, and get back if I have something to show.
The examples are packaged in the ldns.examples output.
Hey all. Any pointers / any progress on how to solve this?
I have an ugly fix ... In the file nixos/modules/services/networking/nsd.nix
replace the single line
dnssecTools = pkgs.bind.override { enablePython = true; };
with this big hack
dnssecTools =
  (pkgs.bind.overrideAttrs (_: rec {
    pname = "bind";
    version = "9.16.50";
    patches = [];
    outputs = ["out"]; # These two lines are needed because without them, I get this error:
    postInstall = ""; # error: cycle detected in build of ... in the references of output 'dev' from output 'out'
    postFixup = ''
      sitepackages=$(find $out/lib -name site-packages -print)
      substituteInPlace $out/bin/dnssec-keymgr \
        --replace-fail \
        'import isc.keymgr' \
        "$(printf '%s\n%s\n' \
          'sys.path.insert(1, "'$sitepackages'")' \
          'import isc.keymgr')"
    '';
    src = pkgs.fetchurl {
      url = "https://downloads.isc.org/isc/bind9/${version}/${pname}-${version}.tar.xz";
      hash = "sha256-gW26o8EVAZ8w/OvZ6O+Pdjf0rd6Rx52qCZsDUlWhV5U=";
    };
  }))
  .override {enablePython = true;};
I have no idea how it worked without the fixup step before.
If anyone knows a better way to fix up the reference to the Python library built by the package, let me know.
It would probably be best to switch to using ldns.examples ... it might be difficult to recreate the exact same options the module has now.
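As an added alternative to the substituteInPlace step in the override above (an editor's example, not code from the thread or from nixpkgs), the Python package directory can be handed to the script through PYTHONPATH using nixpkgs' makeWrapper instead of patching the import line. It assumes the same bind 9.16.50 source and that find locates a single site-packages directory under $out/lib.

```nix
dnssecTools =
  (pkgs.bind.overrideAttrs (old: rec {
    pname = "bind";
    version = "9.16.50";
    patches = [];
    outputs = ["out"];   # same single-output workaround as the override above
    postInstall = "";
    # makeWrapper supplies wrapProgram (assumption: bind does not already pull it in)
    nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ pkgs.makeWrapper ];
    postFixup = ''
      # Locate the isc python package installed by the bind build (first hit only)
      sitepackages=$(find $out/lib -name site-packages -type d -print -quit)
      # Prepend it to PYTHONPATH for this script alone; the script body stays untouched,
      # so 'import isc.keymgr' resolves without editing the source
      wrapProgram $out/bin/dnssec-keymgr --prefix PYTHONPATH : "$sitepackages"
    '';
    src = pkgs.fetchurl {
      url = "https://downloads.isc.org/isc/bind9/${version}/${pname}-${version}.tar.xz";
      hash = "sha256-gW26o8EVAZ8w/OvZ6O+Pdjf0rd6Rx52qCZsDUlWhV5U=";
    };
  }))
  .override { enablePython = true; };
```

After a rebuild, running the resulting dnssec-keymgr with --help from the store path is a quick check that the wrapper finds the isc module before the nsd-dnssec unit is restarted.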
Great stuff, thanks for the reply. I have since moved on to using Knot DNS (the other non-BIND nameserver used on root servers), and it worked wonderfully for me, no workarounds needed.
Describe the bug
BIND 9.18.0 removed the Python-based dnssec-keymgr, leading to failures in the nsd-dnssec unit.
Steps To Reproduce
Enable dnssec handling via
services.nsd.zones.<name>.dnssec
Expected behavior
DNSSEC is properly handled
Additional context
The deprecation of the dnssec-keymgr tool is documented here: https://downloads.isc.org/isc/bind9/9.18.2/doc/arm/html/notes.html#removed-features
Potential fix: package up https://gitlab.isc.org/isc-projects/dnssec-keymgr and use it instead of the no-longer included tools.
Notify maintainers
@hrdinka
Metadata
current nixpkgs hash: 1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887