NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

NSD DNSSec broken after BIND 9.18.0 #169442

Open hexchen opened 2 years ago

hexchen commented 2 years ago

Describe the bug

BIND 9.18.0 removed the python-based dnssec-keymgr, leading to failures in the nsd-dnssec unit.

Apr 20 12:41:12 koryaksky nsd-dnssec-start[4182876]: /nix/store/0rm8aws5rfxj4crab61yzffqldvc6xg2-unit-script-nsd-dnssec-start/bin/nsd-dnssec-start: line 7: /nix/store/57knpqw2siwi6saz3vws91hq33pvsg51-bind-9.18.1/bin/dnssec-keymgr: No such file or directory

Steps To Reproduce

Enable dnssec handling via services.nsd.zones.<name>.dnssec

Expected behavior

dnssec is properly handled

Additional context

The deprecation of the dnssec-keymgr tool is documented here: https://downloads.isc.org/isc/bind9/9.18.2/doc/arm/html/notes.html#removed-features

Potential fix: package up https://gitlab.isc.org/isc-projects/dnssec-keymgr and use it instead of the no-longer included tools.

Notify maintainers

@hrdinka

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.34, NixOS, 22.05 (Quokka), 22.05pre-git`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.7.0`
 - nixpkgs: `/etc/src/nixpkgs`

current nixpkgs hash: 1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887

hrdinka commented 2 years ago

Thanks for the report. Using the archived dnssec-keymgr repo isn’t good either. NLnet Labs has published their own tool for managing keys called LDNS. I will remove bind tools in favor of this. My registrar does not support DNSSec :( so you will have to test everything once it is done.

sanderhollaar commented 2 years ago

systemd[1]: Started DNSSEC key rollover.
nsd-dnssec-start[492709]: /nix/store/57fladh8c6dnzcva1fy7qq9wik5vw0bq-unit-script-nsd-dnssec-start/bin/nsd-dnssec-start: line 7: /nix/store/3h8ayi2ksj6kmfxb1qj8f2wj06a1jiay-bind-9.18.7/bin/dnssec-keymgr: No such file or directory
systemd[1]: nsd-dnssec.service: Main process exited, code=exited, status=127/n/a

I would be happy to test.

hrdinka commented 2 years ago

Hi. Sorry, I completely forgot about this. I am currently looking into it. LDNS is just a C library for DNS programming. It offers example programs that include everything to set up DNSSEC. It does however lack the automatic key management and rollover functionalities of bind's keymgr.

NSD is suggesting(?) to use OpenDNSSEC for policy based key management, like dnssec-keymgr is doing it. The project however, seems kinda dead. The Wiki with all the documentation does not work. The source repo however has seen some kind of activity.

I still can’t use DNSSEC so my knowledge about it is minimal. Does one of you know any best practices regarding DNSSEC and NSD? Should we use OpenDNSSEC or the simple LDNS tools and dismiss key-rollover/mimic it somehow? Is there another better tool that is broadly used?

Do you have examples for using/setting it up?

sanderhollaar commented 2 years ago

Thanks for the pointer to OpenDNSSEC! Can't believe I've missed that. The wiki at https://wiki.opendnssec.org/ indeed gives a 503 atm but that might have no relation with the state of the project itself.

It seems that in NixOS only the LDNS library (and the binary 'drill') is built, not the example tools that are included in the source: https://www.nlnetlabs.nl/projects/ldns/documentation/ These example tools might actually be of use: I had to install 'bind' now for tools like 'dnssec-keygen'.

I'll give it a try next week, and get back if I have something to show.

ncfavier commented 2 years ago

The examples are packaged in the ldns.examples output.

imol-ai commented 3 months ago

Hey all. Any pointers / any progress on how to solve this?

volfyd commented 1 month ago

I have an ugly fix ... In the file nixos/modules/services/networking/nsd.nix replace the single line

  dnssecTools = pkgs.bind.override { enablePython = true; };

with this big hack

  dnssecTools =
    (pkgs.bind.overrideAttrs (_: rec {
      pname = "bind";
      version = "9.16.50";
      patches = [];
      outputs = ["out"]; # These two lines are needed because without them, I get this error:
      postInstall = ""; # error: cycle detected in build of ... in the references of output 'dev' from output 'out'
      postFixup = ''
        sitepackages=$(find $out/lib -name site-packages -print)
        substituteInPlace $out/bin/dnssec-keymgr \
          --replace-fail \
            'import isc.keymgr' \
            "$(printf '%s\n%s\n' \
              'sys.path.insert(1, "'$sitepackages'")' \
              'import isc.keymgr')"
      '';
      src = pkgs.fetchurl {
        url = "https://downloads.isc.org/isc/bind9/${version}/${pname}-${version}.tar.xz";
        hash = "sha256-gW26o8EVAZ8w/OvZ6O+Pdjf0rd6Rx52qCZsDUlWhV5U=";
      };
    }))
    .override {enablePython = true;};

I have no idea how it worked without the fixup step before.

If anyone knows a better way to fixup the reference to the python library built by the package, let me know.

It would probably be best to switch to using ldns.examples ... it might be difficult to recreate the exact same options the module has now.
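As an added illustration of the ldns.examples route raised in the thread (hrdinka's question about the "simple LDNS tools", ncfavier's note that they live in the ldns.examples output, and volfyd's suggestion above), here is a minimal NixOS service that signs one zone with ldns-keygen and ldns-signzone. This is example code written for this page, not part of nixpkgs or the nsd module; the zone name, directories, algorithm, expiry and timer schedule are assumptions, and it deliberately does not implement key rollover or the module's other options.

```nix
# Added example, not nixpkgs code: sign a zone with the ldns example tools
# instead of the removed dnssec-keymgr. Paths/zone/schedule are assumptions.
{ pkgs, ... }:
let
  zone = "example.com";            # assumed zone name
  keyDir = "/var/lib/nsd-ldns/keys";
  zoneDir = "/var/lib/nsd-ldns/zones";
in {
  systemd.services.nsd-ldns-sign = {
    description = "Sign ${zone} with ldns-signzone";
    # ldns-keygen and ldns-signzone come from the ldns.examples output.
    path = [ pkgs.ldns.examples pkgs.coreutils ];
    serviceConfig = {
      Type = "oneshot";
      User = "nsd";
      Group = "nsd";
    };
    script = ''
      set -euo pipefail
      mkdir -p ${keyDir} ${zoneDir}
      cd ${keyDir}
      # Generate one KSK (-k) and one ZSK on first run; ldns-keygen prints
      # the key basename (K<zone>.+<alg>+<id>) to stdout. The KSK's .ds file
      # is what you hand to the registrar. No rollover is done here.
      if [ ! -f ksk.name ]; then
        ldns-keygen -a ECDSAP256SHA256 -k ${zone} > ksk.name
        ldns-keygen -a ECDSAP256SHA256 ${zone} > zsk.name
      fi
      # Re-sign the unsigned zone file with NSEC3 (-n) and a 30-day RRSIG
      # expiry; the weekly timer below refreshes signatures well before then.
      ldns-signzone -n -o ${zone} \
        -e "$(date -d '+30 days' +%Y%m%d%H%M%S)" \
        -f ${zoneDir}/${zone}.signed \
        ${zoneDir}/${zone} "$(cat ksk.name)" "$(cat zsk.name)"
    '';
  };
  systemd.timers.nsd-ldns-sign = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";
      Persistent = true;
    };
  };
}
```

Pointing nsd at the generated .signed file and reloading it after each run are left to the reader, as is any rollover policy, which is exactly the part dnssec-keymgr handled and the ldns tools do not.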

imol-ai commented 1 month ago

Great stuff, thanks for the reply. I have since moved on to using Knot DNS (the other non-BIND nameserver used on root servers), and it worked wonderfully for me, no workarounds needed.