Bug 566676

Summary: dnssec-conf mangles /etc/named.conf -- using includes as alternative
Product: Fedora
Component: dnssec-conf
Version: 12
Reporter: Oron Peled <oron>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bill-bugzilla.redhat.com, pwouters
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-26 18:34:06 UTC
Bug Blocks: 566585
Attachments: dnssec-configure that does not clobber /etc/named.conf

Description Oron Peled 2010-02-19 11:08:14 UTC
Description of problem:
The current dnssec-conf strategy is to edit /etc/named.conf, which has already
caused numerous bugs, documented in blocker bug 566585 (dnssecmods).

Some fixes were proposed for the parsing problems:
 * Paul Wouters tried to use pyparsing
 * I attached a 3-line fix to bug 505754 that solves the current problems.

However, these solutions are wrong on several accounts:
 * A package should never mess with another package's files (dnssec-conf
   modifies a file owned by bind).

 * Scripts should never modify human-editable files.

 * There should be a single canonical parser for a file (in this case it's
   embedded in bind).

Proposed solution (adapted from my earlier proposal in bug 505754):
 * bind 'Requires' dnssec-conf (as it is now).

 * The default /etc/named.conf in bind should have:
       ---- cut -----------------------------------------
       options {
            ...
            include "/etc/named/options-dnssec.conf";
       };
       ...
       include "/etc/named/dnssec.keys";
       ---- cut -----------------------------------------

 * Upgrading bind would install this as /etc/named.conf.rpmnew

 * Handling /etc/named/options-dnssec.conf:
   - Should be owned by the dnssec-conf package and look something like:
       ---- cut -----------------------------------------
       # All manual edits will be lost.
       # Please read /etc/sysconfig/dnssec
       dnssec-enable no;
       dnssec-validation no;
       ---- cut -----------------------------------------
   - A setup script would overwrite it according to /etc/sysconfig/dnssec.
     This script can be a simple shell script, as there's no need to parse
     the previous contents.
   - In a chroot, the /etc/named directory is bind-mounted into the chroot
     environment, so it does not create a new problem.

 * Handling /etc/named/dnssec.keys:
   - Should be owned by the dnssec-conf package
   - The same setup script that is used for /etc/named/options-dnssec.conf
     would either copy it from /etc/pki/dnssec-keys/named.dnssec.keys
     (if dnssec is on), or empty it (if dnssec is off).
   - Since the copied file is in /etc/named, it should work cleanly in a
     chroot environment (and also no need for two bind-mounts, only /etc/named)

Comment 1 Oron Peled 2010-02-19 11:19:39 UTC
Optional improvement:
 * Since the proposed setup script runs from /etc/init.d/named, it can
   optionally test that /etc/named.conf contains the required includes.
 * If the includes are missing, simply issue a warning (via both echo(1)
   and logger(1)):
      "DNSSEC isn't functional as /etc/named.conf misses required include files."
 * Since this is only a warning, the risks from a false positive/negative are
   minimal.

Comment 2 Oron Peled 2010-02-20 01:09:09 UTC
Created attachment 395203 [details]
dnssec-configure that does not clobber /etc/named.conf

1. The attached dnssec-configure does not write to /etc/named.conf

2. It generates two files into /etc/named (so we separate outputs from inputs):
   - /etc/named/options-dnssec.conf
   - /etc/named/named.dnssec.keys

3. It reads /etc/named.conf to verify that the first of these
   files is included inside the options {} block and the second
   is included outside of the options {} block:
   - Any missing include causes a warning to be printed (not a failure).
   - We still try hard to prevent false warnings (by stripping comments,
     counting braces, etc.)

4. In a chroot environment, /etc/pki/dnssec-keys still needs to be mounted
   since its files are included in the generated /etc/named/named.dnssec.keys.
   However, we may decide to mount it read-only.
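A check of the kind point 3 describes, written here as an added example (this is not the attached dnssec-configure script): it strips comments, walks the braces, and reports at which depth and inside which top-level block each include appears. The include paths are the ones proposed in this bug; the function names are assumptions of this example.

```shell
# Print "depth:block" for the statement that includes file $2 in config $1
# (block = name of the enclosing top-level block, empty at depth 0).
# Prints nothing when the include is absent or appears only in a comment.
include_location() {
    awk -v target="$2" '
    BEGIN { depth = 0; inc = 0; block = ""; word = "" }
    {
        line = $0; out = ""
        while (1) {                      # strip /* ... */ (may span lines)
            if (inc) { i = index(line, "*/"); if (!i) break
                       line = substr(line, i + 2); inc = 0 }
            else     { i = index(line, "/*"); if (!i) { out = out line; break }
                       out = out substr(line, 1, i - 1); line = substr(line, i + 2); inc = 1 }
        }
        line = out
        sub("//.*", "", line); sub("#.*", "", line)   # drop // and # comments
        while (1) {                      # walk the segments between braces
            i = match(line, /[{}]/)
            seg = i ? substr(line, 1, i - 1) : line
            if (seg ~ /include[ \t]+"/ && index(seg, "\"" target "\""))
                print depth ":" block
            if (seg ~ /[A-Za-z]/) {      # remember the last word: it names a block
                n = split(seg, w, /[ \t;]+/)
                for (k = n; k > 0; k--) if (w[k] != "") { word = w[k]; break }
            }
            if (!i) break
            if (substr(line, i, 1) == "{") { if (depth == 0) block = word; depth++ }
            else { depth--; if (depth == 0) block = "" }
            line = substr(line, i + 1)
        }
    }' "$1"
}

# Return 0 when both includes are where they belong; otherwise print a
# warning (a warning, not a failure, as proposed above) and return 1.
check_named_conf() {
    rc=0
    if [ "$(include_location "$1" /etc/named/options-dnssec.conf)" != "1:options" ]; then
        echo "warning: $1 does not include /etc/named/options-dnssec.conf inside options {}" >&2
        rc=1
    fi
    if [ "$(include_location "$1" /etc/named/named.dnssec.keys)" != "0:" ]; then
        echo "warning: $1 does not include /etc/named/named.dnssec.keys outside options {}" >&2
        rc=1
    fi
    return $rc
}
```

From a setup script run by /etc/init.d/named this would be called as `check_named_conf /etc/named.conf`, with the warning forwarded to logger(1) if desired.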

Comment 3 Oron Peled 2010-02-20 01:34:14 UTC
For a clean transition to the suggested scheme, we would need the following
small changes to the bind package.

In /etc/init.d/named:
 1. Remove the requirement that /etc/sysconfig/dnssec be newer
    than /etc/named.conf. It's simpler now:

    if [ -x /usr/sbin/dnssec-configure -a -r /etc/named.conf ]; then
      /usr/sbin/dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV"
    fi

 2. For safety, make sure the required includes always exist (even if empty):

    # Create any missing include file in /etc/named so that named.conf
    # can always include it; never fail the init script over this.
    for i in options-dnssec.conf named.dnssec.keys
    do
      [ -r /etc/named/$i ] || touch /etc/named/$i || :
    done

 3. Ship with a %config(noreplace) /etc/named.conf that contains the two
    suggested include lines (one inside the options{} block and the other
    outside). Documenting them would be helpful too:

    options {
       ...
       // The following file is (re)generated by dnssec-configure
       // that is run from /etc/init.d/named
       include "/etc/named/options-dnssec.conf";
    };
    ...
    // The following file is (re)generated by dnssec-configure
    // that is run from /etc/init.d/named
    include "/etc/named/named.dnssec.keys";

Comment 4 Paul Wouters 2010-08-26 18:34:06 UTC
This is now a dead package. It has been obsoleted and should no longer be present on any Fedora system.