Bug 566676 - dnssec-conf mangles /etc/named.conf -- using includes as alternative
Summary: dnssec-conf mangles /etc/named.conf -- using includes as alternative
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-conf
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: dnssecmods
 
Reported: 2010-02-19 11:08 UTC by Oron Peled
Modified: 2010-08-26 18:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-08-26 18:34:06 UTC
Type: ---
Embargoed:


Attachments
dnssec-configure that does not clobber /etc/named.conf (23.53 KB, text/plain)
2010-02-20 01:09 UTC, Oron Peled

Description Oron Peled 2010-02-19 11:08:14 UTC
Description of problem:
The current dnssec-conf strategy is to edit /etc/named.conf which already
caused numerous bugs documented in blocker bug 566585 (dnssecmods).

Some fixes were proposed for the parsing problems:
 * Paul Wouters tried to use pyparsing
 * I attached a 3-line fix to bug 505754 that solves the current problems.

However, these solutions are wrong on several accounts:
 * A package should never mess with another package files (dnssec-conf
   modifies a file owned by bind).

 * Scripts should never modify human editable files.

 * There should be a single canonical parser for a file (in this case it's
   embedded in bind)

Proposed solution (adapted from my earlier proposal in bug 505754):
 * bind 'Requires' dnssec-conf (as it is now).

 * The default /etc/named.conf in bind, should have:
       ---- cut -----------------------------------------
       options {
            ...
       include "/etc/named/options-dnssec.conf";
       };
       ...
       include "/etc/named/dnssec.keys";
       ---- cut -----------------------------------------

  * Upgrading bind would install this as /etc/named.conf.rpmnew

  * Handling /etc/named/options-dnssec.conf:
    - Should be owned by dnssec-conf package and look something like:
       ---- cut -----------------------------------------
       # All manual edits will be lost.
       # Please read /etc/sysconfig/dnssec
       dnssec-enable no;
       dnssec-validation no;
       ---- cut -----------------------------------------
    - A setup script would overwrite it according to /etc/sysconfig/dnssec
      This script can be simple shell script, as there's no need to parse
      the previous contents.
    - In a chroot, the /etc/named directory is bind-mounted into the chroot
      environment, so it does not create a new problem.

  * Handling /etc/named/dnssec.keys:
    - Should be owned by dnssec-conf package
    - The same setup script that is used for /etc/named/options-dnssec.conf
      would either copy it from /etc/pki/dnssec-keys/named.dnssec.keys
      (if dnssec is on), or empty it (if dnssec is off).
    - Since the copied file is in /etc/named, it should work cleanly in a
      chroot environment (and also no need for two bind-mounts, only /etc/named)

Comment 1 Oron Peled 2010-02-19 11:19:39 UTC
Optional improvement:
 * Since the proposed setup script runs from /etc/init.d/named, it can
   optionally test that /etc/named.conf contains the required includes.
 * If the includes are missing, simply issue a warning (via both echo(1)
   and logger(1)) --
      "DNSSEC isn't functional as /etc/named.conf misses required include files."
 * Since this is only warning, the risks from false positive/negative are
   minimal.

Comment 2 Oron Peled 2010-02-20 01:09:09 UTC
Created attachment 395203
dnssec-configure that does not clobber /etc/named.conf

1. The attached dnssec-configure does not write to /etc/named.conf

2. It generates two files into /etc/named (so we separate outputs from inputs):
   - /etc/named/options-dnssec.conf
   - /etc/named/named.dnssec.keys

3. It reads /etc/named.conf to verify that the first of these
   files is included inside the options {} block and the second
   is included outside of the options {} block:
   - Any missing include causes a warning to be printed (not a failure).
   - We still try hard to prevent false warnings (by stripping comments,
     counting braces, etc.)

4. In a chroot environment, /etc/pki/dnssec-keys still needs to be mounted,
   since its files are included in the generated /etc/named/named.dnssec.keys.
   However, we may decide to mount it read-only.

Comment 3 Oron Peled 2010-02-20 01:34:14 UTC
For clean transition to the suggested scheme, we would need the following
small changes to the bind package.

In /etc/init.d/named:
 1. Removing the requirement of /etc/sysconfig/dnssec to be newer
    than /etc/named.conf. It's simpler now:

    if [ -x /usr/sbin/dnssec-configure -a -r /etc/named.conf ]; then
      /usr/sbin/dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV"
    fi

 2. For safety, make sure the required includes always exist (even empty):

    for i in options-dnssec.conf named.dnssec.keys
    do
      # touch the file under /etc/named, not in the current directory
      [ -r /etc/named/$i ] || touch /etc/named/$i || :
    done

 3. Ship with a %config(noreplace) /etc/named.conf that contains the two
    suggested include lines (one inside the options{} block and the other
    outside). Documenting them would be helpful too:

    options {
       ...
       // The following file is (re)generated by dnssec-configure
       // that is run from /etc/init.d/named
       include "/etc/named/options-dnssec.conf";
    };
    ...
    // The following file is (re)generated by dnssec-configure
    // that is run from /etc/init.d/named
    include "/etc/named/named.dnssec.keys";

Comment 4 Paul Wouters 2010-08-26 18:34:06 UTC
This is now a dead package. It has been obsoleted and should no longer be present on any fedora system

