Add authoritative zone handling #117
Conversation
karolyi
force-pushed
the
master
branch
3 times, most recently
from
df251b4 to
38178cc
Compare
There was a problem hiding this comment.
There's no documentation nor example, so I'm not sure if the intent is the same, but looking at the diff, it seems to address the same thing as something already documented.
The difference seems that the unbound instance can be set to listen to 0.0.0.0:553 and [::]:553.
So, maybe we should just introduce a flag that allows additional ip:port to be listened to? That can be useful if people want to expose an unencrypted DNS server on the regular port 53 as well.
| # --- FOR TESTING --- | ||
| # RUN apt-get update && apt-get install -y iproute2 less vim | ||
|
|
Dockerfile
Outdated
| @@ -64,6 +67,8 @@ RUN mkdir -p \ | |||
| COPY encrypted-dns.toml.in /opt/encrypted-dns/etc/ | |||
| COPY undelegated.txt /opt/encrypted-dns/etc/ | |||
|
|
|||
| RUN chmod a+r /opt/encrypted-dns/etc/undelegated.txt | |||
|
|
||
| init() { | ||
| if [ "$(is_initialized)" = yes ]; then | ||
| start | ||
| exit $? | ||
| fi | ||
|
|
||
| # TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@") |
| anondns_enabled="false" | ||
| anondns_blacklisted_ips="" | ||
|
|
||
| metrics_address="127.0.0.1:9100" | ||
|
|
||
| while getopts "h?N:E:T:AM:" opt; do |
There was a problem hiding this comment.
I'm quite scared by changing getopts to getopt. If the behavior is not exactly the same as before, it will break severs from everybody running watchtower to automatically keep their containers up to date.
| @@ -2,6 +2,36 @@ | |||
|
|
|||
| KEYS_DIR="/opt/encrypted-dns/etc/keys" | |||
| ZONES_DIR="/opt/unbound/etc/unbound/zones" | |||
| AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones" | |||
|
|
|||
| OIFS="${IFS}" | |||
There was a problem hiding this comment.
Why is IFS saved since it's not changed anywhere?
|
The documented part is for local-zones directives, that is very different from authoritative zones (auth-zone). They're not even handled on the same configuration level. I saw it from the get-go but unfortunately it's not what I need, as the server should be able to act authoritative for zones it gets IXFR/AXFR-ed.
The chmod was necessary because that file it The leftovers are for documentation and testing purposes, just ignore them, don't be too picky about them. IFS is changed so multi-line configuration snippets aren't parsed as arrays. As you can see, when the setup is done, IFS is changed back. |
|
Interesting, I thought I defined an empty IFS which I didn't. At some point I got errors because they were parsed as arrays. I'm too tired for today (was working today the entire day on this) but I'll check tomorrow if that OIFS/IFS can be removed. On second thought, that could've been because I was testing restarting the service from within the container, where the default IFS can be different. I'll test tomorrow. |
|
But couldn't |
Not that I know of. |
karolyi
force-pushed
the
master
branch
2 times, most recently
from
554ae6e to
3effd2d
Compare
|
Okay, so did a test now. I can't recall for what reason, but sometimes the IFS value was making my modification with the multi-line string behave as an array, so just to be sure, I've added setting/resetting its value before setting the proper variables. If you agree this is acceptable, I'll make the documentation changes in hopes of a timely merge and release. |
|
Hey, I'm abandoning this PR. It turned out that unbound is unable to transfer zones with using TSIG signatures and so the only method is to restrict by IP that is insecure: IPs can be faked by a powerful enough adversary. Feel free to integrate or close this PR. |
Hey,
so this would address #116.
I've changed using
getoptstogetoptthat allows for long option parameters (see the commented out lines as to why). I don't use it right now but the time may come so why not put it in ahead of time. Also I fixed a startup error.The way it works is, when you mount the
/etc/dnscrypt-server/auth-zonesdirectory, it gets picked up by the startup script and generate a different configuration in terms of what interfaces to listen on, and what queries to answer to, depending on where they arrive from.I've tested this variant on my local VM, seems to be working.
Documentation is still missing; this is just a WIP version. Add your input if you'd like, but to my taste this is already good enough to go. If nothing else, I'll add the documentation part, and then you can merge (and hopefully release ASAP).