FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 02-17-2011, 03:07 AM
Robert Edmonds
 
Default for those who care about unbound (resolvconf and DNSSEC)

hi,

i'd like to get some feedback on whether i should implement some changes
in the unbound debian packaging:

* integration with resolvconf as a provider of recursive DNS
resolution. (#562031)

* retrieving a list of upstream recursive DNS servers from
resolvconf and automatically configuring these servers as
forwarders, and deconfiguring them when they are no longer
available. (#567879)

* enabling DNSSEC validation by default. (#594911)

i'm inclined to implement all three of these features and make them each
individually toggle-able via /etc/default/unbound, and to enable these
features by default, but i would like to hear some wider opinions. (i
have never even used resolvconf before.)

there are some sub-issues such as:

* automatically creating key material and configuration for
unbound-control (a la bind9 and rndc) so that unbound-control can
be used to reload the forwarder configuration without dumping the
cache.

* making sure we don't accidentally attempt to configure ourselves
as a forwarder.

* how, or whether to include the root trust anchor. unbound now has
a utility called unbound-anchor which attempts to fetch an updated
root trust anchor from https://data.iana.org/root-anchors/, using
a built-in copy of the ICANN HTTPS cert (so, it doesn't rely on
x509 PKI); failing that, it writes out a built-in copy of the root
trust anchor.

it would be possible to invoke unbound-anchor in the unbound
postinst in order to write out a trust anchor file into e.g.
/var/cache/unbound, which is then referenced by the unbound config
file, and it would also be possible to re-invoke unbound-anchor in
the unbound init script. this would mean that a DNS server with
the unbound package would cause HTTPS connections to be made,
although if these connections failed there would be a fall-back
trust anchor used.

it's possible that at some point in the future old versions of
unbound-anchor would no longer be able to securely generate an
up-to-date root trust anchor file, but i believe this could be
adequately handled by a stable-security or stable point release
update.

--
Robert Edmonds
edmonds@debian.org
 
Old 02-17-2011, 06:53 AM
Daniel Baumann
 
Default for those who care about unbound (resolvconf and DNSSEC)

On 02/17/2011 05:07 AM, Robert Edmonds wrote:
> i'm inclined to implement all three of these features and make them each
> individually toggle-able via /etc/default/unbound, and to enable these
> features by default

in order to do that for the first two that involve resolvconf, does that
mean you're going to add a depends on resolvconf (rather than e.g. a
recommends)? i'd prefere to not have resolvconf pulled in hard.

--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D5CD40E.8030006@progress-technologies.net">http://lists.debian.org/4D5CD40E.8030006@progress-technologies.net
 
Old 02-17-2011, 07:46 AM
Robert Edmonds
 
Default for those who care about unbound (resolvconf and DNSSEC)

On 2011-02-17, Daniel Baumann <daniel.baumann@progress-technologies.net> wrote:
> On 02/17/2011 05:07 AM, Robert Edmonds wrote:
>> i'm inclined to implement all three of these features and make them each
>> individually toggle-able via /etc/default/unbound, and to enable these
>> features by default
>
> in order to do that for the first two that involve resolvconf, does that
> mean you're going to add a depends on resolvconf (rather than e.g. a
> recommends)? i'd prefere to not have resolvconf pulled in hard.

let me rephrase: the resolvconf options would be enabled by default, but
would be no-ops unless resolvconf is installed. and i think the package
would only Suggest: resolvconf.

--
Robert Edmonds
edmonds@debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: ijina1$b0k$1@dough.gmane.org">http://lists.debian.org/ijina1$b0k$1@dough.gmane.org
 
Old 02-17-2011, 09:21 AM
Michael Tokarev
 
Default for those who care about unbound (resolvconf and DNSSEC)

17.02.2011 07:07, Robert Edmonds wrote:
> hi,
>
> i'd like to get some feedback on whether i should implement some changes
> in the unbound debian packaging:
>
> * integration with resolvconf as a provider of recursive DNS
> resolution. (#562031)
>
> * retrieving a list of upstream recursive DNS servers from
> resolvconf and automatically configuring these servers as
> forwarders, and deconfiguring them when they are no longer
> available. (#567879)

Yes, both of these are really useful. I have this done long
ago locally on some notebook - trivially doable based on bind9
scripts. I just can't find it right now.

But indeed, this (#567879) needs unbound-control working, or
else it's impossible to change unbound config at runtime.
This is not a problem IMHO, to enable unbound-control by
default in new install. Check for 'control-enable: no'
in unbound.conf (ie, if it is explicitly disabled) before
enabling it, and log a warning if updating list of
forwarders failed in dhcp script (if updating is enabled
in /etc/default/unbound)

> * enabling DNSSEC validation by default. (#594911)

This is very useful, but questionable, since it makes
unbound to require writable files (now it does not write
anything except of the pid file). This in turn makes it
difficult to chroot it properly - it can only be chrooted
into /etc, and I'd rather keep /etc read-only during normal
operations. However, debian initscript does not have
provisions for chrooting it.

> i'm inclined to implement all three of these features and make them each
> individually toggle-able via /etc/default/unbound, and to enable these
> features by default, but i would like to hear some wider opinions. (i
> have never even used resolvconf before.)
>
> there are some sub-issues such as:
>
> * automatically creating key material and configuration for
> unbound-control (a la bind9 and rndc) so that unbound-control can
> be used to reload the forwarder configuration without dumping the
> cache.
>
> * making sure we don't accidentally attempt to configure ourselves
> as a forwarder.

What do you mean here?

> * how, or whether to include the root trust anchor. unbound now has
> a utility called unbound-anchor which attempts to fetch an updated
> root trust anchor from https://data.iana.org/root-anchors/, using
> a built-in copy of the ICANN HTTPS cert (so, it doesn't rely on
> x509 PKI); failing that, it writes out a built-in copy of the root
> trust anchor.
>
> it would be possible to invoke unbound-anchor in the unbound
> postinst in order to write out a trust anchor file into e.g.
> /var/cache/unbound, which is then referenced by the unbound config
> file, and it would also be possible to re-invoke unbound-anchor in
> the unbound init script. this would mean that a DNS server with
> the unbound package would cause HTTPS connections to be made,
> although if these connections failed there would be a fall-back
> trust anchor used.
>
> it's possible that at some point in the future old versions of
> unbound-anchor would no longer be able to securely generate an
> up-to-date root trust anchor file, but i believe this could be
> adequately handled by a stable-security or stable point release
> update.

That's all good points. Maybe a debconf question (whenever to enable
dnssec and to fetch the root keys etc) is in order.

Thanks!

/mjt


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D5CF693.5090403@msgid.tls.msk.ru">http://lists.debian.org/4D5CF693.5090403@msgid.tls.msk.ru
 
Old 02-17-2011, 06:35 PM
Daniel Baumann
 
Default for those who care about unbound (resolvconf and DNSSEC)

On 02/17/2011 09:46 AM, Robert Edmonds wrote:
> let me rephrase: the resolvconf options would be enabled by default, but
> would be no-ops unless resolvconf is installed. and i think the package
> would only Suggest: resolvconf.

thanks.

--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D5D789E.6040300@progress-technologies.net">http://lists.debian.org/4D5D789E.6040300@progress-technologies.net
 
Old 02-22-2011, 12:46 AM
Robert Edmonds
 
Default for those who care about unbound (resolvconf and DNSSEC)

Robert Edmonds wrote:
> i'd like to get some feedback on whether i should implement some changes
> in the unbound debian packaging:

i'm also looking into building the python bindings for libunbound.
unfortunately upstream uses autotools / libtool to build and link the
python module, which results in the python extension module being linked
against every library the configure script can find.

short of rewriting the upstream build system i could only come up with
the following to make the build link against only the required
libraries:

# XXX gross hack to prevent python module from linking against everything
rm -f _unbound.la
sed -i -e 's/^dependency_libs=.*/dependency_libs='/' libunbound.la
make _unbound.la LIBS=""
install -m 0644 .libs/_unbound.so.2.*.*
debian/python-unbound/usr/lib/pyshared/python2.6/_unbound.so

but that's really gross.

--
Robert Edmonds
edmonds@debian.org
 

Thread Tools




All times are GMT. The time now is 08:57 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org