Add DoT support for DNS updates
DNS-over-TLS is a new standard for encrypting DNS traffic.

SSSD does not implement DoT itself but relies on other
components of the system. This modification allows us to set
up DoT for dynamic DNS updates.

:config: the `dyndns_server` option is extended so it can
  be in the form of a URI (dns+tls://1.2.3.4:853#servername).
  A new set of options `dyndns_dot_cacert`,
  `dyndns_dot_cert` and `dyndns_dot_key` allows configuring
  DNS-over-TLS communication.

:relnote: DoT for dynamic DNS updates is now supported.
  It requires a new version of `nsupdate` from BIND 9.20.1+.
thalman committed Nov 28, 2024
1 parent 58a2fee commit 98581d8
Showing 16 changed files with 530 additions and 40 deletions.
3 changes: 3 additions & 0 deletions src/config/SSSDConfig/sssdoptions.py
@@ -207,6 +207,9 @@ def __init__(self):
'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server': _("Override the DNS server used to perform the DNS update"),
'dyndns_dot_cacert': _("The file of the certificate authorities certificates for DoT"),
'dyndns_dot_cert': _("The certificate(s) file for authentication for the DoT transport"),
'dyndns_dot_key': _("The key file for authenticated encryption for the DoT transport"),
'subdomain_enumerate': _('Control enumeration of trusted domains'),
'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
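Review bot: the `dyndns_dot_key` description ("The key file for authenticated encryption for the DoT transport") misdescribes the file: per the man page hunks in this commit it is the client private key paired with `dyndns_dot_cert` for mutual TLS authentication, not a key that encrypts the transport. Suggest something like `'dyndns_dot_key': _("The private key file matching dyndns_dot_cert, used for client (mutual TLS) authentication on the DoT transport")`, and for `dyndns_dot_cacert` the clearer "The file with CA certificates (PEM) used to verify the DoT server certificate".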
6 changes: 6 additions & 0 deletions src/config/SSSDConfigTest.py
@@ -567,6 +567,9 @@ def testListOptions(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
@@ -928,6 +931,9 @@ def testRemoveProvider(self):
'dyndns_force_tcp',
'dyndns_auth',
'dyndns_server',
'dyndns_dot_cacert',
'dyndns_dot_cert',
'dyndns_dot_key',
'subdomain_enumerate',
'override_gid',
'case_sensitive',
3 changes: 3 additions & 0 deletions src/config/cfg_rules.ini
@@ -443,6 +443,9 @@ option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_auth_ptr
option = dyndns_server
option = dyndns_dot_cacert
option = dyndns_dot_cert
option = dyndns_dot_key

# files provider specific options
option = passwd_files
3 changes: 3 additions & 0 deletions src/config/etc/sssd.api.conf
@@ -216,6 +216,9 @@ dyndns_update_ptr = bool, None, false
dyndns_force_tcp = bool, None, false
dyndns_auth = str, None, false
dyndns_server = str, None, false
dyndns_dot_cacert = str, None, false
dyndns_dot_cert = str, None, false
dyndns_dot_key = str, None, false

# Special providers
[provider/permit]
68 changes: 66 additions & 2 deletions src/man/sssd-ad.5.xml
@@ -1328,12 +1328,26 @@ ad_gpo_map_deny = +my_pam_service
<para>
Setting this option makes sense for environments
where the DNS server is different from the identity
server.
server or when we use encrypted DNS.
</para>
<para>
The parameter can be a simple string containing
DNS name or IP address. It can also be an URI.
The URI can look like
<emphasis>dns://servername/</emphasis> or
<emphasis>dns+tls://1.2.3.4:853#servername/</emphasis>.
</para>
<para>
The second example enables DNS-over-TLS protocol for
DNS updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
autodetected settings failed or when DNS-over-TLS
is enabled.
</para>
<para>
Default: None (let nsupdate choose the server)
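Review bot: the second URI example, `dns+tls://1.2.3.4:853#servername/`, puts the trailing slash inside the fragment (everything after `#` is the fragment), and the commit message writes the same URI without it; drop the slash or move it before the `#` so the two agree. The paragraph should also say what `servername` is for, since a reader has to know which name the server's TLS certificate is validated against when the host part is an IP address. Two smaller points: "when we use encrypted DNS" reads better as "when encrypted DNS is used", and the pointer to `man nsupdate` could state the minimum from the release note (nsupdate from BIND 9.20.1 or later) so an administrator can check the installed version before enabling DoT.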
@@ -1356,6 +1370,56 @@ ad_gpo_map_deny = +my_pam_service
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achive mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />

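Review bot: typo in the dyndns_dot_cert entry: "achive" should be "achieve". The dyndns_dot_key text ("the key file for authenticated encryption") should say it is the private key matching dyndns_dot_cert, used for client authentication in mutual TLS, as the previous entry already implies. Since both defaults read "Do not use TLS authentication", the page should also state what happens when only one of dyndns_dot_cert and dyndns_dot_key is set; rejecting the configuration is preferable to silently sending the update without client authentication. For dyndns_dot_key it is worth adding that the file holds a private key and should be readable only by the account that runs nsupdate.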
68 changes: 66 additions & 2 deletions src/man/sssd-ipa.5.xml
@@ -321,12 +321,26 @@
<para>
Setting this option makes sense for environments
where the DNS server is different from the identity
server.
server or when we use encrypted DNS.
</para>
<para>
The parameter can be a simple string containing
DNS name or IP address. It can also be an URI.
The URI can look like
<emphasis>dns://servername/</emphasis> or
<emphasis>dns+tls://1.2.3.4:853#servername/</emphasis>.
</para>
<para>
The second example enables DNS-over-TLS protocol for
DNS updates. The nsupdate utility must support DoT -
check the <emphasis>man nsupdate</emphasis> before
enabling it in SSSD.
</para>
<para>
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
autodetected settings failed or when DNS-over-TLS
is enabled.
</para>
<para>
Default: None (let nsupdate choose the server)
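Review bot: this paragraph block is a verbatim copy of the dyndns_server text added to sssd-ad.5.xml in this commit, including the `dns+tls://1.2.3.4:853#servername/` example with the slash inside the fragment and the "when we use encrypted DNS" wording, so both copies need the same corrections. The man pages already pull shared option text in with xi:include (see the override_homedir.xml and homedir_substring.xml includes in sssd-ad.5.xml); moving the dyndns_server and dyndns_dot_* descriptions into an include would keep the AD and IPA pages from drifting apart.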
@@ -349,6 +363,56 @@
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cacert (string)</term>
<listitem>
<para>
This option specifies the file of the certificate
authorities certificates (in PEM format) in order
to verify the remote server TLS certificate when
using DoT.
</para>
<para>
Default: None (use global certificate store)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_cert (string)</term>
<listitem>
<para>
This option sets the certificate(s) file for
authentication for the DoT transport to the remote
server. The certificate chain file is expected to
be in PEM format.
</para>
<para>
The <emphasis>dyndns_dot_cert</emphasis> and
<emphasis>dyndns_dot_key</emphasis> options must be
both set to achive mutual TLS authentication.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>dyndns_dot_key (string)</term>
<listitem>
<para>
This option sets the key file for authenticated
encryption for the DoT transport to the remote
server. The private key file is expected to
be in PEM format.
</para>
<para>
Default: None (Do not use TLS authentication)
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>ipa_access_order (string)</term>
<listitem>
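Review bot: the three dyndns_dot_* entries here duplicate the sssd-ad.5.xml ones verbatim, so the "achive" typo and the "authenticated encryption" description of dyndns_dot_key are present twice; fix them in both places or move the entries to a shared xi:include file as the man pages already do for other common options.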
3 changes: 3 additions & 0 deletions src/providers/ad/ad_opts.c
@@ -325,6 +325,9 @@ struct dp_option ad_dyndns_opts[] = {
{ "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
{ "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_dot_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};

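Review bot: the same three options are documented for the IPA provider in sssd-ipa.5.xml in this commit, so the IPA provider's dyndns option table needs matching DP_OPT_STRING entries as well; they do not appear among the files shown on this page (9 of the 16 changed files are not rendered here), so please confirm they are included. With NULL_STRING defaults an unset dyndns_dot_cacert falls back to the global certificate store as the man page states, which is the right default; make sure the code path that consumes these options rejects a configuration where only one of dyndns_dot_cert and dyndns_dot_key is set.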