
GetDomainCorrections vs DNSSEC

Open philpennock opened this issue 4 years ago • 5 comments

While updating GANDI_V5 in #673 I hit a snag and opted to skip DNSSEC support.

The comments above GetDomainCorrections warn that it needs to be identical, because it's disappearing in the future. Yet without modifying it, I don't see how to support non-record operations on a domain, such as enabling or disabling DNSSEC.

GANDI supports auto-DNSSEC, and the Go library we're using supports it (SignDomain() / GetDomainKeys() / DeleteDomainKey()), but these are non-record updates to the zone, even if the ultimate effect obviously shows up as records.

If you're close to switching to the new layout and my holding off for a little bit would make life easier, I can do so, but I suspect that we'd have to have a regression in DNSimple in that case.

I'm tentatively thinking of:

```go
func (client *api) GetDomainCorrections(dc *models.DomainConfig) ([]*models.Correction, error) {
	// Record-level state of the zone, as today.
	existing, err := client.GetZoneRecords(dc.Name)
	if err != nil {
		return nil, err
	}
	// Proposed: non-record state of the zone (e.g. DNSSEC keys), provider-specific.
	zoneInfo, err := client.GetZoneInfo(dc.Name)
	if err != nil {
		return nil, err
	}
	models.PostProcessRecords(existing)
	clean := PrepFoundRecords(existing)
	PrepDesiredRecords(dc)
	// zoneInfo is passed through so corrections can cover DNSSEC as well as records.
	return client.GenerateDomainCorrections(dc, zoneInfo, clean)
}
```

That invents .GetZoneInfo and passes the result to GenerateDomainCorrections(). A suitable stub would be to just immediately return nil from the former.

Does this look acceptable? Is there something you'd rather I do instead?

philpennock avatar Mar 01 '20 08:03 philpennock

GetDomainCorrections is still in flux, so this is a good time to make such changes.

I think adding a GetZoneInfo() is a good way to standardize DNSSEC updates and it might help if we try to manage other things (registration locks maybe?)

Tom

tlimoncelli avatar Mar 01 '20 18:03 tlimoncelli

The code is definitely not ready to merge yet (ran into stumbling blocks with Gandi's API, I think) but the shape of it is in https://github.com/ConnectEverything/dnscontrol/commit/d4e0b7a56a61e9d4278b4a3ab51198d1e3764bd8

I opted for interface{} to leave the data as provider-specific but able to pass in and out, so that the function can be pulled out later.

philpennock avatar Mar 01 '20 21:03 philpennock

@philpennock interface{} seems reasonable in this case.

tlimoncelli avatar Mar 02 '20 16:03 tlimoncelli

Okay, I will need to revisit this when I revisit Gandi DNSSEC support, or perhaps some other provider. At present, my conclusion is that the API is not yet mature enough to be safe for us to use. I'm going to detail the reasons here so that if someone is searching in future, they can see what went wrong today and have a chance to figure out what's been fixed or is still broken.

I will look "sooner rather than later" to see if there's another registrar I can add DNSSEC support to, so that I can get the GetDomainCorrections API fixes in at least.

Whereas enabling DNSSEC via the web does all the registrar glue needed, enabling keys via the API does not. That alone would not be a show-stopper; it would just become a registrar action to be taken, but other API limitations block it. And the moment we take on the registrar-actions responsibility for DNSSEC, we would then need to be able to make changes in future, which includes safety checks around roll-overs etc., which is a much bigger can of worms to open. Nevertheless, I x-rayed the can of worms by asking Gandi Support some other questions.


This is one email to Support and one reply.

Me:

If a domain has Gandi as the registrar and DNS provider, does anything need to be done after the POST to /v5/livedns/domains/{fqdn}/keys for the key to start being used? I can't find any API documentation, for LiveDNS or the Domains API, to activate the use of a given key. Should it be automatic? On what sort of timescale?

Gandi:

For now, our API is still under development and not all methods are available yet. So you can generate KSK and ZSK keys, but you can't automatically activate DNSSEC with these keys via API.

You have to connect to your Gandi v5 account and then activate DNSSEC as described on this page of our documentation: https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html

Me:

If a domain does have a DNSSEC key, is there a way to reliably determine via your APIs if the key is still registered with the parent zone via DS records, or in a delay window after the key was present, to know that it's safe to delete now? Or does the act of asking for it to be deleted leave it still in use until the relevant timers all expire, so that everything happens safely automatically?

Gandi:

For the same reason as above, it's not possible for now, but it will be in the future.

Me:

Via the API, I have created a DNSSEC signing key (UUID "cf93bc6b-ad48-4237-b0e4-bbff30cfb422") for "pennocktech.us". Via the web interface, I can find no sign of this. I still get prompted to enable DNSSEC (and get told this will create a new key).

Is the v5 interface current and complete for DNSSEC or should I be using some other API?

Gandi:

DNSSEC is marked as inactive because your key was created on LiveDNS server only, and was not pushed to the registry.

Your keys won't be displayed on this page if you use LiveDNS, and you will only be able to manage these keys through the API. It's a choice which was made on our side, for our less technical customers.

Me:

If a domain is hosted elsewhere and I have a DNSKEY (and so can generate whatever DS keys are needed), how do I register these records with Gandi via the API? I can find nothing in https://api.gandi.net/docs/domains/ documenting DNSKEY management.

Gandi:

Here again, it's not available yet, but it will be in the future.

I am at your disposal should you need any further information.


So: there's no API to manage DS records for delegation on the registrar side, while the DNS side can't auto-enable DNSSEC; it has to be done via the web UI, and the controls are both too fine-grained and insufficient.

Because the API exposes individual DNSSEC keys, we're responsible for all tasks around rollover, but the API doesn't provide anywhere near enough features to actually manage any of this.

Compare/contrast to DNSimple where we enable DNSSEC and then everything else, including key rollovers, is their responsibility.

philpennock avatar Mar 09 '20 18:03 philpennock
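The safety check the comment above asks Gandi for (is this key still referenced by the parent's DS records, so that deleting it would break validation?) can be done client-side once the parent's DS set has been fetched. This is an added example, not code from dnscontrol or from the thread; the `DNSKEY`/`DS` types and `StillDelegated` are assumed names, and obtaining the parent's DS records (via a DNS query or registrar API) is left to the caller.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)
// DNSKEY holds DNSKEY RDATA (RFC 4034 section 2); PublicKey is the base64-decoded key material.
type DNSKEY struct {
	Flags     uint16
	Algorithm uint8
	PublicKey []byte
}
type DS struct {
	KeyTag                uint16
	Algorithm, DigestType uint8
	Digest                string // hex, as published by the parent zone (RFC 4034 section 5)
}
func (k DNSKEY) rdata() []byte { // wire-format RDATA; the protocol byte is always 3
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, k.Algorithm}, k.PublicKey...)
}
// KeyTag computes the key tag per RFC 4034 Appendix B (16-bit sum with carry folded back in).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		ac += uint32(c) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}
func wireName(name string) []byte { // canonical lowercase wire form of an owner name
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}
// ToDS derives the SHA-256 DS (digest type 2, RFC 4509): SHA-256(owner name | DNSKEY RDATA).
func (k DNSKEY) ToDS(owner string) DS {
	sum := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return DS{k.KeyTag(), k.Algorithm, 2, hex.EncodeToString(sum[:])}
}
// StillDelegated reports whether the parent's DS set still references k; if it does,
// deleting the key from the zone would break validation for every name under it.
func StillDelegated(owner string, k DNSKEY, parent []DS) bool {
	want := k.ToDS(owner)
	for _, d := range parent {
		if d.DigestType == 2 && d.KeyTag == want.KeyTag && d.Algorithm == want.Algorithm && strings.EqualFold(d.Digest, want.Digest) {
			return true
		}
	}
	return false
}
```

A delete-key correction would refuse to run while `StillDelegated` is true; the check only covers SHA-256 DS records, so a parent publishing only SHA-1 or SHA-384 digests must be treated as "unknown", not "safe".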

Related: https://github.com/StackExchange/dnscontrol/issues/747 https://github.com/StackExchange/dnscontrol/issues/752

tlimoncelli avatar May 30 '20 15:05 tlimoncelli

Update: GenerateDomainCorrections() is replaced by GetZoneRecords() and GetZoneRecordsCorrections().

tlimoncelli avatar May 03 '23 21:05 tlimoncelli

This is stale. I'm closing this. Please re-open if needed. Thanks!

tlimoncelli avatar Dec 14 '23 20:12 tlimoncelli