WIP: Add DNS over TLS support
Add DNS over TLS support using Unbound as a local resolver. This includes new options on both server and client side.
- --dns-over-tls: enable DNS over TLS support. This option is present on both client and server. It deploys Unbound and configures BIND on the server to receive DoT requests.
- --dot-forwarder: the upstream DNS server with DoT support. It must be specified in the format 1.2.3.4#dns.server.test
- --dns-over-tls-key and --dns-over-tls-cert: in case the user prefers to have the DoT certificate in BIND generated by themselves. If these are empty, IPA CA is used instead to request a new certificate.
Removed design commit as it will be handled in a separate PR https://github.com/freeipa/freeipa/pull/7384
Thanks for testing @varunmylaraiah, reinstall is fixed now.
Hi, is there some RPM/copr build I can use for testing?
Is it possible to enable DoT after installation or only during installation?
Hi @pbrezina
I maintain the https://copr.fedorainfracloud.org/coprs/antorres/freeipa-unbound-dns/ repo with the updated build from this repo. DoT can be enabled after installation using ipa-dns-install.
Cool, ipa-dns-install --dns-over-tls --dot-forwarder=1.1.1.1#one.one.one.one on a running system works nicely. It might be good to document the format of --dot-forwarder (ip#hostname). And the man page does not seem to be updated; is that intentional so far?
Nice catch @pbrezina, I've updated manpages.
Currently, --dns-over-tls implies that port 53 is inaccessible from the outside. This is the end goal, but there will be a transition period where some clients will talk over 53, some over DoT (including clients on older distros). There should be an option to allow/disable 53 during ipa-dns-install as well as in DNS configuration wui/cli. This behavior (whatever the default will be) must be documented.
I've separated spec changes and PRCI definitions into their own commits for easier backporting.
green run: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/c6e0fd7e-b7c9-11ef-ba7e-fa163efeebc0/ Dropping temp commit.
Green run with latest changes: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/8a5b6b96-dd71-11ef-8e92-fa163e61f856/ Dropping temp commit again.
Also, when we configure unbound, in the output shown by ipa-client-install we should provide guidance. Something like "DNS encryption support was enabled, with policy '%s'. Unbound is configured to listen on 127.0.0.55:53 and forward to upstream DoT servers."
When doing client install, I am unable to enroll into DoT-provisioned IPA because the client cannot resolve anything when using --dns-policy=enforced by the server.
2025-02-06T20:28:32Z DEBUG [IPA Discovery]
2025-02-06T20:28:32Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=c1.edns1.test
2025-02-06T20:28:32Z DEBUG Start searching for LDAP SRV record in "edns1.test" (domain of the hostname) and its sub-domains
2025-02-06T20:28:32Z DEBUG Search DNS for SRV record of _ldap._tcp.edns1.test
[hangs at this point until times out, doing enumeration of the root name servers trying to find the requested name]
I think we need:
- also provide the --dot-forwarder option to the client
- if --dns-over-tls and --dot-forwarder are available, make sure to set up unbound before performing any IPA server search in the client installer
- add --dns-over-tls-cert to ipa-client-install to allow passing an explicit DoT certificate chain for the enforced DNS policy.
[root@c1 /]# dig +short +tls srv _ldap._tcp.edns1.test @192.168.159.2
0 100 389 m1.edns1.test.
[root@c1 /]# dig +short srv _ldap._tcp.edns1.test @192.168.159.2
;; communications error to 192.168.159.2#53: connection refused
;; communications error to 192.168.159.2#53: connection refused
;; communications error to 192.168.159.2#53: connection refused
;; no servers could be reached
If I specify ipa-server-install --dns-over-tls --dns-policy=relaxed but do not specify --dot-forwarder, I later get
File "/usr/lib/python3.13/site-packages/ipaserver/install/server/install.py", line 1020, in install
dns.install(False, False, options)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipaserver/install/dns.py", line 459, in install
_setup_dns_over_tls(options)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipaserver/install/dns.py", line 132, in _setup_dns_over_tls
forward_addrs = ["forward-addr: %s" % fw for fw in options.dot_forwarders]
^^^^^^^^^^^^^^^^^^^^^^
2025-02-10T13:41:28Z DEBUG The ipa-server-install command failed, exception: TypeError: 'NoneType' object is not iterable
2025-02-10T13:41:28Z ERROR 'NoneType' object is not iterable
I think this could be addressed by skipping forwarders if they aren't specified. This is needed for hermetic setups where IPA DNS server is the root of DNS in the test lab, for example. Or for configurations where we have pre-defined forwarders.
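The two points raised in this thread, the ip#hostname format of --dot-forwarder from the description and the TypeError above when no forwarder is given, come together in the small helper below. It is an added example written for this discussion, not FreeIPA's code: parse_dot_forwarder and unbound_forward_zone are hypothetical names, and the rendered stanza uses Unbound's documented forward-addr syntax (IP@port#authname) with port 853 spelled out.

```python
import ipaddress
import re

# Hypothetical helper (added example, not FreeIPA's own code) for the
# "ip#hostname" form of --dot-forwarder and the Unbound config it feeds.

_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_dot_forwarder(value):
    """Split '1.2.3.4#dns.server.test' into (ip, auth_name).

    The hostname is mandatory: Unbound uses it to verify the upstream's
    TLS certificate, so a bare IP would silently weaken DoT.
    """
    ip_str, sep, host = value.partition("#")
    if not sep or not host:
        raise ValueError("expected ip#hostname, got %r" % (value,))
    ip = ipaddress.ip_address(ip_str)  # ValueError on a malformed address
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError("invalid TLS authentication name %r" % (host,))
    return str(ip), host


def unbound_forward_zone(dot_forwarders):
    """Render Unbound's forward-zone stanza for the given DoT upstreams.

    None or [] yields no stanza instead of a TypeError, matching the fix
    suggested in the thread for hermetic setups with no forwarder.
    """
    if not dot_forwarders:
        return ""
    lines = ["forward-zone:", '    name: "."', "    forward-tls-upstream: yes"]
    for fw in dot_forwarders:
        ip, host = parse_dot_forwarder(fw)
        # Port 853 is spelled out so the upstream is never contacted on 53.
        lines.append("    forward-addr: %s@853#%s" % (ip, host))
    return "\n".join(lines) + "\n"
```

With no forwarder configured the resolver has nowhere to send queries, so outside names fail with SERVFAIL exactly as observed later in the thread; that is the intended behaviour, not a crash.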
temp_commit is green: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/1faab306-e7d0-11ef-afe9-fa163eb9ba11/
I removed temp_commit, @abbra once CI is finished, this is ready.
I re-tested my use case with an intentionally unspecified DoT forwarder and got the IPA server properly deployed. It didn't resolve anything outside because unbound returned SERVFAIL as there was no forwarder to talk to, but this is expected.
master:
- 3de127433c5552c1f9f82c6bb73f2a32caa03e9b Add DNS over TLS support
- 62c6c09689ad4e6f793a278c1a5637b1e7e60c3b ipatests: add tests for DNS over TLS
- 4d0aacaa05eacff9cb95c830a256de9381f7c56b PRCI: add definitions for DNS over TLS tests
- 432390086309b831f969c9f5892cb0a3ff2cad7e spec: add unbound requirement and template file
Hi @antoniotorresm
a manual backport is required for ipa-4-12 (probably because of the PRCI nightly definitions). Can you handle it? Thanks