From 2dc78b7a6d2071b9fa706e616120388bc5064987 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Feb 2023 02:12:40 +0100 Subject: [PATCH 1/4] nixos/tests/kea: Test dhcp-ddns against knot Tests the propagation of DHCP hostnames into a DNS zone. --- nixos/tests/kea.nix | 120 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 115 insertions(+), 5 deletions(-) diff --git a/nixos/tests/kea.nix b/nixos/tests/kea.nix index b1d5894cc7c..b4095893b48 100644 --- a/nixos/tests/kea.nix +++ b/nixos/tests/kea.nix @@ -1,3 +1,10 @@ +# This test verifies DHCPv4 interaction between a client and a router. +# For successful DHCP allocations a dynamic update request is sent +# towards a nameserver to allocate a name in the lan.nixos.test zone. +# We then verify whether client and router can ping each other, and +# that the nameserver can resolve the clients fqdn to the correct IP +# address. + import ./make-test-python.nix ({ pkgs, lib, ...}: { meta.maintainers = with lib.maintainers; [ hexa ]; @@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { virtualisation.vlans = [ 1 ]; networking = { - useNetworkd = true; useDHCP = false; firewall.allowedUDPPorts = [ 67 ]; }; systemd.network = { + enable = true; networks = { "01-eth1" = { name = "eth1"; networkConfig = { - Address = "10.0.0.1/30"; + Address = "10.0.0.1/29"; }; }; }; @@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { }; subnet4 = [ { - subnet = "10.0.0.0/30"; + subnet = "10.0.0.0/29"; pools = [ { - pool = "10.0.0.2 - 10.0.0.2"; + pool = "10.0.0.3 - 10.0.0.3"; } ]; } ]; + + # Enable communication between dhcp4 and a local dhcp-ddns + # instance. + # https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4 + dhcp-ddns = { + enable-updates = true; + }; + + ddns-send-updates = true; + ddns-qualifying-suffix = "lan.nixos.test."; }; }; + + services.kea.dhcp-ddns = { + enable = true; + settings = { + forward-ddns = { + # Configure updates of a forward zone named `lan.nixos.test` + # hosted at the nameserver at 10.0.0.2 + # https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers + ddns-domains = [ { + name = "lan.nixos.test."; + # Use a TSIG key in production! + key-name = ""; + dns-servers = [ { + ip-address = "10.0.0.2"; + port = 53; + } ]; + } ]; + }; + }; + }; + }; + + nameserver = { config, pkgs, ... }: { + virtualisation.vlans = [ 1 ]; + + networking = { + useDHCP = false; + firewall.allowedUDPPorts = [ 53 ]; + }; + + systemd.network = { + enable = true; + networks = { + "01-eth1" = { + name = "eth1"; + networkConfig = { + Address = "10.0.0.2/29"; + }; + }; + }; + }; + + services.resolved.enable = false; + + # Set up an authoritative nameserver, serving the `lan.nixos.test` + # zone and configure an ACL that allows dynamic updates from + # the router's ip address. + # This ACL is likely insufficient for production usage. Please + # use TSIG keys. + services.knot = let + zone = pkgs.writeTextDir "lan.nixos.test.zone" '' + @ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800 + @ NS nameserver + nameserver A 10.0.0.3 + router A 10.0.0.1 + ''; + zonesDir = pkgs.buildEnv { + name = "knot-zones"; + paths = [ zone ]; + }; + in { + enable = true; + extraArgs = [ + "-v" + ]; + extraConfig = '' + server: + listen: 0.0.0.0@53 + + log: + - target: syslog + any: debug + + acl: + - id: dhcp_ddns + address: 10.0.0.1 + action: update + + template: + - id: default + storage: ${zonesDir} + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: lan.nixos.test + file: lan.nixos.test.zone + acl: [dhcp_ddns] + ''; + }; + }; client = { config, pkgs, ... }: { @@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { router.wait_for_unit("kea-dhcp4-server.service") client.wait_for_unit("systemd-networkd-wait-online.service") client.wait_until_succeeds("ping -c 5 10.0.0.1") - router.wait_until_succeeds("ping -c 5 10.0.0.2") + router.wait_until_succeeds("ping -c 5 10.0.0.3") + nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 | grep -q 10.0.0.3") ''; }) From 66579946d38ee882304f0e96235423290c65dec9 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Feb 2023 02:14:30 +0100 Subject: [PATCH 2/4] knot-dns: Test interaction with kea dhcp-ddns Tests dynamic updates from kea's dhcp-ddns server. --- pkgs/servers/dns/knot-dns/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix index 539dbd6a806..9ed93e623b9 100644 --- a/pkgs/servers/dns/knot-dns/default.nix +++ b/pkgs/servers/dns/knot-dns/default.nix @@ -59,7 +59,7 @@ stdenv.mkDerivation rec { passthru.tests = { inherit knot-resolver; } // lib.optionalAttrs stdenv.isLinux { - inherit (nixosTests) knot; + inherit (nixosTests) knot kea; # Some dependencies are very version-sensitive, so the might get dropped # or embedded after some update, even if the nixPackagers didn't intend to. # For non-linux I don't know a good replacement for `ldd`. From 1fc6f2c41209b51f7c9b4ea87f7ab8e3d53cc275 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Feb 2023 02:41:25 +0100 Subject: [PATCH 3/4] nixos/tests/knot: Use automatic-acl and drop explicit acls This is more in line with expected production usage and if people use this tests as a reference it should reflect that. --- nixos/tests/knot.nix | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix index 203fd03fac2..820ee21c42f 100644 --- a/nixos/tests/knot.nix +++ b/nixos/tests/knot.nix @@ -31,7 +31,7 @@ let # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store! tsigFile = pkgs.writeText "tsig.conf" '' key: - - id: slave_key + - id: xfr_key algorithm: hmac-sha256 secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s= ''; @@ -64,22 +64,17 @@ in { server: listen: 0.0.0.0@53 listen: ::@53 - - acl: - - id: slave_acl - address: 192.168.0.2 - key: slave_key - action: transfer + automatic-acl: true remote: - id: slave address: 192.168.0.2@53 + key: xfr_key template: - id: default storage: ${knotZonesEnv} notify: [slave] - acl: [slave_acl] dnssec-signing: on # Input-only zone files # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 @@ -122,21 +117,16 @@ in { server: listen: 0.0.0.0@53 listen: ::@53 - - acl: - - id: notify_from_master - address: 192.168.0.1 - action: notify + automatic-acl: true remote: - id: master address: 192.168.0.1@53 - key: slave_key + key: xfr_key template: - id: default master: master - acl: [notify_from_master] # zonefileless setup # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2 zonefile-sync: -1 From 487b6a38f3af412550a0bdcdbb384f8635136752 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Feb 2023 02:47:52 +0100 Subject: [PATCH 4/4] nixos/tests/knot: Use more appropriate terminology --- nixos/tests/knot.nix | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix index 820ee21c42f..2ecbf69194b 100644 --- a/nixos/tests/knot.nix +++ b/nixos/tests/knot.nix @@ -43,7 +43,7 @@ in { nodes = { - master = { lib, ... }: { + primary = { lib, ... }: { imports = [ common ]; # trigger sched_setaffinity syscall @@ -67,14 +67,14 @@ in { automatic-acl: true remote: - - id: slave + - id: secondary address: 192.168.0.2@53 key: xfr_key template: - id: default storage: ${knotZonesEnv} - notify: [slave] + notify: [secondary] dnssec-signing: on # Input-only zone files # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 @@ -100,7 +100,7 @@ in { ''; }; - slave = { lib, ... }: { + secondary = { lib, ... }: { imports = [ common ]; networking.interfaces.eth1 = { ipv4.addresses = lib.mkForce [ @@ -120,13 +120,13 @@ in { automatic-acl: true remote: - - id: master + - id: primary address: 192.168.0.1@53 key: xfr_key template: - id: default - master: master + master: primary # zonefileless setup # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2 zonefile-sync: -1 @@ -164,19 +164,19 @@ in { }; testScript = { nodes, ... }: let - master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address; - master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address; + primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address; + primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address; - slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address; - slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address; + secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address; + secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address; in '' import re start_all() client.wait_for_unit("network.target") - master.wait_for_unit("knot.service") - slave.wait_for_unit("knot.service") + primary.wait_for_unit("knot.service") + secondary.wait_for_unit("knot.service") def test(host, query_type, query, pattern): @@ -185,7 +185,7 @@ in { assert re.search(pattern, out), f'Did not match "{pattern}"' - for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"): + for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"): with subtest(f"Interrogate {host}"): test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.") test(host, "A", "example.com", r"has no [^ ]+ record") @@ -201,6 +201,6 @@ in { test(host, "RRSIG", "www.example.com", r"RR set signature is") test(host, "DNSKEY", "example.com", r"DNSSEC key is") - master.log(master.succeed("systemd-analyze security knot.service | grep -v '✓'")) + primary.log(primary.succeed("systemd-analyze security knot.service | grep -v '✓'")) ''; })