Commit 06fbec8b authored by Ales Mrazek's avatar Ales Mrazek

Added new IPv6 regex (fixes #3); trust-anchor correction in generator and converter

parent f985e9fb
Pipeline #41798 passed with stages
in 58 seconds
......@@ -88,19 +88,19 @@ module ``socket`` is used to ask for IP address of this Name. For Unbound is use
# DataModel:
"options": {
"glue-checking": "strict" | "normal" | "permissive",
"glue-checking": true | false,
}
# KnotResolver:
mode('strict' | 'normal' | 'permissive') # Conversion: no conversion
mode('strict' | 'normal' | 'permissive') # Conversion: true -> "strict"
false -> "normal"
# Unbound:
harden-glue: yes | no # Conversion: "strict" -> yes
# "normal" | "permissive" -> no
harden-glue: yes | no # Conversion: no conversion
Knot Resolver has three options of ``glue-checking``, but to simplify the data model, there is conversion to two options like it is in Unbound.
This setting is taken directly from the Knot resolver.
So there is no conversion to the Knot Resolver configuration.
Unbound has only two options for ``glue-checking``.
logging
^^^^^^^
......
......@@ -43,7 +43,7 @@
}
],
"options": {
"glue-checking": "strict",
"glue-checking": true,
"qname-minimisation": true,
"query-loopback": false
}
......@@ -52,25 +52,26 @@
"verbosity": 2
},
"dnssec": {
"trust-anchors": {
"key-files": [
{
"domain": ".",
"file": "/var/tmp/root.keys",
"read-only": false
}
]
},
"trust-anchors": [
{
"domain": ".",
"key-file": "/var/tmp/root.keys",
"auto-update": true
}
],
"negative-trust-anchors": [
"bad.example.com",
"worse.example.com"
]
},
"cache": {
"max-size": "104857600",
"max-size": 104857600,
"max-ttl": 172800,
"min-ttl": 0
},
"debugging":{
"cznic-resolver-unbound:val-override-date": "2018-10-28T13:15:30Z"
},
"dns64": {
"prefix": "64:ff9b::/96"
}
......
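Review bot: The example trust anchor is `"key-file": "/var/tmp/root.keys"` paired with `"auto-update": true`, which means the resolver will maintain its RFC 5011 key state in a world-writable temporary directory; a local user who creates or replaces that file before the resolver does can substitute the root trust anchor and have forged DNSSEC chains validate. Unless this file is only ever consumed by the test-suite, point the example at a directory owned by the resolver user (e.g. under `/var/lib/`) and make the accompanying documentation say that `auto-update: true` means the daemon writes to that path. Note also that the removed `"read-only": false` has the inverse polarity of the new `"auto-update": true`, so anyone migrating a hand-written config must flip the value, not just rename the key — worth a line in the docs or changelog.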
......@@ -82,15 +82,13 @@
"verbosity": 2
},
"dnssec": {
"trust-anchors": {
"key-files": [
{
"domain": ".",
"file": "/var/tmp/root.keys",
"read-only": false
}
]
},
"trust-anchors": [
{
"domain": ".",
"key-file": "/var/tmp/root.keys",
"auto-update": true
}
],
"negative-trust-anchors": [
"bad.example.com",
"worse.example.com"
......
......@@ -20,7 +20,7 @@ class Converter:
self.network = {'listen-interfaces': []}
self.resolver = {'stub-zones': [], 'options': {}}
self.logging = {}
self.dnssec = {'trust-anchors': {}, 'negative-trust-anchors': []}
self.dnssec = {'trust-anchors': [], 'negative-trust-anchors': []}
self.cache = {}
self.debugging = {}
self.dns64 = {}
......@@ -40,20 +40,27 @@ class Converter:
ipv4_addr = compile('^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$')
# TODO: not working very well, for example 20001:503:ba3e::2:30 and 20001:503:ba3e::::2:30 are allowed
ipv6_addr = compile('^(((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ ')|(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)(%.+)?$')
ipv6_prefix = compile('^((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ '(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))$')
ipv6_addr = compile('^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}'
+ '|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}'
+ ':[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4})'
+ '{1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}'
+ ':){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}'
+ '|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:'
+ '(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|'
+ '(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|'
+ '([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}'
+ '(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$')
ipv6_prefix = compile('^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}'
+ '|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}'
+ ':[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4})'
+ '{1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}'
+ ':){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}'
+ '|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:'
+ '(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|'
+ '(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|'
+ '([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}'
+ '(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))$')
@staticmethod
def _ignore_comments(line: str):
......@@ -217,11 +224,10 @@ class Converter:
def _at_anchorfile(self, key: str, value: str) -> None:
self.dnssec['trust-anchors']['key-files'] = []
domain = "domain" + str(self.ta_domain_count)
self.dnssec['trust-anchors']['key-files'].append({
self.dnssec['trust-anchors'].append({
'domain': domain,
'file': str(value)})
'key-file': str(value)})
self.ta_domain_count += 1
def _domain_insecure(self, key: str, value: str) -> None:
......@@ -429,3 +435,5 @@ class Converter:
"stub-addr": "_stubaddr",
"stub-host": "_stubhost",
}
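Review bot: The new `ipv6_addr` and `ipv6_prefix` patterns put `\.` inside ordinary (non-raw) string literals, which Python treats as an invalid escape sequence (DeprecationWarning since 3.6, SyntaxWarning from 3.12) and only works because the unknown escape is passed through unchanged; prefix every fragment with `r'...'` (the pre-existing `ipv4_addr` has the same issue). The two patterns are also the same ten-line expression repeated verbatim, so a later fix to one will silently diverge from the other; build both from one shared fragment, e.g. `_IPV6 = r'(...)'`, `ipv6_addr = compile('^' + _IPV6 + '$')`, `ipv6_prefix = compile('^' + _IPV6 + r'(/([0-9]|[0-9]{2}|1[0-1][0-9]|12[0-8]))$')`. The `%zone` branch only follows a literal `fe80:` prefix and accepts only `[0-9a-zA-Z]` zone names, so link-local addresses scoped to an interface such as `eth0.100` are rejected — if that is intended it deserves a comment, otherwise widen the character class. The `Converter` class header and the rest of its body lie outside this hunk.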
......@@ -213,22 +213,18 @@ class Generator:
def _dnssec_kresd(self, dnssec_conf: dict) -> None:
# trust-anchors
if 'trust-anchors' in dnssec_conf:
# key-files
if 'key-files' in dnssec_conf['trust-anchors']:
for kf in dnssec_conf['trust-anchors']['key-files']:
# domain
if 'domain' in kf:
pass
# file
if 'file' in kf:
# read-only
if 'read-only' in kf:
self.kresd_conf += str("trust_anchors.add_file('{0}',{1})\n".format(kf['file'],
kf['read-only']))
for ta in dnssec_conf['trust-anchors']:
if 'domain' in ta:
pass
# file
if 'key-file' in ta:
# read-only
if 'auto-update' in ta:
self.kresd_conf += str("trust_anchors.add_file('{0}',{1})\n".format(ta['key-file'],
not ta['auto-update']))
else:
self.kresd_conf += str("trust_anchors.add_file('{0}')\n".format(kf['file']))
else:
self.kresd_conf += str("trust_anchors.add_file('{0}')\n".format(ta['key-file']))
# negative-trust-anchors
if 'negative-trust-anchors' in dnssec_conf:
......@@ -283,9 +279,8 @@ class Generator:
temp += "\t['" + str(origin) + "'] = {\n" \
"\t\turl = '" + str(url) + "', \n" \
"\t\tca_file = '" + str(ca) + "', \n" \
"\t\tinterval = " + str(
interval) + "\n\t}"
"\t\tca_file = '" + str(ca) + \
"', \n\t\tinterval = " + str(interval) + "\n\t}"
self.kresd_conf += "prefill.config({\n" + temp + "\n})\n"
......@@ -470,18 +465,16 @@ class Generator:
def _dnssec_unbound(self, dnssec_conf: dict) -> None:
# trust-anchors
if 'trust-anchors' in dnssec_conf:
# key-files
if 'key-files' in dnssec_conf['trust-anchors']:
for kf in dnssec_conf['trust-anchors']['key-files']:
# domain
if 'domain' in kf:
pass
# file
if 'file' in kf:
self.server_unbound_conf += str("\tauto-trust-anchor-file: \"{}\"\n".format(kf['file']))
# read-only
if 'read-only' in kf:
pass
for ta in dnssec_conf['trust-anchors']:
# domain
if 'domain' in ta:
pass
# file
if 'key-file' in ta:
self.server_unbound_conf += str("\tauto-trust-anchor-file: \"{}\"\n".format(ta['key-file']))
# read-only
if 'read-only' in ta:
pass
# negative-trust-anchors
if 'negative-trust-anchors' in dnssec_conf:
......
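Review bot: In `_dnssec_unbound` the `if 'read-only' in ta: pass` check still looks for the key the data model just renamed to `auto-update`, so `"auto-update": false` is silently ignored and every anchor is emitted as `auto-trust-anchor-file:`, which makes Unbound perform RFC 5011 updates and require write access to the file. Emit the static directive for the read-only case instead: `directive = 'auto-trust-anchor-file' if ta.get('auto-update', True) else 'trust-anchor-file'` and format that name into the line. The kresd branch in the first hunk has the parallel problem: `str(not ta['auto-update'])` yields Python's `True`/`False`, which is not a Lua boolean (an undefined global, presumably read as nil), so the read-only flag is dropped there too; use `str(not ta['auto-update']).lower()`. Both branches also interpolate `ta['key-file']` into a quoted config line without any escaping, so a path containing a quote character would break or rewrite the generated configuration — validate the path (e.g. reject quotes and newlines) before emitting it. `_dnssec_unbound` continues past the hunk.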
......@@ -3,15 +3,14 @@
"module-set-id": "e595da11ace92c0d881995fa7e56bbe86f1f48e9",
"module": [
{
"name": "cznic-dns-types",
"revision": "2018-05-14",
"namespace": "https://www.nic.cz/ns/yang/dns-types",
"conformance-type": "implement",
"schema": "https://gitlab.labs.nic.cz/jetconf/jetconf-resolver/blob/master/yang-modules/cznic-dns-types.yang"
"name": "cznic-deckard",
"revision": "2018-10-26",
"namespace": "https://www.nic.cz/ns/yang/deckard",
"conformance-type": "implement"
},
{
"name": "cznic-resolver-common",
"revision": "2018-07-27",
"revision": "2018-10-29",
"feature": [
"set-group"
],
......@@ -19,31 +18,47 @@
"conformance-type": "implement"
},
{
"name": "cznic-deckard",
"revision": "2018-06-06",
"namespace": "https://www.nic.cz/ns/yang/deckard",
"name": "cznic-resolver-knot",
"revision": "2018-10-26",
"namespace": "https://www.nic.cz/ns/yang/resolver-knot",
"conformance-type": "implement"
},
{
"name": "cznic-resolver-unbound",
"revision": "2018-10-26",
"namespace": "https://www.nic.cz/ns/yang/resolver-unbound",
"conformance-type": "implement"
},
{
"name": "cznic-dns-parameters",
"revision": "2018-10-26",
"namespace": "https://www.nic.cz/ns/yang/dns-parameters",
"conformance-type": "import"
},
{
"name": "cznic-dns-rdata",
"revision": "2018-10-29",
"namespace": "https://www.nic.cz/ns/yang/dns-rdata",
"conformance-type": "import"
},
{
"name": "iana-dns-class-rr-type",
"revision": "2018-10-26",
"namespace": "urn:ietf:params:xml:ns:yang:iana-dns-class-rr-type",
"conformance-type": "import"
},
{
"name": "ietf-inet-types",
"revision": "2013-07-15",
"namespace": "urn:ietf:params:xml:ns:yang:ietf-inet-types",
"conformance-type": "import",
"schema": "https://raw.githubusercontent.com/YangModels/yang/master/standard/ietf/RFC/ietf-inet-types.yang"
},
{
"name": "ietf-yang-library",
"revision": "2016-06-21",
"namespace": "urn:ietf:params:xml:ns:yang:ietf-yang-library",
"conformance-type": "implement"
"conformance-type": "import"
},
{
"name": "ietf-yang-types",
"revision": "2013-07-15",
"namespace": "urn:ietf:params:xml:ns:yang:ietf-yang-types",
"conformance-type": "import",
"schema": "https://github.com/YangModels/yang/blob/master/standard/ietf/RFC/ietf-yang-types.yang"
"conformance-type": "import"
}
]
}
}
}
\ No newline at end of file