zydronium/getnamingo-registry
1
0
Fork 0
mirror of https://github.com/getnamingo/registry.git synced 2025-05-12 09:48:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

DNSSEC housekeeping and more automation

Browse source
This commit is contained in:
Pinga 2025-03-11 19:18:15 +02:00
parent d4a935055f
commit 57c9f62052
2 changed files with 204 additions and 143 deletions
Download patch file Download diff file Expand all files Collapse all files

190
cp/app/Controllers/SystemController.php
View file

@ -1012,83 +1012,137 @@ class SystemController extends Controller
$secureTld = $tld['secure']; $secureTld = $tld['secure'];
if ($secureTld === 1) { if ($secureTld === 1) {
$zone = ltrim($tld['tld'], '.'); if (file_exists('/usr/sbin/rndc')) {
$statusOutput = shell_exec("sudo rndc dnssec -status " . escapeshellarg($zone) . " 2>&1"); $zone = ltrim($tld['tld'], '.');
$statusOutput = shell_exec("sudo rndc dnssec -status " . escapeshellarg($zone) . " 2>&1");
if (!$statusOutput) { if (!$statusOutput) {
$dnssecData = ['error' => "Unable to fetch DNSSEC status for $zone."]; $dnssecData = ['error' => "Unable to fetch DNSSEC status for $zone."];
} else { } else {
// Extract all KSKs regardless of algorithm // Extract all KSKs regardless of algorithm
preg_match_all('/key: (\d+) \((\w+)\), KSK/', $statusOutput, $matches, PREG_SET_ORDER); preg_match_all('/key: (\d+) \((\w+)\), KSK/', $statusOutput, $matches, PREG_SET_ORDER);
$dnssecData = [ $dnssecData = [
'zoneName' => $tld['tld'], 'zoneName' => $tld['tld'],
'timestamp' => date('Y-m-d H:i:s'), 'timestamp' => date('Y-m-d H:i:s'),
'keys' => [], 'keys' => [],
];
foreach ($matches as $match) {
$keyId = $match[1];
$algorithm = $match[2];
// Convert algorithm name to corresponding number for dnssec-dsfromkey
$algoMap = [
'RSASHA1' => '005', 'RSASHA1-NSEC3-SHA1' => '007',
'RSASHA256' => '008', 'RSASHA512' => '010',
'ECDSAP256SHA256' => '013', 'ECDSAP384SHA384' => '014',
'ED25519' => '015', 'ED448' => '016'
]; ];
$algoNum = $algoMap[$algorithm] ?? '000'; // Default to unknown if missing
// Determine if key is active or in rollover state foreach ($matches as $match) {
preg_match("/key: $keyId.*?(?=\\nkey:|\\z)/s", $statusOutput, $keyBlockMatch); $keyId = $match[1];
$keyBlock = $keyBlockMatch[0] ?? ''; $algorithm = $match[2];
// Skip keys explicitly removed from the zone // Convert algorithm name to corresponding number for dnssec-dsfromkey
if (strpos($keyBlock, 'Key has been removed from the zone') !== false) { $algoMap = [
continue; 'RSASHA1' => '005', 'RSASHA1-NSEC3-SHA1' => '007',
'RSASHA256' => '008', 'RSASHA512' => '010',
'ECDSAP256SHA256' => '013', 'ECDSAP384SHA384' => '014',
'ED25519' => '015', 'ED448' => '016'
];
$algoNum = $algoMap[$algorithm] ?? '000'; // Default to unknown if missing
// Determine if key is active or in rollover state
preg_match("/key: $keyId.*?(?=\\nkey:|\\z)/s", $statusOutput, $keyBlockMatch);
$keyBlock = $keyBlockMatch[0] ?? '';
// Skip keys explicitly removed from the zone
if (strpos($keyBlock, 'Key has been removed from the zone') !== false) {
continue;
}
// Determine key status accurately
$keyStatus = strpos($keyBlock, 'key signing: yes') !== false ? 'Active' : 'Pending Rollover';
// Extract next rollover date
preg_match('/Next rollover scheduled on ([^\\n]+)/', $keyBlock, $rolloverMatch);
$nextRollover = $rolloverMatch[1] ?? null;
// Extract retirement date, if present
preg_match('/Key.*removed.*on ([^\\n]+)/', $keyBlock, $retirementMatch);
$retirementDate = $retirementMatch[1] ?? null;
// Extract published date
preg_match('/published:\s+yes\s+-\s+since\s+([^\n]+)/', $keyBlock, $publishedMatch);
$publishedDate = isset($publishedMatch[1]) ? trim($publishedMatch[1]) : null;
// Extract DS status ("rumoured" or "omnipresent")
preg_match('/- ds:\s+(\w+)/', $keyBlock, $dsMatch);
$dsStatus = $dsMatch[1] ?? null;
// Extract DS record for this key
$dsRecord = shell_exec("dnssec-dsfromkey -2 /var/lib/bind/K{$zone}.+{$algoNum}+{$keyId}.key");
$dsRecord = $dsRecord ? trim($dsRecord) : 'N/A';
// Append key details
$dnssecData['keys'][] = [
'key_id' => $keyId,
'algorithm' => $algorithm,
'ds_record' => $dsRecord,
'status' => $keyStatus,
'timestamp' => date('Y-m-d H:i:s'),
'next_rollover' => $nextRollover,
'retirement_date' => $retirementDate,
'published_date' => $publishedDate,
'ds_status' => $dsStatus,
];
} }
// Determine key status accurately // If no keys were found, set an error message
$keyStatus = strpos($keyBlock, 'key signing: yes') !== false ? 'Active' : 'Pending Rollover'; if (empty($dnssecData['keys'])) {
$dnssecData = ['error' => "No DNSSEC keys found for $zone."];
// Extract next rollover date }
preg_match('/Next rollover scheduled on ([^\\n]+)/', $keyBlock, $rolloverMatch);
$nextRollover = $rolloverMatch[1] ?? null;
// Extract retirement date, if present
preg_match('/Key.*removed.*on ([^\\n]+)/', $keyBlock, $retirementMatch);
$retirementDate = $retirementMatch[1] ?? null;
// Extract published date
preg_match('/published:\s+yes\s+-\s+since\s+([^\n]+)/', $keyBlock, $publishedMatch);
$publishedDate = isset($publishedMatch[1]) ? trim($publishedMatch[1]) : null;
// Extract DS status ("rumoured" or "omnipresent")
preg_match('/- ds:\s+(\w+)/', $keyBlock, $dsMatch);
$dsStatus = $dsMatch[1] ?? null;
// Extract DS record for this key
$dsRecord = shell_exec("dnssec-dsfromkey -2 /var/lib/bind/K{$zone}.+{$algoNum}+{$keyId}.key");
$dsRecord = $dsRecord ? trim($dsRecord) : 'N/A';
// Append key details
$dnssecData['keys'][] = [
'key_id' => $keyId,
'algorithm' => $algorithm,
'ds_record' => $dsRecord,
'status' => $keyStatus,
'timestamp' => date('Y-m-d H:i:s'),
'next_rollover' => $nextRollover,
'retirement_date' => $retirementDate,
'published_date' => $publishedDate,
'ds_status' => $dsStatus,
];
} }
} elseif (file_exists('/usr/sbin/knotc')) {
$zone = ltrim($tld['tld'], '.');
$keyDir = '/etc/knot/keys';
// If no keys were found, set an error message // Use knotc to get key statuses
if (empty($dnssecData['keys'])) { $keyListOutput = shell_exec("sudo knotc zone-key list " . escapeshellarg($zone) . " 2>&1");
$dnssecData = ['error' => "No DNSSEC keys found for $zone."];
if (!$keyListOutput) {
$dnssecData = ['error' => "Unable to fetch DNSSEC status for $zone (Knot DNS)."];
} else {
preg_match_all('/([0-9]+)\s+KSK\s+(\w+)\s+(\w+)\s+(\w+)\s+([0-9T:-]+)/', $keyListOutput, $matches, PREG_SET_ORDER);
$dnssecData = [
'zoneName' => '.' . $zone,
'timestamp' => date('Y-m-d H:i:s'),
'keys' => [],
];
foreach ($matches as $match) {
$keyId = $match[1];
$algorithm = 'ED25519'; // Knot uses policy-defined algorithm
$keyStatus = ($match[2] === 'active') ? 'Active' : 'Pending Rollover';
$publishedDate = $match[5] ?? null;
// Extract DS record from keymgr
$dsRecord = shell_exec("keymgr ds " . escapeshellarg($zone) . " 2>/dev/null");
$dsRecord = $dsRecord ? trim($dsRecord) : 'N/A';
// Since Knot DNS doesn't explicitly show rollover in this output, set as null
$nextRollover = null;
$retirementDate = null;
// DS Status isn't directly shown; you might manually track submission
$dsStatus = null;
$dnssecData['keys'][] = [
'key_id' => $match[1],
'algorithm' => 'ED25519',
'ds_record' => $dsRecord,
'status' => (strpos($match[0], 'active') !== false ? 'Active' : 'Pending Rollover'),
'timestamp' => date('Y-m-d H:i:s'),
'next_rollover' => $nextRollover,
'retirement_date' => null,
'published_date' => $publishedDate,
'ds_status' => null,
];
}
if (empty($dnssecData['keys'])) {
$dnssecData = ['error' => "No DNSSEC keys found for $zone using Knot DNS."];
}
} }
} }
} else { } else {

157
docs/configuration.md
View file

@ -422,19 +422,17 @@ Create an A record pointing `sftp.namingo.org` → `<your-server-ip>`.
sftp -i icann_sftp_key sftpuser@sftp.namingo.org sftp -i icann_sftp_key sftpuser@sftp.namingo.org
``` ```
## 2. Recommended Components and Integrations ## 2. DNS Server Setup
This section outlines recommended components to enhance the functionality and reliability of your Namingo setup. These include essential services like DNS servers, monitoring tools, and other integrations that can help maintain a robust registry environment. ### 2.1. Hidden Master DNS with BIND
### 2.1. Setup Hidden Master DNS with BIND #### 2.1.1. Install BIND9 and its utilities:
#### Install BIND9 and its utilities:
```bash ```bash
apt install bind9 bind9-utils bind9-doc apt install bind9 bind9-utils bind9-doc
``` ```
#### Generate a TSIG key: #### 2.1.2. Generate a TSIG key:
Generate a TSIG key which will be used to authenticate DNS updates between the master and slave servers. **Note: replace ```test``` with your TLD.** Generate a TSIG key which will be used to authenticate DNS updates between the master and slave servers. **Note: replace ```test``` with your TLD.**
@ -454,9 +452,9 @@ key "test.key" {
Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/bind/named.conf.local```) Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/bind/named.conf.local```)
#### Configure the Named Configuration File (Please Choose One): #### 2.1.3. Named Configuration - Please Choose One:
1. Without DNSSEC: #### 2.1.3a. Unsigned zone (No DNSSEC):
Edit the named.conf.local file: Edit the named.conf.local file:
@ -489,7 +487,7 @@ Configure the `Zone Writer` in Registry Automation and run it manually the first
php /opt/registry/automation/write-zone.php php /opt/registry/automation/write-zone.php
``` ```
2. Using DNSSEC with BIND9: #### 2.1.3b. Signed zone (With DNSSEC):
Edit the named.conf.local file: Edit the named.conf.local file:
@ -544,7 +542,50 @@ php /opt/registry/automation/write-zone.php
**NB! Enable DNSSEC in the TLD management page from the control panel. Mode must be BIND9.** Then upload the DS record to IANA or the parent registry from the Control Panel TLD page. **NB! Enable DNSSEC in the TLD management page from the control panel. Mode must be BIND9.** Then upload the DS record to IANA or the parent registry from the Control Panel TLD page.
3. Using DNSSEC with OpenDNSSEC: **Optional: Configure BIND with PKCS#11 support
```bash
apt install softhsm2 opensc libengine-pkcs11-openssl
```
Edit `/etc/bind/named.conf.options` and add the following:
```bash
options {
// Existing options...
dnssec-policy "hsm-policy";
};
dnssec-policy "hsm-policy" {
keys {
ksk key-directory "pkcs11:token=YourTokenLabel" lifetime P1Y algorithm ecdsap256sha256;
zsk key-directory "pkcs11:token=YourTokenLabel" lifetime P2M algorithm ecdsap256sha256;
};
max-zone-ttl 86400;
dnskey-ttl 3600;
zone-propagation-delay 3600;
parent-propagation-delay 7200;
parent-ds-ttl 86400;
};
```
Replace `YourTokenLabel` with your actual HSM token label.
BIND will automatically generate keys within the device when configured correctly:
```bash
rndc loadkeys your.tld
```
You can verify the keys with tools provided by your HSM vendor or via standard PKCS#11 utilities:
```bash
softhsm2-util --show-slots
```
#### 2.1.3c. Signed zone (DNSSEC with OpenDNSSEC):
3. Using DNSSEC with :
Edit the named.conf.local file: Edit the named.conf.local file:
@ -614,7 +655,7 @@ Configure the `Zone Writer` in Registry Automation and run it manually the first
php /opt/registry/automation/write-zone.php php /opt/registry/automation/write-zone.php
``` ```
#### Logging: #### 2.1.4. Logging:
Place the contents below at `/etc/bind/named.conf.default-logging` and include the file in `/etc/bind/named.conf`: Place the contents below at `/etc/bind/named.conf.default-logging` and include the file in `/etc/bind/named.conf`:
@ -685,20 +726,20 @@ logging {
}; };
``` ```
#### Check BIND9 Configuration: #### 2.1.5. Check BIND9 Configuration:
```bash ```bash
named-checkconf named-checkconf
named-checkzone test /var/lib/bind/test.zone named-checkzone test /var/lib/bind/test.zone
``` ```
#### Restart BIND9 Service: #### 2.1.6. Restart BIND9 Service:
```bash ```bash
systemctl restart bind9 systemctl restart bind9
``` ```
#### Verify Zone Loading: #### 2.1.7. Verify Zone Loading:
Check the BIND9 logs to ensure that the .test zone is loaded without errors: Check the BIND9 logs to ensure that the .test zone is loaded without errors:
@ -706,53 +747,15 @@ Check the BIND9 logs to ensure that the .test zone is loaded without errors:
grep named /var/log/syslog grep named /var/log/syslog
``` ```
#### Setup DNSSEC KSK Rollover: ### 2.2. Hidden Master DNS with Knot DNS and DNSSEC
Create `/etc/systemd/system/dnssec-rollover.timer`: #### 2.2.1. Install Knot DNS and its utilities:
```bash
[Unit]
Description=Run DNSSEC rollover script every 12 hours
[Timer]
OnCalendar=*-*-* 00,12:00:00
Persistent=true
[Install]
WantedBy=timers.target
```
Then create `/etc/systemd/system/dnssec-rollover.service`:
```bash
[Unit]
Description=DNSSEC Rollover Script
[Service]
ExecStart=/opt/registry/automation/dnssec-rollover.sh
User=root
StandardOutput=append:/var/log/namingo/dnssec-rollover.log
StandardError=append:/var/log/namingo/dnssec-rollover.log
```
Enable and start the timer:
```bash
systemctl daemon-reload
systemctl enable --now dnssec-rollover.timer
```
This ensures **automatic execution every 12 hours** and logs output.
### 2.2. Setup Hidden Master DNS with Knot DNS and DNSSEC
#### Install Knot DNS and its utilities:
```bash ```bash
apt install knot knot-dnsutils apt install knot knot-dnsutils
``` ```
#### Generate a TSIG key: #### 2.2.2. Generate a TSIG key:
Generate a TSIG key which will be used to authenticate DNS updates between the master and slave servers. **Note: replace ```test``` with your TLD.** Generate a TSIG key which will be used to authenticate DNS updates between the master and slave servers. **Note: replace ```test``` with your TLD.**
@ -772,7 +775,7 @@ key:
Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/knot/knot.conf```) Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/knot/knot.conf```)
#### Configure DNSSEC Policy: #### 2.2.3. Configure DNSSEC Policy:
Add the DNSSEC policy to `/etc/knot/knot.conf`: Add the DNSSEC policy to `/etc/knot/knot.conf`:
@ -795,7 +798,7 @@ policy:
dnskey-ttl: 3600 dnskey-ttl: 3600
``` ```
#### Add your zone: #### 2.2.4. Add your zone:
Add the zone to `/etc/knot/knot.conf`: Add the zone to `/etc/knot/knot.conf`:
@ -860,14 +863,14 @@ key "test.key" {
}; };
``` ```
#### Installation of BIND9 #### 2.3.1. Installation of BIND9
```bash ```bash
apt update apt update
apt install bind9 bind9-utils bind9-doc apt install bind9 bind9-utils bind9-doc
``` ```
#### Add the TSIG key to the BIND Configuration #### 2.3.2. Add the TSIG key to the BIND Configuration
Create a directory to store zone files: Create a directory to store zone files:
@ -904,7 +907,7 @@ zone "test." {
Make sure to replace `192.0.2.1` with the IP address of your hidden master server and `base64-encoded-secret==` with the actual secret from your TSIG key. Make sure to replace `192.0.2.1` with the IP address of your hidden master server and `base64-encoded-secret==` with the actual secret from your TSIG key.
#### Adjusting Permissions and Ownership #### 2.3.3. Adjusting Permissions and Ownership
Ensure BIND has permission to write to the zone file and that the files are owned by the BIND user: Ensure BIND has permission to write to the zone file and that the files are owned by the BIND user:
@ -913,7 +916,7 @@ chown bind:bind /var/cache/bind/zones
chmod 755 /var/cache/bind/zones chmod 755 /var/cache/bind/zones
``` ```
#### Logging: #### 2.3.4. Logging:
Place the contents below at `/etc/bind/named.conf.default-logging` and include the file in `/etc/bind/named.conf`: Place the contents below at `/etc/bind/named.conf.default-logging` and include the file in `/etc/bind/named.conf`:
@ -984,7 +987,7 @@ logging {
}; };
``` ```
#### Restart BIND9 Service #### 2.3.5. Restart BIND9 Service
After making these changes, restart the BIND9 service to apply them: After making these changes, restart the BIND9 service to apply them:
@ -992,16 +995,20 @@ After making these changes, restart the BIND9 service to apply them:
systemctl restart bind9 systemctl restart bind9
``` ```
#### Verify Configuration and Zone Transfer #### 2.3.6. Verify Configuration and Zone Transfer
```bash ```bash
named-checkconf named-checkconf
grep 'transfer of "test."' /var/log/syslog grep 'transfer of "test."' /var/log/syslog
``` ```
### 2.4. Setup Monitoring ## 3. Recommended Components and Integrations
#### 2.4.1. Option 1: Prometheus This section outlines recommended components to enhance the functionality and reliability of your Namingo setup.
### 3.1. Setup Monitoring
#### 3.1.1. Option 1: Prometheus
```bash ```bash
apt update apt update
@ -1334,7 +1341,7 @@ If you want notifications via email, Slack, Telegram, or other tools, you can co
3. Create alert rules (e.g., "Alert if Redis is down for 1 minute"). 3. Create alert rules (e.g., "Alert if Redis is down for 1 minute").
#### 2.4.2. Option 2: Netdata #### 3.1.2. Option 2: Netdata
```bash ```bash
wget https://my-netdata.io/kickstart.sh -O install.sh && chmod +x install.sh && ./install.sh wget https://my-netdata.io/kickstart.sh -O install.sh && chmod +x install.sh && ./install.sh
@ -1342,7 +1349,7 @@ wget https://my-netdata.io/kickstart.sh -O install.sh && chmod +x install.sh &&
Open Netdata in your browser: http://your-server-ip:19999 Open Netdata in your browser: http://your-server-ip:19999
### 2.5. Recommended Help Desk Solutions ### 3.2. Recommended Help Desk Solutions
To enhance your customer support experience with Namingo, consider using one of these open-source help desk solutions: To enhance your customer support experience with Namingo, consider using one of these open-source help desk solutions:
@ -1353,20 +1360,20 @@ To enhance your customer support experience with Namingo, consider using one of
**Note:** These solutions are independent of Namingo. FreeScout is licensed under AGPL-3.0, while Chatwoot uses MIT. If using FreeScout, ensure compliance with AGPL-3.0 licensing. **Note:** These solutions are independent of Namingo. FreeScout is licensed under AGPL-3.0, while Chatwoot uses MIT. If using FreeScout, ensure compliance with AGPL-3.0 licensing.
### 2.6. Scaling Your Database with ProxySQL ### 3.3. Scaling Your Database with ProxySQL
To enhance the scalability and performance of your database, consider integrating [ProxySQL](https://proxysql.com/) into your architecture. ProxySQL is a high-performance, open-source proxy designed for MySQL, MariaDB, and other database systems, providing features like query caching, load balancing, query routing, and failover support. By acting as an intermediary between your application and the database, ProxySQL enables efficient distribution of queries across multiple database nodes, reducing latency and improving overall reliability, making it an excellent choice for scaling your database infrastructure. To enhance the scalability and performance of your database, consider integrating [ProxySQL](https://proxysql.com/) into your architecture. ProxySQL is a high-performance, open-source proxy designed for MySQL, MariaDB, and other database systems, providing features like query caching, load balancing, query routing, and failover support. By acting as an intermediary between your application and the database, ProxySQL enables efficient distribution of queries across multiple database nodes, reducing latency and improving overall reliability, making it an excellent choice for scaling your database infrastructure.
## 3. Security Hardening ## 4. Security Hardening
### 3.1. Create the namingo user ### 4.1. Create the namingo user
```bash ```bash
adduser namingo adduser namingo
usermod -aG sudo namingo usermod -aG sudo namingo
``` ```
### 3.2. Set Up Services ### 4.2. Set Up Services
```bash ```bash
su namingo su namingo
@ -1389,7 +1396,7 @@ sudo systemctl daemon-reload
sudo systemctl restart whois epp rdap sudo systemctl restart whois epp rdap
``` ```
### 3.3. SSH Hardening ### 4.3. SSH Hardening
1. Disable Root Login: 1. Disable Root Login:
@ -1440,7 +1447,7 @@ sudo ufw enable
sudo systemctl restart ssh sudo systemctl restart ssh
``` ```
### 3.4. Other Server Hardening ### 4.4. Other Server Hardening
```bash ```bash
sudo apt update && sudo apt upgrade -y sudo apt update && sudo apt upgrade -y
@ -1462,7 +1469,7 @@ sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
``` ```
### 3.5. Adminer Security settings ### 4.5. Adminer Security settings
To enhance the security of your Adminer installation, we recommend the following settings for Caddy, Apache2, and Nginx: To enhance the security of your Adminer installation, we recommend the following settings for Caddy, Apache2, and Nginx:
@ -1514,7 +1521,7 @@ location /dbtool.php {
} }
``` ```
## 4. In-Depth Configuration File Overview ## 5. In-Depth Configuration File Overview
In this section, we provide a detailed overview of each configuration file used in the Namingo domain registry platform. Understanding these files is essential for customizing and optimizing your system according to your specific needs. We will walk you through the purpose of each file, key settings, and recommended configurations to ensure smooth operation and integration with other components of your setup. In this section, we provide a detailed overview of each configuration file used in the Namingo domain registry platform. Understanding these files is essential for customizing and optimizing your system according to your specific needs. We will walk you through the purpose of each file, key settings, and recommended configurations to ensure smooth operation and integration with other components of your setup.