Turn on DNSSEC for new Cloud DNS TLDs

We set the "denial of existence" mode to NSEC (rather than NSEC3) because preventing "walking the zone" isn't a concern for TLDs.

It uses the default security configuration for everything else, which at the time of this writing is:

Key signing: RSASHA256, key length of 2048
Zone signing: RSASHA256, key length of 1024

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=179045575
guyben 2017-12-14 08:06:13 -08:00 committed by Ben McIlwain
parent 0d3ec66259
commit d5d29959b4
2 changed files with 25 additions and 15 deletions


@ -23,6 +23,7 @@ import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.dns.Dns; import com.google.api.services.dns.Dns;
import com.google.api.services.dns.model.ManagedZone; import com.google.api.services.dns.model.ManagedZone;
import com.google.api.services.dns.model.ManagedZoneDnsSecConfig;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import google.registry.config.RegistryConfig.Config; import google.registry.config.RegistryConfig.Config;
import java.io.IOException; import java.io.IOException;
@ -58,16 +59,18 @@ class CreateCdnsTld extends ConfirmingCommand {
private static final String KEY_VALUE_FORMAT = " %s = %s"; private static final String KEY_VALUE_FORMAT = " %s = %s";
private ManagedZone requestBody; private ManagedZone managedZone;
@Override @Override
protected void init() throws IOException, GeneralSecurityException { protected void init() throws IOException, GeneralSecurityException {
requestBody = new ManagedZone(); managedZone =
requestBody.setDescription(description); new ManagedZone()
.setDescription(description)
// TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so. // TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so.
requestBody.setNameServerSet("cloud-dns-registry-test"); .setNameServerSet("cloud-dns-registry-test")
requestBody.setDnsName(dnsName); .setDnsName(dnsName)
requestBody.setName((name != null) ? name : dnsName); .setName((name != null) ? name : dnsName)
.setDnssecConfig(new ManagedZoneDnsSecConfig().setNonExistence("NSEC").setState("ON"));
} }
@Override @Override
@ -75,7 +78,7 @@ class CreateCdnsTld extends ConfirmingCommand {
return String.format( return String.format(
"Creating TLD with:\n%s\n%s", "Creating TLD with:\n%s\n%s",
String.format(KEY_VALUE_FORMAT, "projectId", projectId), String.format(KEY_VALUE_FORMAT, "projectId", projectId),
requestBody managedZone
.entrySet() .entrySet()
.stream() .stream()
.map(entry -> String.format(KEY_VALUE_FORMAT, entry.getKey(), entry.getValue())) .map(entry -> String.format(KEY_VALUE_FORMAT, entry.getKey(), entry.getValue()))
@ -85,7 +88,7 @@ class CreateCdnsTld extends ConfirmingCommand {
@Override @Override
public String execute() throws IOException, GeneralSecurityException { public String execute() throws IOException, GeneralSecurityException {
Dns dnsService = createDnsService(); Dns dnsService = createDnsService();
Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, requestBody); Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, managedZone);
ManagedZone response = request.execute(); ManagedZone response = request.execute();
return String.format("Created managed zone: %s", response); return String.format("Created managed zone: %s", response);
} }
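Review bot: The DNSSEC config added at the end of init() pins only the denial-of-existence mode and the state; the signing algorithm and key lengths are left to whatever Cloud DNS defaults to, which the commit message records as RSASHA256 with a 2048-bit KSK and a 1024-bit ZSK. A 1024-bit RSA zone-signing key is below what current guidance considers adequate, and because nothing in the code fixes it, the zone's key strength will change silently whenever the provider changes its default. At minimum the rationale and the accepted default belong next to the setter rather than only in the commit message, e.g. `// NSEC rather than NSEC3: TLD zone contents are public, so zone walking is not a concern.` and `// Key algorithm/length are left to the Cloud DNS default (RSASHA256, 2048-bit KSK / 1024-bit ZSK at time of writing); revisit if a stronger ZSK is required.`. If the config type exposes an explicit key-spec setting, pinning the algorithm and sizes there would make the intended posture explicit and reviewable. The enclosing CreateCdnsTld class continues outside this section.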


@ -20,6 +20,7 @@ import static org.mockito.Mockito.when;
import com.google.api.services.dns.Dns; import com.google.api.services.dns.Dns;
import com.google.api.services.dns.model.ManagedZone; import com.google.api.services.dns.model.ManagedZone;
import com.google.api.services.dns.model.ManagedZoneDnsSecConfig;
import java.io.IOException; import java.io.IOException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import org.junit.Before; import org.junit.Before;
@ -55,23 +56,29 @@ public class CreateCdnsTldTest extends CommandTestCase<CreateCdnsTld> {
} }
} }
private ManagedZone createZone(
String nameServerSet, String description, String dnsName, String name) {
return new ManagedZone()
.setNameServerSet(nameServerSet)
.setDnsName(dnsName)
.setDescription(description)
.setName(name)
.setDnssecConfig(new ManagedZoneDnsSecConfig().setState("ON").setNonExistence("NSEC"));
}
@Test @Test
public void testBasicFunctionality() throws Exception { public void testBasicFunctionality() throws Exception {
runCommand("--dns_name=tld.", "--name=tld", "--description=test run", "--force"); runCommand("--dns_name=tld.", "--name=tld", "--description=test run", "--force");
verify(request).execute(); verify(request).execute();
assertThat(projectId.getValue()).isEqualTo("test-project"); assertThat(projectId.getValue()).isEqualTo("test-project");
ManagedZone zone = requestBody.getValue(); ManagedZone zone = requestBody.getValue();
assertThat(zone.getNameServerSet()).isEqualTo("cloud-dns-registry-test"); assertThat(zone).isEqualTo(createZone("cloud-dns-registry-test", "test run", "tld.", "tld"));
assertThat(zone.getDnsName()).isEqualTo("tld.");
assertThat(zone.getName()).isEqualTo("tld");
} }
@Test @Test
public void testNameDefault() throws Exception { public void testNameDefault() throws Exception {
runCommand("--dns_name=tld.", "--description=test run", "--force"); runCommand("--dns_name=tld.", "--description=test run", "--force");
ManagedZone zone = requestBody.getValue(); ManagedZone zone = requestBody.getValue();
assertThat(zone.getNameServerSet()).isEqualTo("cloud-dns-registry-test"); assertThat(zone).isEqualTo(createZone("cloud-dns-registry-test", "test run", "tld.", "tld."));
assertThat(zone.getDnsName()).isEqualTo("tld.");
assertThat(zone.getName()).isEqualTo("tld.");
} }
} }
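Review bot: The two tests now check DNSSEC only indirectly, through whole-object equality against createZone(), so a regression in the security setting surfaces as a dump of the entire ManagedZone map rather than a message naming the field. Adding a direct assertion in testBasicFunctionality, `assertThat(zone.getDnssecConfig().getState()).isEqualTo("ON");` and `assertThat(zone.getDnssecConfig().getNonExistence()).isEqualTo("NSEC");`, documents the expectation at the point a future reader will look and keeps the failure message specific. The equality check also presumably relies on the client library's generic-data equals covering the nested ManagedZoneDnsSecConfig; worth confirming that a differing DNSSEC config actually fails the assertion rather than comparing by identity.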