内容简介:Have your domain served by OCaml-DNS authoritative name servers. Data is stored in a git remote, and let's encrypt certificates can be requested to DNS. This software is deployed since more than two years for several domains such asYou need to own a domain
Goal
Have your domain served by OCaml-DNS authoritative name servers. Data is stored in a git remote, and let's encrypt certificates can be requested to DNS. This software is deployed since more than two years for several domains such as nqsb.io
and robur.coop
. This present the authoritative server side, and certificate library of the OCaml-DNS implementation formerly known asµDNS.
Prerequisites
You need to own a domain, and be able to delegate the name service to your own servers. You also need two spare public IPv4 addresses (in different /24 networks) for your name servers. A git server or remote repository reachable via git over ssh. Servers which support solo5 guests, and have the corresponding tender installed. A computer with opam (>= 2.0.0) installed.
Data preparation
Figure out a way to get the DNS entries of your domain in a "master file format" , i.e. what bind uses.
This is a master file for the mirage
domain, defining $ORIGIN
to avoid typing the domain name after each hostname (use @
if you need the domain name only; if you need to refer to a hostname in a different domain end it with a dot ( .
), i.e. ns2.foo.com.
). The default time to live $TTL
is an hour (3600 seconds).
The zone contains a
start of authority ( SOA
) record
containing the nameserver, hostmaster, serial, refresh, retry, expiry, and minimum.
Also, a single
name server ( NS
) record
ns1
is specified with an accompanying
address ( A
) records
pointing to their IPv4 address.
git-repo> cat mirage $ORIGIN mirage. $TTL 3600 @ SOA ns1 hostmaster 1 86400 7200 1048576 3600 @ NS ns1 ns1 A 127.0.0.1 www A 1.1.1.1 git-repo> git add mirage && git commit -m initial && git push
Installation
On your development machine, you need to install various OCaml packages. You don't need privileged access if common tools (C compiler, make, libgmp) are already installed. You have opam
installed.
Let's create a fresh switch
for the DNS journey:
$ opam init $ opam update $ opam switch create udns 4.09.0 # waiting a bit, a fresh OCaml compiler is getting bootstrapped $ eval `opam env` #sets some environment variables
The last command set environment variables in your current shell session, please use the same shell for the commands following (or run eval $(opam env)
in another shell and proceed in there - the output of opam switch
sohuld point to udns
).
Validation of our zonefile
First let's check that OCaml-DNS can parse our zonefile:
$ opam install dns-cli #installs ~/.opam/udns/bin/ozone and other binaries $ ozone <git-repo>/mirage # see ozone --help successfully checked zone
Great. Error reporting is not great, but line numbers are indicated ( ozone: zone parse problem at line 3: syntax error
), lexer and parser are lex/yacc style
(PRs welcome).
FWIW, ozone
accepts --old <filename>
to check whether an update from the old zone to the new is fine. This can be used as pre-commit hook
in your git repository to avoid bad parse states in your name servers.
Getting the primary up
The next step is to compile the primary server and run it to serve the domain data. Since the git-via-ssh client is not yet released, we need to add a custom opam repository to this switch.
# git via ssh is not yet released, but this opam repository contains the branch information $ opam repo add git-ssh git+https://github.com/roburio/git-ssh-dns-mirage3-repo.git # get the `mirage` application via opam $ opam install lwt mirage # get the source code of the unikernels $ git clone -b future https://github.com/roburio/unikernels.git $ cd unikernels/primary-git # let's build the server first as unix application $ mirage configure --prng fortuna #--no-depext if you have all system dependencies $ make depend $ make # run it $ ./primary_git # starts a unix process which clones https://github.com/roburio/udns.git # attempts to parse the data as zone files, and fails on parse error $ ./primary-git --remote=https://my-public-git-repository # this should fail with ENOACCESS since the DNS server tries to listen on port 53 # which requires a privileged user, i.e. su, sudo or doas $ sudo ./primary-git --remote=https://my-public-git-repository # leave it running, run the following programs in a different shell # test it $ host ns1.mirage 127.0.0.1 ns1.mirage has address 127.0.0.1 $ dig any mirage @127.0.0.1 # a DNS packet printout with all records available for mirage
That's exciting, the DNS server serving answers from a remote git repository.
Securing the git access with ssh
Let's authenticate the access by using ssh, so we feel ready to push data there as well. The primary-git unikernel already includes an experimental ssh client , all we need to do is setting up credentials - in the following a RSA keypair and the server fingerprint.
# collect the RSA host key fingerprint $ ssh-keyscan <git-server> > /tmp/git-server-public-keys $ ssh-keygen -l -E sha256 -f /tmp/git-server-public-keys | grep RSA 2048 SHA256:a5kkkuo7MwTBkW+HDt4km0gGPUAX0y1bFcPMXKxBaD0 <git-server> (RSA) # we're interested in the SHA256:yyy only # generate a ssh keypair $ awa_gen_key # installed by the make depend step above in ~/.opam/udns/bin seed is pIKflD07VT2W9XpDvqntcmEW3OKlwZL62ak1EZ0m ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5b2cSSkZ5/MAu7pM6iJLOaX9tJsfA8DB1RI34Zygw6FA0y8iisbqGCv6Z94ZxreGATwSVvrpqGo5p0rsKs+6gQnMCU1+sOC4PRlxy6XKgj0YXvAZcQuxwmVQlBHshuq0CraMK9FASupGrSO8/dW30Kqy1wmd/IrqW9J1Cnw+qf0C/VEhIbo7btlpzlYpJLuZboTvEk1h67lx1ZRw9bSPuLjj665yO8d0caVIkPp6vDX20EsgITdg+cFjWzVtOciy4ETLFiKkDnuzHzoQ4EL8bUtjN02UpvX2qankONywXhzYYqu65+edSpogx2TuWFDJFPHgcyO/ZIMoluXGNgQlP awa@awa.local # please run your own awa_gen_key, don't use the numbers above
The public key needs is in standard OpenSSH format and needs to be added to the list of accepted keys on your server - the exact steps depend on your git server, if you're running your own with gitosis , add it as new public key file and grant that key access to the data repository. If you use gitlab or github, you may want to create a new user account and with the generated key.
The private key is not displayed, but only the seed required to re-generate it, when using the same random number generator, in our case fortuna implemented by nocrypto
- used by both awa_gen_key
and primary_git
. The seed is provided as command-line argument while starting primary_git
:
# execute with git over ssh, authenticator from ssh-keyscan, seed from awa_gen_key $ ./primary_git --authenticator=SHA256:a5kkkuo7MwTBkW+HDt4km0gGPUAX0y1bFcPMXKxBaD0 --seed=pIKflD07VT2W9XpDvqntcmEW3OKlwZL62ak1EZ0m --remote=ssh://git@<git-server>/repo-name.git # started up, you can try the host and dig commands from above if you like
To wrap up, we now have a primary authoritative name server for our zone running as Unix process, which clones a remote git repository via ssh on startup and then serves it.
Authenticated data updates
Our remote git repository is the source of truth, if you need to add a DNS entry to the zone, you git pull, edit the zone file, remember to increase the serial in the SOA line, run ozone
, git commit and push to the repository.
So, the primary_git
needs to be informed of git pushes. This requires a communication channel from the git server (or somewhere else, e.g. your laptop) to the DNS server. I prefer in-protocol solutions over adding yet another protocol stack, no way my DNS server will talk HTTP REST.
The DNS protocol has an extension for notifications of zone changes
(as a DNS packet), usually used between the primary and secondary servers. The primary_git
accepts these notify requests (i.e. bends the standard slightly), and upon receival pulls the remote git repository, and serves the fresh zone files. Since a git pull may be rather excessive in terms of CPU cycles and network bandwidth, only authenticated notifications are accepted.
The DNS protocol specifies in another extension authentication (DNS TSIG) with transaction signatures on DNS packets including a timestamp and fudge to avoid replay attacks. As key material hmac secrets distribued to both the communication endpoints are used.
To recap, the primary server is configured with command line parameters (for remote repository url and ssh credentials), and serves data from a zonefile. If the secrets would be provided via command line, a restart would be necessary for adding and removing keys. If put into the zonefile, they would be publicly served on request. So instead, we'll use another file, still in zone file format, in the top-level domain _keys
, i.e. the mirage._keys
file contains keys for the mirage
zone. All files ending in ._keys
are parsed with the normal parser, but put into an authentication store instead of the domain data store, which is served publically.
For encoding hmac secrets into DNS zone file format, the
DNSKEY
format is used (designed for DNSsec). The bind
software comes with dnssec-keygen
and tsig-keygen
to generate DNSKEY output: flags is 0, protocol is 3, and algorithm identifier for SHA256 is 163 (SHA384 164, SHA512 165). This is reused by the OCaml DNS library. The key material itself is base64 encoded.
Access control and naming of keys follows the DNS domain name hierarchy - a key has the form name._operation.domain, and has access granted to domain and all subdomains of it. Two operations are supported: update and transfer. In the future there may be a dedicated notify operation, for now we'll use update. The name part is ignored for the update operation.
Since we now embedd secret information in the git repository, it is a good idea to restrict access to it, i.e. make it private and not publicly cloneable or viewable. Let's generate a first hmac secret and send a notify:
$ dd if=/dev/random bs=1 count=32 | b64encode - begin-base64 644 - kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg= ==== [..] git-repo> echo "personal._update.mirage. DNSKEY 0 3 163 kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg=" > mirage._keys git-repo> git add mirage._keys && git commit -m "add hmac secret" && git push # now we need to restart the primary git to get the git repository with the key $ ./primary_git --seed=... # arguments from above, remote git, host key fingerprint, private key seed # now test that a notify results in a git pull $ onotify 127.0.0.1 mirage --key=personal._update.mirage:SHA256:kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg= # onotify was installed by dns-cli in ~/.opam/udns/bin/onotify, see --help for options # further changes to the hmac secrets don't require a restart anymore, a notify packet is sufficient :D
Ok, this onotify command line could be setup as a git post-commit hook, or run manually after each manual git push.
Secondary
It's time to figure out how to integrate the secondary name server. The secondary
subdirectory of the cloned unikernels
repository is another unikernel that acts as secondary server. It's only command line argument is a list of hmac secrets used for authenticating that the received data originates from the primary server. Data is initially transferred by a full zone transfer (AXFR)
, later updates (upon refresh timer or notify request sent by the primary) use incremental (IXFR)
. Zone transfer requests and data are authenticated with transaction signatures again.
Convenience by OCaml DNS is that transfer key names matter, and are of the form <primary-ip>.<secondary-ip>._transfer.domain, i.e. 1.1.1.1.2.2.2.2._transfer.mirage
if the primary server is 1.1.1.1, and the secondary 2.2.2.2. Encoding the IP address in the name allows both parties to start the communication: the secondary starts by requesting a SOA for all domains for which keys are provided on command line, and if an authoritative SOA answer is received, the AXFR is triggered. The primary server emits notification requests on startup and then on every zone change (i.e. via git pull) to all secondary IP addresses of transfer keys present for the specific zone in addition to the notifications to the NS records in the zone.
$ cd ../secondary $ mirage configure --prng fortuna # make depend should not be needed since all packages are already installed by the primary-git $ make $ ./secondary
IP addresses and routing
Both primary and secondary serve the data on the DNS port (53) on UDP and TCP. To run both on the same machine and bind them to different IP addresses, we'll use a layer 2 network (ethernet frames) with a host system software switch (bridge interface service
), the unikernels as virtual machines (or seccomp-sandboxed) via the solo5
backend. Using xen is possible as well. As IP address range we'll use 10.0.42.0/24, and the host system uses the 10.0.42.1.
The primary git needs connectivity to the remote git repository, thus on a laptop in a private network we need network address translation (NAT) from the bridge where the unikernels speak to the Internet where the git repository resides.
# on FreeBSD: # configure NAT with pf, you need to have forwarding enabled $ sysctl net.inet.ip.forwarding: 1 $ echo 'nat pass on wlan0 inet from 10.0.42.0/24 to any -> (wlan0)' >> /etc/pf.conf $ service pf restart # make tap interfaces UP on open() $ sysctl net.link.tap.up_on_open: 1 # bridge creation, naming, and IP setup $ ifconfig bridge create bridge0 $ ifconfig bridge0 name service $ ifconfig bridge0 10.0.42.1/24 # two tap interfaces for our unikernels $ ifconfig tap create tap0 $ ifconfig tap create tap1 # add them to the bridge $ ifconfig service addm tap0 addm tap1
Primary and secondary setup
Let's update our zone slightly to reflect the IP changes.
git-repo> cat mirage $ORIGIN mirage. $TTL 3600 @ SOA ns1 hostmaster 2 86400 7200 1048576 3600 @ NS ns1 @ NS ns2 ns1 A 10.0.42.2 ns2 A 10.0.42.3 # we also need an additional transfer key git-repo> cat mirage._keys personal._update.mirage. DNSKEY 0 3 163 kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg= 10.0.42.2.10.0.42.3._update.mirage. DNSKEY 0 3 163 cDK6sKyvlt8UBerZlmxuD84ih2KookJGDagJlLVNo20= git-repo> git commit -m "udpates" . && git push
Ok, the git repository is ready, now we need to compile the unikernels for the virtualisation target (see other targets for further information).
# back to primary $ cd ../primary-git $ mirage configure -t hvt --prng fortuna # or e.g. -t spt (and solo5-spt below) # installs backend-specific opam packages, recompiles some $ make depend $ make [...] $ solo5-hvt --net:service=tap0 -- primary_git.hvt --ipv4=10.0.42.2/24 --ipv4-gateway=10.0.42.1 --seed=.. --authenticator=.. --remote=ssh+git://... # should now run as a virtual machine (kvm, bhyve), and clone the git repository $ dig any mirage @10.0.42.2 # should reply with the SOA and NS records, and also the name server address records in the additional section # secondary $ cd ../secondary $ mirage configure -t hvt --prng fortuna $ make $ solo5-hvt --net:service=tap0 -- secondary.hvt --ipv4=10.0.42.3/24 --keys=10.0.42.2.10.0.42.3._update.mirage:SHA256:cDK6sKyvlt8UBerZlmxuD84ih2KookJGDagJlLVNo20= # an ipv4-gateway is not needed in this setup, but in real deployment later # it should start up and transfer the mirage zone from the primary $ dig any mirage @10.0.42.3 # should now output the same information as from 10.0.42.2 # testing an update and propagation # edit mirage zone, add a new record and increment the serial number git-repo> echo "foo A 127.0.0.1" >> mirage git-repo> vi mirage <- increment serial git-repo> git commit -m 'add foo' . && git push $ onotify 10.0.42.2 mirage --key=personal._update.mirage:SHA256:kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg= # now check that it worked $ dig foo.mirage @10.0.42.2 # primary $ dig foo.mirage @10.0.42.3 # secondary got notified and transferred the zone
You can also check the behaviour when restarting either of the VMs, whenever the primary is available the zone is synchronised. If the primary is down, the secondary still serves the zone. When the secondary is started while the primary is down, it won't serve any data until the primary is online (the secondary polls periodically, the primary sends notifies on startup).
Dynamic data updates via DNS, pushed to git
DNS is a rich protocol, and it also has builtin updates
that are supported by OCaml DNS, again authenticated with hmac-sha256 and shared secrets. Bind provides the command-line utility nsupdate
to send these update packets, a simple oupdate
unix utility is available as well (i.e. for integration of dynamic DNS clients). You know the drill, add a shared secret to the primary, git push, notify the primary, and voila we can dynamically in-protocol update. An update received by the primary via this way will trigger a git push to the remote git repository, and notifications to the secondary servers as described above.
# being lazy, I reuse the key above $ oupdate 10.0.42.2 personal._update.mirage:SHA256:kJJqipaQHQWqZL31Raar6uPnepGFIdtpjkXot9rv2xg= my-other.mirage 1.2.3.4 # let's observe the remote git git-repo> git pull # there should be a new commit generated by the primary git-repo> git log # test it, should return 1.2.3.4 $ dig my-other.mirage @10.0.42.2 $ dig my-other.mirage @10.0.42.3
So we can deploy further oupdate
(or nsupdate
) clients, distribute hmac secrets, and have the DNS zone updated. The source of truth is still the git repository, where the primary-git pushes to. Merge conflicts and timing of pushes is not yet dealt with. They are unlikely to happen since the primary is notified on pushes and should have up-to-date data in storage. Sorry, I'm unsure about the error semantics, try it yourself.
Let's encrypt!
Let's encrypt is a certificate authority (CA), which certificate is shipped as trust anchor in web browsers. They specified a protocol for automated certificate management environment (ACME) , used to get X509 certificates for your services. In the protocol, a certificate signing request (publickey and hostname) is sent to let's encrypt servers, which sends a challenge to proof the ownership of the hostnames. One widely-used way to solve this challenge is running a web server, another is to serve it as text record from the authoritative DNS server.
Since I avoid persistent storage when possible, and also don't want to integrate a HTTP client stack in the primary server, I developed a third unikernel that acts as (hidden) secondary server, performs the tedious HTTP communication with let's encrypt servers, and stores all data in the public DNS zone.
For encoding of certificates, the DANE working group specified TLSA records in DNS. They are quadruples of usage, selector, matching type, and ASN.1 DER-encoded material. We set usage to 3 (domain-issued certificate), matching type to 0 (no hash), and selector to 0 (full certificate) or 255 (private usage) for certificate signing requests. The interaction is as follows:
- Primary, secondary, and let's encrypt unikernels are running
-
A service (
ocertify
,unikernels/certificate
, or thedns-certify.mirage
library) demands a TLS certificate, and has a hmac-secret for the primary DNS - The service generates a certificate signing request with the desired hostname(s), and performs an nsupdate with TLSA 255 <DER encoded signing-request>
- The primary accepts the update, pushes the new zone to git, and sends notifies to secondary and let's encrypt unikernels which (incrementally) transfer the zone
- The let's encrypt unikernel notices while transferring the zone a signing request without a certificate, starts HTTP interaction with let's encrypt
- The let's encrypt unikernel solves the challenge, sends the response as update of a TXT record to the primary nameserver
- The primary pushes the TXT record to git, and notifies secondaries (which transfer the zone)
- The let's encrypt servers request the TXT record from either or both authoritative name servers
- The let's encrypt unikernel polls for the issued certificate and send an update to the primary TLSA 0 <DER encoded certificate>
- The primary pushes the certificate to git, notifies secondaries (which transfer the zone)
- The service polls TLSA records for the hostname, and use it upon retrieval
Note that neither the signing request nor the certificate contain private key material, thus it is fine to serve them publically.
The let's encrypt unikernel does not serve anything, it is a reactive system which acts upon notification from the primary. Thus, it can be executed in a private address space (with a NAT). Since the OCaml DNS server stack needs to push notifications to it, it preserves all incoming signed SOA requests as candidates for notifications on update. The let's encrypt unikernel ensures to always have a connection to the primary to receive notifications.
# getting let's encrypt up and running $ cd ../lets-encrypt $ mirage configure -t hvt --prng fortuna $ make depend $ make # run it $ solo5-hvt --net:service=tap2 -- letsencrypt.hvt --keys=... # test it $ ocertify 10.0.42.2 foo.mirage
For actual testing with let's encrypt servers you need to have the primary and secondary deployed on your remote hosts, and your domain needs to be delegated to these servers. Good luck.
As fine print, while this tutorial was about the mirage
zone, you can stick any number of zones into the git repository. If you use a _keys
file (without any domain prefix), you can configure hmac secrets for all zones, i.e. something to use in your let's encrypt unikernel and secondary unikernel. Dynamic addition of zones is supported, just create a new zonefile and notify the primary, the secondary will be notified and pick it up. The primary responds to a signed SOA for the root zone (i.e. requested by the secondary) with the SOA response (not authoritative), and additionally notifications for all domains of the primary.
Conclusion and thanks
This tutorial presented how to use the OCaml DNS based unikernels to run authoritative name servers for your domain, using a git repository as the source of truth, dynamic authenticated updates, and let's encrypt certificate issuing.
There are further steps to take, such as monitoring -- have a look at the monitoring
branch of the opam repository above, and the future-robur
branch of the unikernels repository above, which use a second network interface for reporting syslog and metrics to telegraf / influx / grafana. Some DNS features are still missing, most prominently DNSSec.
I'd like to thank all people involved in this software stack, without other key components, including git , irmin 2.0 , nocrypto , awa-ssh , cohttp , solo5 , mirage , ocaml-letsencrypt , and more.
If you want to support our work on MirageOS unikernels, please donate to robur . I'm interested in feedback, either via twitter , hannesm@mastodon.social or an issue on the data repository .
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
智能Web算法(第2版)
【英】Douglas G. McIlwraith(道格拉斯 G. 麦基尔雷思)、【美】Haralambos Marmanis(哈若拉玛 玛若曼尼斯)、【美】Dmitry Babenko(德米特里•巴邦科) / 达观数据、陈运文 等 / 电子工业出版社 / 2017-7 / 69.00
机器学习一直是人工智能研究领域的重要方向,而在大数据时代,来自Web 的数据采集、挖掘、应用技术又越来越受到瞩目,并创造着巨大的价值。本书是有关Web数据挖掘和机器学习技术的一本知名的著作,第2 版进一步加入了本领域最新的研究内容和应用案例,介绍了统计学、结构建模、推荐系统、数据分类、点击预测、深度学习、效果评估、数据采集等众多方面的内容。《智能Web算法(第2版)》内容翔实、案例生动,有很高的阅......一起来看看 《智能Web算法(第2版)》 这本书的介绍吧!