Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there a way protect AXFR and IXFR queries to require TSIG? #481

Closed
pusateri opened this issue Jan 24, 2025 · 6 comments · May be fixed by #485
Closed

Is there a way protect AXFR and IXFR queries to require TSIG? #481

pusateri opened this issue Jan 24, 2025 · 6 comments · May be fixed by #485

Comments

@pusateri
Copy link

Thanks for adding TSIG support. This is very cool.

Current TSIG middleware docs say:

Signed requests that fail signature verification will be rejected.
Unsigned requests and correctly signed requests will pass through this middleware unchanged.

Is there a way to require Signed requests only?
@ximon18 Slack
Copy link
Member

ximon18 commented Jan 24, 2025
edited
Loading

Yes.

As an example the XfrMiddlewareSvc middleware can optionally do this via the XfrDataProvider impl, by checking in that impl if the Option<Key> is None and then refusing the XFR.

No existing provided impl of XfrDataProvider does this because it's a local policy decision and so you should implement XfrDataProvider yourself, the existing impls do not restrict access at all.

I have a proof-of-concept impl that does restrict access that was never released, there's still a version of it in Git history, I'll try and find it.

There isn’t an out-of-the-box simple Middleware Service impl that does just checking for a key, but your actual application Service impl could also do it in the same way by examining the Option<Key> received via RequestMeta (but this is only relevant in the case that you are not using the provided XfrMiddlewareSvc).

@ximon18
Copy link
Member

ximon18 commented Jan 24, 2025
edited
Loading

See:

domain/src/zonemaintenance/maintainer.rs

Line 2152 in b61d08f

impl<KS, CF> XfrDataProvider<Option<Key>> for ZoneMaintainer<KS, CF>

It might be a bit overwhelming as there's a lot going on in that code. It was never properly finished or reviewed but was tested locally with an NSD both acting as a primary and also in a separate test acting as a secondary, so it's not beautiful but it works.

@ximon18
Copy link
Member

ximon18 commented Jan 25, 2025
edited
Loading

Hi @pusateri,

The attached patch against the main branch of domain shows how to do this by modifying examples/serve-zone.rs.

I hope that helps.

Ximon

refuse_unsigned_xfr.txt

Update: Note that you can also check that only the expected TSIG keys are used, not just that some TSIG key was used.

@pusateri
Copy link
Author

pusateri commented Jan 27, 2025
edited
Loading

Fantastic. This works for me. Thanks!

@ximon18
Copy link
Member

ximon18 commented Jan 27, 2025
edited
Loading

Great!

@pusateri: Do you think the documentation needs improving (for this scenario) and if so do you have any suggestions as to what to change or add?

Ximon

@pusateri
Copy link
Author

No, updating the example code should be sufficient.

ximon18 added a commit that referenced this issue Jan 28, 2025
@ximon18
Update serve-zone.rs to show working with the TSIG key.
132b792 
As shown in #481.
@ximon18 ximon18 mentioned this issue Jan 28, 2025
Open
@ximon18 ximon18 linked a pull request Jan 28, 2025 that will close this issue
Update serve-zone.rs to show working with the TSIG key. #485
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update serve-zone.rs to show working with the TSIG key. NLnetLabs/domain
2 participants
@pusateri @ximon18