OlegPhenomenon
Contributor

No description provided.

  Implements automatic DNSSEC synchronization (RFC 7344) and delegation
  synchronization (RFC 7477) for DNS zone management.

  ## Features Added:

  ### DNS Validator Service
  - Add  flag (default: true) to control validation vs. application mode
  - Implement CDS record processing for automatic DS record updates
  - Implement CDNSKEY record processing for DNSKEY management and KSK rotation
  - Implement CSYNC record parsing (manual TYPE62 parsing as Dnsruby lacks support)
  - Add DNSSEC validation chain verification for secure updates

  ### CDS/CDNSKEY Support (RFC 7344)
  - Process CDS records for DS record synchronization
  - Handle CDS with algorithm=0 for DS removal
  - Process CDNSKEY records for DNSKEY updates
  - Detect and handle KSK rotation scenarios
  - Validate records using DNSSEC chain when enabled

  ### CSYNC Support (RFC 7477)
  - Parse CSYNC records (TYPE62) with serial, flags, and type bitmap
  - Detect NS record synchronization requirements
  - Support A/AAAA glue record synchronization
  - Process immediate and soaminimum flags

  ### Update Methods
  - : Create or update DS records from CDS
  - : Remove all DS records
  - : Remove all DNSSEC keys
  - : Handle KSK rotation
  - : Synchronize nameserver records
  - : Update glue (A/AAAA) records

  ### Convenience Methods
  - : Validation without applying changes
  - : Apply only DNSSEC updates
  - : Apply only CSYNC updates

  ## Testing
  - Add comprehensive test coverage for all new features
  - Test apply_changes flag behavior
  - Test CDS/CDNSKEY/CSYNC record processing
  - Test DNSSEC validation and update methods
  - Use proper fixtures and mocking for DNS queries

  ## Security
  - Validate CDS/CDNSKEY records via DNSSEC when domain has existing keys
  - Only apply validated updates or when no DNSSEC validation required
  - Log all changes and send notifications to registrar
  - Allow validation-only mode for safe preview of changes

  This implementation enables automatic DNSSEC key management and delegation
  synchronization, reducing manual intervention and improving DNS security
  automation according to RFC standards.
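
The manual TYPE62 parsing mentioned in the description can be sketched as follows. This is an added example, not code from this pull request or the project; it follows the RFC 7477 wire layout (32-bit SOA serial, 16-bit flags, NSEC-style type bitmap windows), and the function name, constants and sample bytes are constructed for illustration.

```ruby
# Added example, not the PR's code: CSYNC (TYPE62) RDATA parser per RFC 7477.
CSYNC_IMMEDIATE  = 0x0001
CSYNC_SOAMINIMUM = 0x0002
KNOWN_FLAGS      = CSYNC_IMMEDIATE | CSYNC_SOAMINIMUM
# Types a CSYNC bitmap normally carries; anything else is shown as TYPEnn.
TYPE_NAMES = { 1 => 'A', 2 => 'NS', 28 => 'AAAA' }.freeze

class CsyncParseError < StandardError; end

# Hypothetical helper: takes raw RDATA bytes, returns a hash or raises.
def parse_csync_rdata(rdata)
  rdata = rdata.b
  raise CsyncParseError, 'RDATA shorter than serial + flags' if rdata.bytesize < 6

  serial, flags = rdata.unpack('Nn')
  # RFC 7477: a record with a flag the agent does not know must not be processed.
  raise CsyncParseError, 'unknown flag bits set' unless (flags & ~KNOWN_FLAGS).zero?

  types = []
  pos = 6
  last_window = -1
  while pos < rdata.bytesize
    raise CsyncParseError, 'truncated window header' if pos + 2 > rdata.bytesize
    window, len = rdata.byteslice(pos, 2).unpack('CC')
    pos += 2
    raise CsyncParseError, 'bitmap length out of range' unless (1..32).cover?(len)
    raise CsyncParseError, 'windows not in increasing order' unless window > last_window
    raise CsyncParseError, 'truncated bitmap' if pos + len > rdata.bytesize

    rdata.byteslice(pos, len).each_byte.with_index do |byte, i|
      8.times do |bit|
        types << (window * 256 + i * 8 + bit) unless (byte & (0x80 >> bit)).zero?
      end
    end
    pos += len
    last_window = window
  end

  { serial: serial,
    immediate: (flags & CSYNC_IMMEDIATE) != 0,
    soaminimum: (flags & CSYNC_SOAMINIMUM) != 0,
    types: types.map { |t| TYPE_NAMES.fetch(t, "TYPE#{t}") } }
end

# Constructed sample: serial 66, flags 3, bitmap for A, NS and AAAA.
SAMPLE_RDATA = ['000000420003000460000008'].pack('H*')
p parse_csync_rdata(SAMPLE_RDATA) if __FILE__ == $PROGRAM_NAME
```

Rejecting unknown flag bits and malformed bitmap windows before any delegation data is touched keeps a damaged or unexpected record from driving an NS or glue update.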