[bug#68621] [PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver

[bug#68621] [PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver

[Leo Nikkilä via Guix-patches via]

The default DNSSEC trust anchors for knot-resolver are currently
disabled through a build phase, but configured when you use the default
kresd.conf file provided by Guix.

If you write your own configuration, you might expect kresd to have
DNSSEC enabled by default since this is what upstream does [1]. On Guix,
DNSSEC is disabled unless you provide the same custom path in your own
configuration and install the file into the appropriate location.

This set updates the package to be built with the correct path as the
default, and the service to use that path and install the default trust
anchors at activation time when missing.

[1]: https://knot-resolver.readthedocs.io/en/stable/config-dnssec.html

Leo Nikkilä (2):
  gnu: knot-resolver: Re-enable default DNSSEC trust anchors.
  services: knot-resolver: Use default DNSSEC trust anchors.

 gnu/packages/dns.scm | 20 +++++++++++++-------
 gnu/services/dns.scm | 17 +++++++++++++----
 2 files changed, 26 insertions(+), 11 deletions(-)


base-commit: 9072f27f5d3514be22c6af208f2ad56ef4e112f4
-- 
2.41.0

[bug#68620] [PATCH 1/2] gnu: knot-resolver: Re-enable default DNSSEC trust anchors.

[Leo Nikkilä via Guix-patches via]

* gnu/packages/dns.scm (knot-resolver) [#:configure-flags]: Configure
root keys and managed TA.
[#:phases] Remove `'disable-default-ta', add `'install-root-keys'.
---
 gnu/packages/dns.scm | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 73a2fac54b..9783e560fa 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -994,15 +994,13 @@ (define-public knot-resolver
     (build-system meson-build-system)
     (outputs '("out" "doc"))
     (arguments
-     '(#:configure-flags '("-Ddoc=enabled")
+     `(#:configure-flags
+       '("-Ddoc=enabled"
+         "-Dinstall_root_keys=disabled" ; installed manually outside store
+         "-Dkeyfile_default=/var/cache/knot-resolver/root.keys"
+         "-Dmanaged_ta=enabled")
        #:phases
        (modify-phases %standard-phases
-         (add-before 'configure 'disable-default-ta
-           (lambda _
-             ;;  Disable the default managed root TA, since we don't have
-             ;;  write access to the keyfile and its directory in store.
-             (substitute* "daemon/lua/sandbox.lua.in"
-               (("^trust_anchors\\.add_file.*") ""))))
          (add-after 'build 'build-doc
            (lambda _
              (invoke "ninja" "doc")))
@@ -1020,6 +1018,14 @@ (define-public knot-resolver
                 '("doc/knot-resolver/examples"
                   "doc/knot-resolver/html"
                   "info")))))
+         (add-after 'install 'install-root-keys
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((dir (string-append (assoc-ref outputs "out")
+                                       "/etc/knot-resolver")))
+               (mkdir-p dir)
+               (install-file (string-append "../knot-resolver-" ,version
+                                            "/etc/root.keys")
+                             dir))))
          (add-after 'install 'wrap-binary
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
-- 
2.41.0

[bug#68620] Moved into 68621

[Dale Mellor]

This patch belongs to issue 68621, closing here.

[bug#68620] Moved into 68621

[Dale Mellor]

This patch belongs to issue 68621, closing this one.

[bug#68622] [PATCH 2/2] services: knot-resolver: Use default DNSSEC trust anchors.

[Leo Nikkilä via Guix-patches via]

* gnu/services/dns.scm (%kresd.conf): Use default anchors.
(knot-resolver-activation): Install default anchors when missing.
---
 gnu/services/dns.scm | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..f83c5b6594 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -655,7 +655,6 @@ (define-record-type* <knot-resolver-configuration>
 
 (define %kresd.conf
   (plain-file "kresd.conf" "-- -*- mode: lua -*-
-trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
 net = { '127.0.0.1', '::1' }
 user('knot-resolver', 'knot-resolver')
 modules = { 'hints > iterate', 'stats', 'predict' }
@@ -676,10 +675,20 @@ (define %knot-resolver-accounts
 (define (knot-resolver-activation config)
   #~(begin
       (use-modules (guix build utils))
-      (let ((rundir "/var/cache/knot-resolver")
-            (owner (getpwnam "knot-resolver")))
+      (let* ((rundir "/var/cache/knot-resolver")
+             (keyfile (string-append rundir "/root.keys"))
+             (owner (getpwnam "knot-resolver")))
         (mkdir-p rundir)
-        (chown rundir (passwd:uid owner) (passwd:gid owner)))))
+        (chown rundir (passwd:uid owner) (passwd:gid owner))
+
+        ;; Install initial trust anchors when missing.
+        (unless (file-exists? keyfile)
+          (copy-file #$(file-append (knot-resolver-configuration-package
+                                     config)
+                                    "/etc/knot-resolver/root.keys")
+                     keyfile)
+          (chown keyfile (passwd:uid owner) (passwd:gid owner))
+          (chmod keyfile #o755)))))
 
 (define knot-resolver-shepherd-services
   (match-lambda
-- 
2.41.0

[bug#68622] Moved to 68621

[Dale Mellor]

This patch belongs to issue 68621, closing here.

[bug#68622] Moved into 68621

[Dale Mellor]

This patch belongs to issue 68621, closing this one.

[bug#68621] [PATCH 0/2] Provide default DNSSEC trust anchors for knot-resolver

[Leo Nikkilä via Guix-patches via]

Forgot to mention, but this is more or less what was done for the upstream RPM package, see:

https://gitlab.nic.cz/knot/knot-resolver/-/issues/513
https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/888/diffs

[bug#68621] Consolidating patches under this one issue number

[Dale Mellor]

The patches that follow are:
  * two patches which were originally supposed to accompany this issue
  * a fix to quieten some guix lint warnings
  * a package version micro-bump, to 5.7.2.

[bug#68621] [PATCH v2 1/4] gnu: knot-resolver: Re-enable default DNSSEC trust anchors.

[Dale Mellor]

From: Leo Nikkilä <hello@lnikki.la>

* gnu/packages/dns.scm (knot-resolver) [#:configure-flags]: Configure
root keys and managed TA.
[#:phases] Remove `'disable-default-ta', add `'install-root-keys'.
---
 gnu/packages/dns.scm | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 36d3eb8b7e..947a6e89ba 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -995,15 +995,13 @@ (define-public knot-resolver
     (build-system meson-build-system)
     (outputs '("out" "doc"))
     (arguments
-     '(#:configure-flags '("-Ddoc=enabled")
+     `(#:configure-flags
+       '("-Ddoc=enabled"
+         "-Dinstall_root_keys=disabled" ; installed manually outside store
+         "-Dkeyfile_default=/var/cache/knot-resolver/root.keys"
+         "-Dmanaged_ta=enabled")
        #:phases
        (modify-phases %standard-phases
-         (add-before 'configure 'disable-default-ta
-           (lambda _
-             ;;  Disable the default managed root TA, since we don't have
-             ;;  write access to the keyfile and its directory in store.
-             (substitute* "daemon/lua/sandbox.lua.in"
-               (("^trust_anchors\\.add_file.*") ""))))
          (add-after 'build 'build-doc
            (lambda _
              (invoke "ninja" "doc")))
@@ -1021,6 +1019,14 @@ (define-public knot-resolver
                 '("doc/knot-resolver/examples"
                   "doc/knot-resolver/html"
                   "info")))))
+         (add-after 'install 'install-root-keys
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((dir (string-append (assoc-ref outputs "out")
+                                       "/etc/knot-resolver")))
+               (mkdir-p dir)
+               (install-file (string-append "../knot-resolver-" ,version
+                                            "/etc/root.keys")
+                             dir))))
          (add-after 'install 'wrap-binary
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
-- 
2.41.0

[bug#68621] [PATCH v2 2/4] gnu: knot-resolver: Appease some guix lint complaints.

[Dale Mellor]

From: Dale Mellor <black-hole@rdmp.org>

  * gnu/packages/dns.scm (knot-resolver): Add bash-minimal to inputs, re-label
    input items to 'lua5.1-bitop' and 'nghttp2:lib'.
---
 gnu/packages/dns.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 947a6e89ba..bb86fd34f8 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1051,15 +1051,16 @@ (define-public knot-resolver
            python-sphinx-rtd-theme
            texinfo))
     (inputs
-     `(("fstrm" ,fstrm)
+     `(("bash-minimal" ,bash-minimal)
+       ("fstrm" ,fstrm)
        ("gnutls" ,gnutls)
        ("knot:lib" ,knot "lib")
        ("libuv" ,libuv)
        ("lmdb" ,lmdb)
        ("luajit" ,luajit)
        ;; TODO: Add optional lua modules: basexx and psl.
-       ("lua-bitop" ,lua5.1-bitop)
-       ("nghttp2" ,nghttp2 "lib")
+       ("lua5.1-bitop" ,lua5.1-bitop)
+       ("nghttp2:lib" ,nghttp2 "lib")
        ("python" ,python)))
     (home-page "https://www.knot-resolver.cz/")
     (synopsis "Caching validating DNS resolver")
-- 
2.41.0

[bug#68621] [PATCH v2 3/4] services: knot-resolver: Use default DNSSEC trust anchors.

[Dale Mellor]

From: Leo Nikkilä <hello@lnikki.la>

* gnu/services/dns.scm (%kresd.conf): Use default anchors.
(knot-resolver-activation): Install default anchors when missing.
---
 gnu/services/dns.scm | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..f83c5b6594 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -655,7 +655,6 @@ (define-record-type* <knot-resolver-configuration>
 
 (define %kresd.conf
   (plain-file "kresd.conf" "-- -*- mode: lua -*-
-trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
 net = { '127.0.0.1', '::1' }
 user('knot-resolver', 'knot-resolver')
 modules = { 'hints > iterate', 'stats', 'predict' }
@@ -676,10 +675,20 @@ (define %knot-resolver-accounts
 (define (knot-resolver-activation config)
   #~(begin
       (use-modules (guix build utils))
-      (let ((rundir "/var/cache/knot-resolver")
-            (owner (getpwnam "knot-resolver")))
+      (let* ((rundir "/var/cache/knot-resolver")
+             (keyfile (string-append rundir "/root.keys"))
+             (owner (getpwnam "knot-resolver")))
         (mkdir-p rundir)
-        (chown rundir (passwd:uid owner) (passwd:gid owner)))))
+        (chown rundir (passwd:uid owner) (passwd:gid owner))
+
+        ;; Install initial trust anchors when missing.
+        (unless (file-exists? keyfile)
+          (copy-file #$(file-append (knot-resolver-configuration-package
+                                     config)
+                                    "/etc/knot-resolver/root.keys")
+                     keyfile)
+          (chown keyfile (passwd:uid owner) (passwd:gid owner))
+          (chmod keyfile #o755)))))
 
 (define knot-resolver-shepherd-services
   (match-lambda
-- 
2.41.0

[bug#68621] [PATCH v2 4/4] gnu: knot-resolver: version to 5.7.2

[Dale Mellor]

From: Dale Mellor <black-hole@rdmp.org>

  * gnu/packages/dns.scm (knot-resolver): Version to 5.7.2.
---
 gnu/packages/dns.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bb86fd34f8..d8b3606f10 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -984,14 +984,14 @@ (define (move source target file)
 (define-public knot-resolver
   (package
     (name "knot-resolver")
-    (version "5.7.1")
+    (version "5.7.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://secure.nic.cz/files/knot-resolver/"
                                   "knot-resolver-" version ".tar.xz"))
               (sha256
                (base32
-                "18n3jh17d22xmzpg8syw2dm85vv7jchdc4hzk5x78lqxqqav856s"))))
+                "03wszdrx5wcd0gz9h4p0ggn67n59almnb2h2m38c5m7wj1rj4sjz"))))
     (build-system meson-build-system)
     (outputs '("out" "doc"))
     (arguments
-- 
2.41.0

[bug#68621] [PATCH v2 0/4] Allow use of DNSSEC in knot-resolver service

[Dale Mellor]

As per previous messages.