import ./make-test-python.nix ({ pkgs, lib, ...} : let common = { networking.firewall.enable = false; networking.useDHCP = false; }; exampleZone = pkgs.writeTextDir "example.com.zone" '' @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800 @ NS ns1 @ NS ns2 ns1 A 192.168.0.1 ns1 AAAA fd00::1 ns2 A 192.168.0.2 ns2 AAAA fd00::2 www A 192.0.2.1 www AAAA 2001:DB8::1 sub NS ns.example.com. ''; delegatedZone = pkgs.writeTextDir "sub.example.com.zone" '' @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800 @ NS ns1.example.com. @ NS ns2.example.com. @ A 192.0.2.2 @ AAAA 2001:DB8::2 ''; knotZonesEnv = pkgs.buildEnv { name = "knot-zones"; paths = [ exampleZone delegatedZone ]; }; # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store! tsigFile = pkgs.writeText "tsig.conf" '' key: - id: xfr_key algorithm: hmac-sha256 secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s= ''; in { name = "knot"; meta = with pkgs.lib.maintainers; { maintainers = [ hexa ]; }; nodes = { primary = { lib, ... }: { imports = [ common ]; # trigger sched_setaffinity syscall virtualisation.cores = 2; networking.interfaces.eth1 = { ipv4.addresses = lib.mkForce [ { address = "192.168.0.1"; prefixLength = 24; } ]; ipv6.addresses = lib.mkForce [ { address = "fd00::1"; prefixLength = 64; } ]; }; services.knot.enable = true; services.knot.extraArgs = [ "-v" ]; services.knot.keyFiles = [ tsigFile ]; services.knot.settings = { server = { listen = [ "0.0.0.0@53" "::@53" ]; listen-quic = [ "0.0.0.0@853" "::@853" ]; automatic-acl = true; }; acl.secondary_acl = { address = "192.168.0.2"; key = "xfr_key"; action = "transfer"; }; remote.secondary.address = "192.168.0.2@53"; template.default = { storage = knotZonesEnv; notify = [ "secondary" ]; acl = [ "secondary_acl" ]; dnssec-signing = true; # Input-only zone files # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 # prevents modification of the zonefiles, since the zonefiles are immutable zonefile-sync = -1; zonefile-load = "difference"; journal-content = "changes"; }; zone = { "example.com".file = "example.com.zone"; "sub.example.com".file = "sub.example.com.zone"; }; log.syslog.any = "info"; }; }; secondary = { lib, ... }: { imports = [ common ]; networking.interfaces.eth1 = { ipv4.addresses = lib.mkForce [ { address = "192.168.0.2"; prefixLength = 24; } ]; ipv6.addresses = lib.mkForce [ { address = "fd00::2"; prefixLength = 64; } ]; }; services.knot.enable = true; services.knot.keyFiles = [ tsigFile ]; services.knot.extraArgs = [ "-v" ]; services.knot.settings = { server = { automatic-acl = true; }; xdp = { listen = [ "eth1" ]; tcp = true; }; remote.primary = { address = "192.168.0.1@53"; key = "xfr_key"; }; remote.primary-quic = { address = "192.168.0.1@853"; key = "xfr_key"; quic = true; }; template.default = { # zonefileless setup # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2 zonefile-sync = "-1"; zonefile-load = "none"; journal-content = "all"; }; zone = { "example.com" = { master = "primary"; file = "example.com.zone"; }; "sub.example.com" = { master = "primary-quic"; file = "sub.example.com.zone"; }; }; log.syslog.any = "debug"; }; }; client = { lib, nodes, ... }: { imports = [ common ]; networking.interfaces.eth1 = { ipv4.addresses = [ { address = "192.168.0.3"; prefixLength = 24; } ]; ipv6.addresses = [ { address = "fd00::3"; prefixLength = 64; } ]; }; environment.systemPackages = [ pkgs.knot-dns ]; }; }; testScript = { nodes, ... }: let primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address; primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address; secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address; secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address; in '' import re start_all() client.wait_for_unit("network.target") primary.wait_for_unit("knot.service") secondary.wait_for_unit("knot.service") for zone in ("example.com.", "sub.example.com."): secondary.wait_until_succeeds( f"knotc zone-status {zone} | grep -q 'serial: 2019031302'" ) def test(host, query_type, query, pattern): out = client.succeed(f"khost -t {query_type} {query} {host}").strip() client.log(f"{host} replied with: {out}") assert re.search(pattern, out), f'Did not match "{pattern}"' for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"): with subtest(f"Interrogate {host}"): test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.") test(host, "A", "example.com", r"has no [^ ]+ record") test(host, "AAAA", "example.com", r"has no [^ ]+ record") test(host, "A", "www.example.com", r"address 192.0.2.1$") test(host, "AAAA", "www.example.com", r"address 2001:db8::1$") test(host, "NS", "sub.example.com", r"nameserver is ns\d\.example\.com.$") test(host, "A", "sub.example.com", r"address 192.0.2.2$") test(host, "AAAA", "sub.example.com", r"address 2001:db8::2$") test(host, "RRSIG", "www.example.com", r"RR set signature is") test(host, "DNSKEY", "example.com", r"DNSSEC key is") primary.log(primary.succeed("systemd-analyze security knot.service | grep -v '✓'")) ''; })