feat(api): allow moving between nslord backends

Author: nils-wisiol

api/api/settings.py

@@ -178,6 +178,12 @@
 NSLORD_KNOT_HOST = os.environ.get("DESECSTACK_NSLORD_KNOT_HOST", "nslord_knot")
 NSLORD_KNOT_PORT = int(os.environ.get("DESECSTACK_NSLORD_KNOT_PORT", "53"))
 NSLORD_KNOT_TIMEOUT = float(os.environ.get("DESECSTACK_NSLORD_KNOT_TIMEOUT", "5"))
+NSLORD_KNOT_KEY_READY_TIMEOUT = float(
+    os.environ.get("DESECSTACK_NSLORD_KNOT_KEY_READY_TIMEOUT", "30")
+)
+NSLORD_KNOT_IMPORT_DIR = os.environ.get(
+    "DESECSTACK_NSLORD_KNOT_IMPORT_DIR", "/knot-import"
+)
 NSLORD_KNOT_UPDATE_KEY_NAME = os.environ.get(
     "DESECSTACK_NSLORD_KNOT_UPDATE_KEY_NAME", "nslord-update"
 )

api/desecapi/migrations/0047_domain_csk_private_key.py

@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("desecapi", "0046_domain_nslord"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="domain",
+            name="csk_private_key_encrypted",
+            field=models.BinaryField(blank=True, null=True),
+        ),
+    ]

api/desecapi/models/domains.py

@@ -15,7 +15,7 @@
 from dns.resolver import NoNameservers
 from rest_framework.exceptions import APIException
 
-from desecapi import logger, metrics, nslord
+from desecapi import crypto, logger, metrics, nslord
 
 from .base import validate_domain_name
 from .records import RRset
@@ -66,6 +66,7 @@ class RenewalState(models.IntegerChoices):
     nslord = models.CharField(
         max_length=16, choices=NSLord.choices, default=NSLord.PDNS
     )
+    csk_private_key_encrypted = models.BinaryField(null=True, blank=True)
     renewal_state = models.IntegerField(
         choices=RenewalState.choices, db_index=True, default=RenewalState.IMMORTAL
     )
@@ -302,6 +303,25 @@ def update_delegation(self, child_domain: Domain):
     def delete(self, *args, **kwargs):
         ret = super().delete(*args, **kwargs)
         logger.warning(f"Domain {self.name} deleted (owner: {self.owner.pk})")
+
+    def set_csk_private_key(self, private_key: str | None) -> None:
+        if private_key is None:
+            self.csk_private_key_encrypted = None
+        else:
+            if self.pk is None:
+                raise ValueError("Domain must be saved before storing private key")
+            self.csk_private_key_encrypted = crypto.encrypt(
+                private_key.encode(), context=f"domain_csk:{self.pk}"
+            )
+        self.save(update_fields=["csk_private_key_encrypted"])
+
+    def get_csk_private_key(self) -> str | None:
+        if not self.csk_private_key_encrypted:
+            return None
+        _, decrypted = crypto.decrypt(
+            self.csk_private_key_encrypted, context=f"domain_csk:{self.pk}"
+        )
+        return decrypted.decode()
         return ret
 
     def __str__(self):

api/desecapi/nslord.py

@@ -1,10 +1,28 @@
 import logging
 
+import dns.message
+import dns.name
+import dns.query
+import dns.rdataclass
+import dns.rdatatype
+import dns.zone
+from django.conf import settings
+
 from desecapi import knot, pdns
 from desecapi.exceptions import KnotException
 
 logger = logging.getLogger(__name__)
 
+_DNSSEC_TYPES = {
+    "DNSKEY",
+    "CDS",
+    "CDNSKEY",
+    "RRSIG",
+    "NSEC",
+    "NSEC3",
+    "NSEC3PARAM",
+}
+
 
 def get_keys(domain):
     if getattr(domain, "nslord", None) == "knot":
@@ -22,3 +40,79 @@ def get_zonefile(domain) -> bytes:
     if getattr(domain, "nslord", None) == "knot":
         return knot.get_zonefile(domain)
     return pdns.get_zonefile(domain)
+
+
+def get_zonefile_without_dnssec(domain) -> bytes:
+    zonefile = get_zonefile(domain).decode()
+    rrsets = zonefile_to_rrsets(domain.name, zonefile)
+    return rrsets_to_zonefile(domain.name, rrsets).encode()
+
+
+def zonefile_to_rrsets(domain_name: str, zonefile: str):
+    zone = dns.zone.from_text(
+        zonefile,
+        origin=dns.name.from_text(domain_name),
+        allow_include=False,
+        check_origin=False,
+        relativize=False,
+    )
+    rrsets = []
+    for name, rdataset in zone.iterate_rdatasets():
+        rtype = dns.rdatatype.to_text(rdataset.rdtype)
+        if rtype in _DNSSEC_TYPES:
+            continue
+        rrsets.append(
+            {
+                "name": name.to_text(),
+                "type": rtype,
+                "ttl": rdataset.ttl,
+                "records": [rdata.to_text() for rdata in rdataset],
+            }
+        )
+    return rrsets
+
+
+def rrsets_to_zonefile(domain_name: str, rrsets) -> str:
+    lines = []
+    for rrset in rrsets:
+        name = rrset["name"]
+        ttl = rrset["ttl"]
+        rtype = rrset["type"]
+        for record in rrset["records"]:
+            lines.append(f"{name}\t{ttl}\tIN\t{rtype}\t{record}")
+    return "\n".join(lines) + "\n"
+
+
+def get_csk_private_key(domain):
+    if getattr(domain, "nslord", None) == "knot":
+        return domain.get_csk_private_key()
+    private_key = pdns.get_csk_private_key(domain.name)
+    return private_key or domain.get_csk_private_key()
+
+
+def get_soa_serial(domain):
+    name = domain.name.rstrip(".") + "."
+    if getattr(domain, "nslord", None) == "knot":
+        host = settings.NSLORD_KNOT_HOST
+        port = settings.NSLORD_KNOT_PORT
+        timeout = settings.NSLORD_KNOT_TIMEOUT
+    else:
+        host = "nslord"
+        port = 53
+        timeout = 5
+    query = dns.message.make_query(name, dns.rdatatype.SOA)
+    host = pdns.gethostbyname_cached(host)
+    try:
+        response = dns.query.tcp(query, host, port=port, timeout=timeout)
+    except Exception:
+        logger.warning("SOA serial query failed for %s", name, exc_info=True)
+        return None
+    rrset = response.get_rrset(
+        dns.message.ANSWER,
+        dns.name.from_text(name),
+        dns.rdataclass.IN,
+        dns.rdatatype.SOA,
+    )
+    if rrset is None:
+        return None
+    return rrset[0].serial

api/desecapi/pdns.py

@@ -1,9 +1,16 @@
 import json
 import re
 import socket
+import time
 from functools import cache
 from hashlib import sha1
 
+import dns.message
+import dns.name
+import dns.query
+import dns.rdataclass
+import dns.rdatatype
+import dns.rcode
 import requests
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -182,6 +189,24 @@ def delete_cryptokey(domain_name, key_id):
     _pdns_delete(NSLORD, "/zones/%s/cryptokeys/%s" % (pdns_id(domain_name), key_id))
 
 
+def get_csk_private_key(domain_name):
+    keys = list_cryptokeys(domain_name)
+    candidates = [
+        key
+        for key in keys
+        if key.get("keytype") == "csk" or key.get("keytype") == "CSK"
+    ]
+    if not candidates:
+        candidates = keys
+    for key in candidates:
+        if not key.get("active", True):
+            continue
+        private_key = key.get("privatekey") or key.get("content")
+        if private_key:
+            return private_key
+    return None
+
+
 def get_zone(domain):
     """
     Retrieves a dict representation of the zone from pdns
@@ -309,6 +334,26 @@ def import_csk_key(name, *, dnskey, private_key):
     return cryptokey
 
 
+def import_zonefile_rrsets(name, rrsets):
+    data = {
+        "rrsets": [
+            {
+                "name": rrset["name"],
+                "type": rrset["type"],
+                "ttl": min(rrset["ttl"], settings.DEFAULT_NS_TTL),
+                "changetype": "REPLACE",
+                "records": [
+                    {"content": record, "disabled": False}
+                    for record in rrset["records"]
+                ],
+            }
+            for rrset in rrsets
+        ]
+    }
+    if data["rrsets"]:
+        update_zone(name, data)
+
+
 def delete_zone(name, server):
     _pdns_delete(server, "/zones/" + pdns_id(name))
 
@@ -329,6 +374,17 @@ def axfr_to_master(zone):
     _pdns_put(NSMASTER, "/zones/%s/axfr-retrieve" % pdns_id(zone))
 
 
+def wait_for_master_zone(zone, *, attempts=20, delay_seconds=0.5):
+    zone_id = pdns_id(zone)
+    for _ in range(attempts):
+        try:
+            _pdns_get(NSMASTER, "/zones/%s" % zone_id)
+            return True
+        except PDNSException:
+            time.sleep(delay_seconds)
+    return False
+
+
 def rectify_zone(name):
     _pdns_put(NSLORD, "/zones/%s/rectify" % pdns_id(name))