Subject: bug#26829: Add knot service
Resent-From: Julien Lepiller
Resent-Date: Mon, 08 May 2017 15:24:02 +0000
To: 26829@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
X-GNU-PR-Package: guix-patches
Date: Mon, 8 May 2017 17:22:23 +0200
From: Julien Lepiller
Message-ID: <20170508172223.7fbc9705@lepiller.eu>

Hi,

here is a new service for knot, an authoritative DNS server. I have not yet tested all the possible combinations in the configuration, but at least the examples in the documentation work.

Attachment: 0001-gnu-Add-knot-service-type.patch

From 13f6ef594dd5d59d0f326863d1e10bc2a8112c21 Mon Sep 17 00:00:00 2001
From: Julien Lepiller Date: Mon, 1 May 2017 21:41:45 +0200 Subject: [PATCH] gnu: Add knot-service-type. * gnu/services/dns.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (DNS Services): New subsubsection. --- doc/guix.texi | 410 +++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/dns.scm | 593 +++++++++++++++++++++++++++++++++++++++++++++++= ++++ 3 files changed, 1004 insertions(+) create mode 100644 gnu/services/dns.scm diff --git a/doc/guix.texi b/doc/guix.texi index 4446909ed..0abaf54e3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -216,6 +216,7 @@ Services * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. @@ -8700,6 +8701,7 @@ declaration. * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. 
@@ -13483,6 +13485,414 @@ Whether the server should add its configuration t= o response. @end table @end deftp =20 +@node DNS Services +@subsubsection DNS Services +@cindex DNS (domain name system) +@cindex domain name system (DNS) + +The @code{(gnu services dns)} module provides services related to the +@dfn{domain name system} (DNS). It provides a server service for hosting +an @emph{authoritative} DNS server for multiple zones, slave or master. +This service uses @uref{https://www.knot-dns.cz/, Knot DNS}. + +An example configuration of an authoritative server for two zones, one mas= ter +and one slave, is: + +@lisp +(define-zone-entries example.org.zone +;; Name TTL Class Type Data + ("@@" "" "IN" "A" "127.0.0.1") + ("@@" "" "IN" "NS" "ns") + ("ns" "" "IN" "A" "127.0.0.1")) + +(define master-zone + (knot-zone-configuration + (domain "example.org") + (zone (zone-file + (origin "example.org") + (entries example.org.zone))))) + +(define slave-zone + (knot-zone-configuration + (domain "plop.org") + (dnssec-policy "default") + (master (list "plop-master")))) + +(define plop-master + (knot-remote-configuration + (id "plop-master") + (address (list "208.76.58.171")))) + +(operating-system + ;; ... + (services (cons* (service knot-service-type + (knot-confifguration + (remotes (list plop-master)) + (zones (list maste-zone slave-zone)))) + ;; ... + %base-services))) +@end lisp + +@deffn {Scheme Variable} knot-service-type +This is the type for the Knot DNS server. + +Knot DNS is an authoritative DNS server, meaning that it can serve multiple +zones, that is to say domain names you would buy from a registrar. This s= erver +is not a resolver, meaning that it can only resolve names for which it is +authoritative. This server can be configured to serve zones as a master s= erver +or a slave server as a per-zone basis. Slave zones will get their data fr= om +masters, and will serve it as an authoritative server. 
From the point of = view +of a resolver, there is no difference between master and slave. + +The following data types are used to configure the Knot DNS server: +@end deffn + +@deftp {Data Type} knot-key-configuration +Data type representing a key. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for other configuration fields to refer to this key. IDs must +be unique and must not be empty. + +@item @code{algorithm} (default: @code{#f}) +The algorithm to use. Choose between @code{#f}, @code{'hmac-md5}, +@code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-s= ha384} +and @code{'hmac-sha512}. + +@item @code{secret} (default: @code{""}) +The secret key itself. + +@end table +@end deftp + +@deftp {Data Type} knot-acl-configuration +Data type representing an Access Control List (ACL) configuration. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for ether configuration fields to refer to this key. IDs mus= t be +unique and must not be empty. + +@item @code{address} (default: @code{'()}) +An ordered list of IP addresses, network subnets, or network ranges repres= ented +with strings. The query must match one of them. Empty value means that +address match is not required. + +@item @code{key} (default: @code{'()}) +An ordered list of references to keys represented with strings. The string +must match a key ID defined in a @code{knot-key-configuration}. No key me= ans +that a key is not require to match that ACL. + +@item @code{action} (default: @code{'()}) +An ordered list of actions that are permitted or forbidden by this ACL. P= ossible +values are lists of zero or more elements from @code{'transfer}, @code{'no= tify} +and @code{'update}. + +@item @code{deny?} (default: @code{#f}) +When true, the ACL defines restrictions. Listed actions are forbidden. W= hen +false, listed actions are allowed. 
+ +@end table +@end deftp + +@deftp {Data Type} zone-entry +Data type represnting a record entry in a zone file. +This type has the following parameters: + +@table @asis +@item @code{name} (default: @code{"@@"}) +The name of the record. @code{"@@"} refers to the origin of the zone. Na= mes +are relative to the origin of the zone. For example, in the @code{example= .org} +zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.exam= ple.org}. +Names ending with a dot are absolute, which means that @code{"ns.example.o= rg."} +refers to @code{ns.example.org}. + +@item @code{ttl} (default: @code{""}) +The Time-To-Live (TTL) of this record. If not set, the default TTL is use= d. + +@item @code{class} (default: @code{"IN"}) +The class of the record. Knot currently supports only @code{"IN"} and +partially @code{"CH"}. + +@item @code{type} (default: @code{"A"}) +The type of the record. Common types include A (IPv4 address), AAAA (IPv6 +address), NS (Name Server) and MX (Mail eXchange). Many other types are +defined. + +@item @code{data} (default: @code{""}) +The data contained in the record. For instance an IP address associated w= ith +an A record, or a domain name associated with an NS record. Remember that +domain names are relative to the origin unless they end with a dot. + +@end table +@end deftp + +@deftp {Data Type} zone-file +Data type representing the content of a zone file. +This type has the following parameters: + +@table @asis +@item @code{entries} (default: @code{'()}) +The list of entries. The SOA record is taken care of, so you don't need to +put it in the list of entries. This list should probably contain an entry +for your primary authoritative DNS server. Other than using a list of ent= ries +directly, you can use @code{define-zone-entries} to define a object contai= ning +the list of entries more easily, that you can later pass to the @code{entr= ies} +field of the @code{zone-file}. 
+ +@item @code{origin} (default: @code{""}) +The name of your zone. This parameter cannot be empty. + +@item @code{ns} (default: @code{"ns"}) +The domain of your primary authoritative DNS server. The name is relative= to +the origin, unless it ends with a dot. It is mandatory that this primary +DNS server corresponds to an NS record in the zone and that it is associat= ed +to an IP address in the list of entries. + +@item @code{mail} (default: @code{"hostmaster"}) +An email address people can contact you at, as the owner of the zone. This +is translated as @code{@@}. + +@item @code{serial} (default: @code{1}) +The serial number of the zone. As this is used to keep track of changes by +both slaves and resolvers, it is mandatory that it @emph{never} decreases. +Always increment it when you make a change in your zone. + +@item @code{refresh} (default: @code{"2d"}) +The frequency at which slaves will do a zone transfer. This value can be +a number of seconds or a number of some unit between: +@itemize +@item m: minute +@item h: hour +@item d: day +@item w: week +@end itemize + +@item @code{retry} (default: @code{"15m"}) +The period after which a slave will retry to contact its master when it fa= ils +to do so a first time. + +@item @code{expiry} (default: @code{"2w"}) +Default TTL of records. Existing records are considered correct for at mo= st +this amount of time. After this period, resolvers will invalidate their c= ache +and check again that it still exists. + +@item @code{nx} (default: @code{"1h"}) +Default TTL of inexistant records. This delay is usually short because yo= u want +your new domains to reach everyone quickly. + +@end table +@end deftp + +@deftp {Data Type} knot-remote-configuration +Data type representing a remote configuration. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for other configuration fields to refer to this remote. IDs = must +be unique and must not be empty. 
+ +@item @code{address} (default: @code{'()}) +An ordered list of destination IP addresses. Addresses are tried in seque= nce. +An optional port can be given with the @@ separator. For instance: +@code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53. + +@item @code{via} (default: @code{'()}) +An ordered list of source IP addresses. An empty list will have Knot choo= se +an appropriate source IP. An optional port can be given with the @@ separ= ator. +The default is to choose at random. + +@item @code{key} (default: @code{#f}) +A reference to a key, that is a string containing the identifier of a key +defined in a @code{knot-key-configuration} field. + +@end table +@end deftp + +@deftp {Data Type} knot-keystore-configuration +Data type representing a keystore to hold dnssec keys. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +The id of the keystore. It must not be empty. + +@item @code{backend} (default: @code{'pem}) +The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}. + +@item @code{config} (default: @code{"/var/lib/knot/keys/keys"}) +The configuration string of the backend. An example for the PKCS#11 is: +@code{"pkcs11:token=3Dknot;pin-value=3D1234 /gnu/store/.../lib/pkcs11/libs= ofthsm2.so"}. +For the pem backend, the string reprensents a path in the filesystem. + +@end table +@end deftp + +@deftp {Data Type} knot-policy-configuration +Data type representing a dnssec policy. Knot DNS is able to automatically +sign your zones. It can either generate and manage your keys automaticall= y or +use keys that you generate. + +Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that= is +used to sign the second, and a Zone Signing Key (ZSK) that is used to sign= the +zone. In order to be trusted, the KSK needs to be present in the parent z= one +(usually a top-level domain). 
If your registrar supports dnssec, you will +have to send them your KSK's hash so they can add a DS record in their zon= e. +This is not automated and need to be done each time you change your KSK. + +The policy also defines the lifetime of keys. Usually, ZSK can be changed +easily and use weaker cryptographic functions (they use lower parameters) = in +order to sign records quickly, so they are changed often. The KSK however +requires manual interaction with the registrar, so they are changed less o= ften +and use stronger parameters because they sign only one record. + +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +The id of the policy. It must not be empty. + +@item @code{keystore} (default: @code{"default"}) +A reference to a keystore, that is a string containing the identifier of a +keystore defined in a @code{knot-keystore-configuration} field. The +@code{"default"} identifier means the default keystore (a kasp database th= at +was setup by this service). + +@item @code{manual?} (default: @code{#f}) +Whether the key management is manual or automatic. =20 + +@item @code{single-type-signing?} (default: @code{#f}) +When @code{#t}, use the Single-Type Signing Scheme. + +@item @code{algorithm} (default: @code{"ecdsap256sha256"}) +An algorithm of signing keys and issued signatures. + +@item @code{ksk-size} (default: @code{256}) +The length of the KSK. Note that this value is correct for the default +algorithm, but would be unsecure for other algorithms. + +@item @code{zsk-size} (default: @code{256}) +The length of the ZSK. Note that this value is correct for the default +algorithm, but would be unsecure for other algorithms. + +@item @code{dnskey-ttl} (default: @code{'default}) +The TTL value for DNSKEY records added into zone apex. The special +@code{'default} value means same as the zone SOA TTL. 
+ +@item @code{zsk-lifetime} (default: @code{"30d"}) +The period between ZSK publication and the next rollover initiation. + +@item @code{propagation-delay} (default: @code{"1d"}) +An extra delay added for each key rollover step. This value should be high +enough to cover propagation of data from the master server to all slaves. + +@item @code{rrsig-lifetime} (default: @code{"14d"}) +A validity period of newly issued signatures. + +@item @code{rrsig-refresh} (default: @code{"7d"}) +A period how long before a signature expiration the signature will be refr= eshed. + +@item @code{nsec3?} (default: @code{#f}) +When @code{#t}, NSEC3 will be used instead of NSEC. + +@item @code{nsec3-iterations} (default: @code{5}) +The number of additional times the hashing is performed. + +@item @code{nsec3-salt-length} (default: @code{8}) +The length of a salt field in octets, which is appended to the original ow= ner +name before hashing. + +@item @code{nsec3-salt-lifetime} (default: @code{"30d"}) +The validity period of newly issued salt field. + +@end table +@end deftp + +@deftp {Data Type} knot-zone-configuration +Data type representing a zone served by Knot. +This type has the following parameters: + +@table @asis +@item @code{domain} (default: @code{""}) +The domain served by this configuration. It must not be empty. + +@item @code{file} (default: @code{""}) +The file where this zone is saved. This parameter is ignored by master zo= nes. +Empty means default location that depends on the domain name. + +@item @code{zone} (default: @code{(zone-file)}) +The content of the zone file. This parameter is ignored by slave zones. = It +must contain a zone-file record. + +@item @code{master} (default: @code{'()}) +A list of master remotes. When empty, this zone is a master. When set, t= his +zone is a slave. This is a list of remotes identifiers. + +@item @code{ddns-master} (default: @code{#f}) +The main master. When empty, it defaults to the first master in the list = of +masters. 
+ +@item @code{notify} (default: @code{'()}) +A list of slave remote identifiers. + +@item @code{acl} (default: @code{'()}) +A list of acl identifiers. + +@item @code{semantic-checks?} (default: @code{#f}) +When set, this adds more semantic checks to the zone. + +@item @code{disable-any?} (default: @code{#f}) +When set, this forbids queries of the ANY type. + +@item @code{zonefile-sync} (default: @code{0}) +The delay between a modification in memory and on disk. 0 means immediate +synchronization. + +@item @code{serial-policy} (default: @code{'increment}) +A policy between @code{'increment} and @code{'unixtime}. + +@end table +@end deftp + +@deftp {Data Type} knot-configuration +Data type representing the Knot configuration. +This type has the following parameters: + +@table @asis +@item @code{knot} (default: @code{knot}) +The Knot package. + +@item @code{run-directory} (default: @code{"/var/run/knot"}) +The run directory. This directory will be used for pid file and sockets. + +@item @code{listen-v4} (default: @code{"0.0.0.0"}) +An ip address on which to listen. + +@item @code{listen-v6} (default: @code{"::"}) +An ip address on which to listen. + +@item @code{listen-port} (default: @code{53}) +A port on which to listen. + +@item @code{keys} (default: @code{'()}) +The list of knot-key-configuration used by this configuration. + +@item @code{acls} (default: @code{'()}) +The list of knot-acl-configuration used by this configuration. + +@item @code{remotes} (default: @code{'()}) +The list of knot-remote-configuration used by this configuration. + +@item @code{zones} (default: @code{'()}) +The list of knot-zone-configuration used by this configuration. + +@end table +@end deftp + @node VPN Services @subsubsection VPN Services @cindex VPN (virtual private network) diff --git a/gnu/local.mk b/gnu/local.mk index dcf9b14ce..c40928a83 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -423,6 +423,7 @@ GNU_SYSTEM_MODULES =3D \ %D%/services/dbus.scm \ %D%/services/desktop.scm \ %D%/services/dict.scm \ + %D%/services/dns.scm \ %D%/services/kerberos.scm \ %D%/services/lirc.scm \ %D%/services/mail.scm \ diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm new file mode 100644 index 000000000..2ed7b9e22 --- /dev/null +++ b/gnu/services/dns.scm 
@@ -0,0 +1,593 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2017 Julien Lepiller +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services dns) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) + #:use-module (gnu packages dns) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:use-module (ice-9 match) + #:use-module (ice-9 regex) + #:export (knot-service-type + knot-acl-configuration + knot-key-configuration + knot-keystore-configuration + knot-zone-configuration + knot-remote-configuration + knot-policy-configuration + knot-configuration + define-zone-entries + zone-file + zone-entry)) + +;;; +;;; Knot DNS. +;;; + +(define-record-type* + knot-key-configuration make-knot-key-configuration + knot-key-configuration? + (id knot-key-configuration-id + (default "")) + (algorithm knot-key-configuration-algorithm + (default #f)); one of #f, or an algorithm name + (secret knot-key-configuration-secret + (default ""))) + +(define-record-type* + knot-acl-configuration make-knot-acl-configuration + knot-acl-configuration? 
+ (id knot-acl-configuration-id + (default "")) + (address knot-acl-configuration-address + (default '())) + (key knot-acl-configuration-key + (default '())) + (action knot-acl-configuration-action + (default '())) + (deny? knot-acl-configuration-deny? + (default #f))) + +(define-record-type* + zone-entry make-zone-entry + zone-entry? + (name zone-entry-name + (default "@")) + (ttl zone-entry-ttl + (default "")) + (class zone-entry-class + (default "IN")) + (type zone-entry-type + (default "A")) + (data zone-entry-data + (default ""))) + +(define-record-type* + zone-file make-zone-file + zone-file? + (entries zone-file-entries + (default '())) + (origin zone-file-origin + (default "")) + (ns zone-file-ns + (default "ns")) + (mail zone-file-mail + (default "hostmaster")) + (serial zone-file-serial + (default 1)) + (refresh zone-file-refresh + (default "2d")) + (retry zone-file-retry + (default "15m")) + (expiry zone-file-expiry + (default "2w")) + (nx zone-file-nx + (default "1h"))) +(define-record-type* + knot-keystore-configuration make-knot-keystore-configuration + knot-keystore-configuration? + (id knot-keystore-configuration-id + (default "")) + (backend knot-keystore-configuration-backend + (default 'pem)) + (config knot-keystore-configuration-config + (default "/var/lib/knot/keys/keys"))) + +(define-record-type* + knot-policy-configuration make-knot-policy-configuration + knot-policy-configuration? + (id knot-policy-configuration-id + (default "")) + (keystore knot-policy-configuration-keystore + (default "default")) + (manual? knot-policy-configuration-manual? + (default #f)) + (single-type-signing? knot-policy-configuration-single-type-signing? 
+ (default #f)) + (algorithm knot-policy-configuration-algorithm + (default "ecdsap256sha256")) + (ksk-size knot-policy-configuration-ksk-size + (default 256)) + (zsk-size knot-policy-configuration-zsk-size + (default 256)) + (dnskey-ttl knot-policy-configuration-dnskey-ttl + (default 'default)) + (zsk-lifetime knot-policy-configuration-zsk-lifetime + (default "30d")) + (propagation-delay knot-policy-configuration-propagation-delay + (default "1d")) + (rrsig-lifetime knot-policy-configuration-rrsig-lifetime + (default "14d")) + (rrsig-refresh knot-policy-configuration-rrsig-refresh + (default "7d")) + (nsec3? knot-policy-configuration-nsec3? + (default #f)) + (nsec3-iterations knot-policy-configuration-nsec3-iterations + (default 5)) + (nsec3-salt-length knot-policy-configuration-nsec3-salt-length + (default 8)) + (nsec3-salt-lifetime knot-policy-configuration-nsec3-salt-lifetime + (default "30d"))) + +(define-record-type* + knot-zone-configuration make-knot-zone-configuration + knot-zone-configuration? + (domain knot-zone-configuration-domain + (default "")) + (file knot-zone-configuration-file + (default "")) ; the file where this zone is saved. + (zone knot-zone-configuration-zone + (default (zone-file))) ; initial content of the zone f= ile + (master knot-zone-configuration-master + (default '())) + (ddns-master knot-zone-configuration-ddns-master + (default #f)) + (notify knot-zone-configuration-notify + (default '())) + (acl knot-zone-configuration-acl + (default '())) + (semantic-checks? knot-zone-configuration-semantic-checks? + (default #f)) + (disable-any? knot-zone-configuration-disable-any? + (default #f)) + (zonefile-sync knot-zone-configuration-zonefile-sync + (default 0)) + (dnssec-policy knot-zone-configuration-dnssec-policy + (default #f)) + (serial-policy knot-zone-configuration-serial-policy + (default 'increment))) + +(define-record-type* + knot-remote-configuration make-knot-remote-configuration + knot-remote-configuration? 
+ (id knot-remote-configuration-id + (default "")) + (address knot-remote-configuration-address + (default '())) + (via knot-remote-configuration-via + (default '())) + (key knot-remote-configuration-key + (default #f))) + +(define-record-type* + knot-configuration make-knot-configuration + knot-configuration? + (knot knot-configuration-knot + (default knot)) + (run-directory knot-configuration-run-directory + (default "/var/run/knot")) + (listen-v4 knot-configuration-listen-v4 + (default "0.0.0.0")) + (listen-v6 knot-configuration-listen-v6 + (default "::")) + (listen-port knot-configuration-listen-port + (default 53)) + (keys knot-configuration-keys + (default '())) + (keystores knot-configuration-keystores + (default '())) + (acls knot-configuration-acls + (default '())) + (remotes knot-configuration-remotes + (default '())) + (policies knot-configuration-policies + (default '())) + (zones knot-configuration-zones + (default '()))) + +(define-syntax define-zone-entries + (syntax-rules () + ((_ id (name ttl class type data) ...) + (define id (list (make-zone-entry name ttl class type data) ...))))) + +(define (error-out msg) + (raise (condition (&message (message msg))))) + +(define (verify-knot-key-configuration key) + (unless (knot-key-configuration? key) + (error-out "keys must be a list of only knot-key-configuration.")) + (let ((id (knot-key-configuration-id key))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "key id must be a non empty string."))) + (unless (memq '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha38= 4 hmac-sha512) + (knot-key-configuration-algorithm key)) + (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1, +'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512"))) + +(define (verify-knot-keystore-configuration keystore) + (unless (knot-keystore-configuration? 
keystore) + (error-out "keystores must be a list of only knot-keystore-configurati= on.")) + (let ((id (knot-keystore-configuration-id keystore))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "keystore id must be a non empty string."))) + (unless (memq '(pem pkcs11) + (knot-keystore-configuration-backend keystore)) + (error-out "backend must be one of: 'pem or 'pkcs11"))) + +(define (verify-knot-policy-configuration policy) + (unless (knot-keystore-configuration? policy) + (error-out "policies must be a list of only knot-policy-configuration.= ")) + (let ((id (knot-policy-configuration-id policy))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "policy id must be a non empty string.")))) + +(define (verify-knot-acl-configuration acl) + (unless (knot-acl-configuration? acl) + (error-out "acls must be a list of only knot-acl-configuration.")) + (let ((id (knot-acl-configuration-id acl)) + (address (knot-acl-configuration-address acl)) + (key (knot-acl-configuration-key acl)) + (action (knot-acl-configuration-action acl))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "acl id must be a non empty string.")) + (unless (and (list? address) + (fold (lambda (x1 x2) (and (string? x1) (string? x2))) ""= address)) + (error-out "acl address must be a list of strings."))) + (unless (boolean? (knot-acl-configuration-deny? acl)) + (error-out "deny? must be #t or #f."))) + +(define (verify-knot-zone-configuration zone) + (unless (knot-zone-configuration? zone) + (error-out "zones must be a list of only knot-zone-configuration.")) + (let ((domain (knot-zone-configuration-domain zone))) + (unless (and (string? domain) (not (equal? domain ""))) + (error-out "zone domain must be a non empty string.")))) + +(define (verify-knot-remote-configuration remote) + (unless (knot-remote-configuration? 
remote) + (error-out "remotes must be a list of only knot-remote-configuration."= )) + (let ((id (knot-remote-configuration-id remote))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "remote id must be a non empty string.")))) + +(define (verify-knot-configuration config) + (unless (package? (knot-configuration-knot config)) + (error-out "knot configuration field must be a package.")) + (unless (string? (knot-configuration-run-directory config)) + (error-out "run-directory must be a string.")) + (unless (list? (knot-configuration-keys config)) + (error-out "keys must be a list of knot-key-configuration.")) + (for-each (lambda (key) (verify-knot-key-configuration key)) + (knot-configuration-keys config)) + (unless (list? (knot-configuration-keystores config)) + (error-out "keystores must be a list of knot-keystore-configuration.")) + (for-each (lambda (keystore) (verify-knot-keystore-configuration keystor= e)) + (knot-configuration-keystores config)) + (unless (list? (knot-configuration-acls config)) + (error-out "acls must be a list of knot-acl-configuration.")) + (for-each (lambda (acl) (verify-knot-acl-configuration acl)) + (knot-configuration-acls config)) + (unless (list? (knot-configuration-zones config)) + (error-out "zones must be a list of knot-zone-configuration.")) + (for-each (lambda (zone) (verify-knot-zone-configuration zone)) + (knot-configuration-zones config)) + (unless (list? (knot-configuration-policies config)) + (error-out "policies must be a list of knot-policy-configuration.")) + (for-each (lambda (policy) (verify-knot-policy-configuration policy)) + (knot-configuration-policies config)) + (unless (list? (knot-configuration-remotes config)) + (error-out "remotes must be a list of knot-remote-configuration.")) + (for-each (lambda (remote) (verify-knot-remote-configuration remote)) + (knot-configuration-remotes config)) + #t) + +(define (format-string-list l) + "Formats a list of string in YAML" + (if (eq? 
l '()) + "" + (let ((l (reverse l))) + (string-append + "[" + (fold (lambda (x1 x2) + (string-append (if (symbol? x1) (symbol->string x1) x1) = ", " + (if (symbol? x2) (symbol->string x2) x2))) + (car l) (cdr l)) + "]")))) + +(define (knot-acl-config acls) + (with-output-to-string + (lambda () + (for-each + (lambda (acl-config) + (let ((id (knot-acl-configuration-id acl-config)) + (address (knot-acl-configuration-address acl-config)) + (key (knot-acl-configuration-key acl-config)) + (action (knot-acl-configuration-action acl-config)) + (deny? (knot-acl-configuration-deny? acl-config))) + (format #t " - id: ~a\n" id) + (unless (eq? address '()) + (format #t " address: ~a\n" (format-string-list address= ))) + (unless (eq? key '()) + (format #t " key: ~a\n" (format-string-list key))) + (unless (eq? action '()) + (format #t " action: ~a\n" (format-string-list action))) + (format #t " deny: ~a\n" (if deny? "on" "off")))) + acls)))) + +(define (knot-key-config keys) + (with-output-to-string + (lambda () + (for-each + (lambda (key-config) + (let ((id (knot-key-configuration-id key-config)) + (algorithm (knot-key-configuration-algorithm key-config)) + (secret (knot-key-configuration-secret key-config))) + (format #t " - id: ~a\n" id) + (if algorithm + (format #t " algorithm: ~a\n" (symbol->string algorit= hm))) + (format #t " secret: ~a\n" secret))) + keys)))) + +(define (knot-keystore-config keystores) + (with-output-to-string + (lambda () + (for-each + (lambda (keystore-config) + (let ((id (knot-keystore-configuration-id keystore-config)) + (backend (knot-keystore-configuration-backend keystore-con= fig)) + (config (knot-keystore-configuration-config keystore-confi= g))) + (format #t " - id: ~a\n" id) + (format #t " backend: ~a\n" (symbol->string backend)) + (format #t " config: \"~a\"\n" config))) + keystores)))) + +(define (knot-policy-config policies) + (with-output-to-string + (lambda () + (for-each + (lambda (policy-config) + (let ((id (knot-policy-configuration-id 
policy-config)) + (keystore (knot-policy-configuration-keystore policy-confi= g)) + (manual? (knot-policy-configuration-manual? policy-config)) + (single-type-signing? (knot-policy-configuration-single-ty= pe-signing? + policy-config)) + (algorithm (knot-policy-configuration-algorithm policy-con= fig)) + (ksk-size (knot-policy-configuration-ksk-size policy-confi= g)) + (zsk-size (knot-policy-configuration-zsk-size policy-confi= g)) + (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy-c= onfig)) + (zsk-lifetime (knot-policy-configuration-zsk-lifetime poli= cy-config)) + (propagation-delay (knot-policy-configuration-propagation-= delay + policy-config)) + (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime + policy-config)) + (nsec3? (knot-policy-configuration-nsec3? policy-config)) + (nsec3-iterations (knot-policy-configuration-nsec3-iterati= ons + policy-config)) + (nsec3-salt-length (knot-policy-configuration-nsec3-salt-l= ength + policy-config)) + (nsec3-salt-lifetime (knot-policy-configuration-nsec3-salt= -lifetime + policy-config))) + (format #t " - id: ~a\n" id) + (format #t " keystore: ~a\n" keystore) + (format #t " manual: ~a\n" (if manual? "on" "off")) + (format #t " single-type-signing: ~a\n" (if single-type-s= igning? + "on" "off")) + (format #t " algorithm: ~a\n" algorithm) + (format #t " ksk-size: ~a\n" (number->string ksk-size)) + (format #t " zsk-size: ~a\n" (number->string zsk-size)) + (unless (eq? dnskey-ttl 'default) + (format #t " dnskey-ttl: ~a\n" dnskey-ttl)) + (format #t " zsk-lifetime: ~a\n" zsk-lifetime) + (format #t " propagation-delay: ~a\n" propagation-delay) + (format #t " rrsig-lifetime: ~a\n" rrsig-lifetime) + (format #t " nsec3: ~a\n" (if nsec3? 
"on" "off")) + (format #t " nsec3-iterations: ~a\n" + (number->string nsec3-iterations)) + (format #t " nsec3-salt-length: ~a\n" + (number->string nsec3-salt-length)) + (format #t " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifeti= me))) + policies)))) + +(define (knot-remote-config remotes) + (with-output-to-string + (lambda () + (for-each + (lambda (remote-config) + (let ((id (knot-remote-configuration-id remote-config)) + (address (knot-remote-configuration-address remote-config)) + (via (knot-remote-configuration-via remote-config)) + (key (knot-remote-configuration-key remote-config))) + (format #t " - id: ~a\n" id) + (unless (eq? address '()) + (format #t " address: ~a\n" (format-string-list address= ))) + (unless (eq? via '()) + (format #t " via: ~a\n" (format-string-list via))) + (if key + (format #t " key: ~a\n" key)))) + remotes)))) + +(define (serialize-zone-entries entries) + (with-output-to-string + (lambda () + (for-each + (lambda (entry) + (let ((name (zone-entry-name entry)) + (ttl (zone-entry-ttl entry)) + (class (zone-entry-class entry)) + (type (zone-entry-type entry)) + (data (zone-entry-data entry))) + (format #t "~a ~a ~a ~a ~a\n" name ttl class type data))) + entries)))) + +(define (serialize-zone-file zone domain) + (computed-file (string-append domain ".zone") + #~(begin + (call-with-output-file #$output + (lambda (port) + (format port "$ORIGIN ~a.\n" + #$(zone-file-origin zone)) + (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n" + #$(zone-file-ns zone) + #$(zone-file-mail zone) + #$(zone-file-serial zone) + #$(zone-file-refresh zone) + #$(zone-file-retry zone) + #$(zone-file-expiry zone) + #$(zone-file-nx zone)) + (format port "~a\n" + #$(serialize-zone-entries (zone-file-entries zone)))))= ))) + +(define (knot-zone-config zone) + (let ((content (knot-zone-configuration-zone zone))) + #~(with-output-to-string + (lambda () + (let ((domain #$(knot-zone-configuration-domain zone)) + (file #$(knot-zone-configuration-file zone)) + (master (list 
#$@(knot-zone-configuration-master zone))) + (ddns-master #$(knot-zone-configuration-ddns-master zone)) + (notify (list #$@(knot-zone-configuration-notify zone))) + (acl (list #$@(knot-zone-configuration-acl zone))) + (semantic-checks? #$(knot-zone-configuration-semantic-chec= ks? zone)) + (disable-any? #$(knot-zone-configuration-disable-any? zone= )) + (dnssec-policy #$(knot-zone-configuration-dnssec-policy zo= ne)) + (serial-policy '#$(knot-zone-configuration-serial-policy z= one))) + (format #t " - domain: ~a\n" domain) + (if (eq? master '()) + ;; This server is a master + (if (equal? file "") + (format #t " file: ~a\n" + #$(serialize-zone-file content + (knot-zone-configuration-domain= zone))) + (format #t " file: ~a\n" file)) + ;; This server is a slave (has masters) + (begin + (format #t " master: ~a\n" + #$(format-string-list + (knot-zone-configuration-master zone))) + (if ddns-master (format #t " ddns-master ~a\n" ddns= -master)))) + (unless (eq? notify '()) + (format #t " notify: ~a\n" + #$(format-string-list + (knot-zone-configuration-notify zone)))) + (unless (eq? acl '()) + (format #t " acl: ~a\n" + #$(format-string-list + (knot-zone-configuration-acl zone)))) + (format #t " semantic-checks: ~a\n" (if semantic-checks? = "on" "off")) + (format #t " disable-any: ~a\n" (if disable-any? 
"on" "of= f")) + (if dnssec-policy + (begin + (format #t " dnssec-signing: on\n") + (format #t " dnssec-policy: ~a\n" dnssec-policy))) + (format #t " serial-policy: ~a\n" + (symbol->string serial-policy))))))) + +(define (knot-config-file config) + (verify-knot-configuration config) + (computed-file "knot.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (format port "server:\n") + (format port " rundir: ~a\n" #$(knot-configuration-run-dire= ctory config)) + (format port " user: knot\n") + (format port " listen: ~a@~a\n" + #$(knot-configuration-listen-v4 config) + #$(knot-configuration-listen-port config)) + (format port " listen: ~a@~a\n" + #$(knot-configuration-listen-v6 config) + #$(knot-configuration-listen-port config)) + (format port "\nkey:\n") + (format port #$(knot-key-config (knot-configuration-keys confi= g))) + (format port "\nkeystore:\n") + (format port #$(knot-keystore-config (knot-configuration-keyst= ores config))) + (format port "\nacl:\n") + (format port #$(knot-acl-config (knot-configuration-acls confi= g))) + (format port "\nremote:\n") + (format port #$(knot-remote-config (knot-configuration-remotes= config))) + (format port "\npolicy:\n") + (format port #$(knot-policy-config (knot-configuration-policie= s config))) + (unless #$(eq? (knot-configuration-zones config) '()) + (format port "\nzone:\n") + (format port "~a\n" + (string-concatenate + (list #$@(map knot-zone-config + (knot-configuration-zones config))))= ))))))) + +(define %knot-accounts + (list (user-group (name "knot") (system? #t)) + (user-account + (name "knot") + (group "knot") + (system? 
#t) + (comment "knot dns server user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define (knot-activation config) + #~(begin + (use-modules (guix build utils)) + (define (mkdir-p/perms directory owner perms) + (mkdir-p directory) + (chown directory (passwd:uid owner) (passwd:gid owner)) + (chmod directory perms)) + (mkdir-p/perms #$(knot-configuration-run-directory config) + (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755))) + +(define (knot-shepherd-service config) + (let* ((config-file (knot-config-file config)) + (knot (knot-configuration-knot config))) + (list (shepherd-service + (documentation "Run the Knot DNS daemon.") + (provision '(knot dns)) + (requirement '(networking)) + (start #~(make-forkexec-constructor + (list (string-append #$knot "/sbin/knotd") + "-c" #$config-file))) + (stop #~(make-kill-destructor)))))) + +(define knot-service-type + (service-type (name 'knot) + (extensions + (list (service-extension shepherd-root-service-type + knot-shepherd-service) + (service-extension activation-service-type + knot-activation) + (service-extension account-service-type + (const %knot-accounts))))))
-- 
2.12.2
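Review bot: the argument order of `memq` is reversed in `verify-knot-key-configuration` and `verify-knot-keystore-configuration`, so those checks can never pass. `(memq '(#f hmac-md5 hmac-sha1 ...) (knot-key-configuration-algorithm key))` looks for the whole list inside the algorithm symbol instead of the other way round, and `(memq '(pem pkcs11) (knot-keystore-configuration-backend keystore))` has the same problem; with a symbol (or `#f`) in the list position the call either raises a wrong-type error or yields `#f`, so every key and keystore ends in `error-out`. It should read `(memq (knot-key-configuration-algorithm key) '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512))`, and likewise `(memq (knot-keystore-configuration-backend keystore) '(pem pkcs11))`.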
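Review bot: `verify-knot-policy-configuration` tests `(knot-keystore-configuration? policy)` instead of `(knot-policy-configuration? policy)`, so any genuine policy record is rejected with "policies must be a list of only knot-policy-configuration." before its id is even looked at. Looks like a copy-paste slip from the keystore verifier just above; the predicate needs to be `knot-policy-configuration?`.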
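Review bot: the address check in `verify-knot-acl-configuration` rejects any ACL with two or more addresses. SRFI-1 `fold` calls the procedure as `(proc element accumulator)`; the accumulator starts as `""` but becomes a boolean after the first element, so `(string? x2)` is `#f` from the second element onwards. `(every string? address)` expresses the intent. The `key` and `action` bindings in the same `let` are never checked; either validate them (both go through `format-string-list`, which expects a list of strings or symbols) or drop the unused bindings.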
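Review bot: two serialisation problems in `knot-zone-config` and `knot-config-file`. The DDNS master line is emitted as `(format #t " ddns-master ~a\n" ddns-master)` without the colon, so a slave zone with `ddns-master` set produces a line Knot cannot parse; it should be `" ddns-master: ~a\n"`. In `knot-config-file` the generated sections are passed as the format control string, e.g. `(format port #$(knot-key-config (knot-configuration-keys config)))`, and the same for the keystore, acl, remote and policy sections; any `~` in an id, secret, address or keystore `config` string would be interpreted as a format directive when the file is built. Use `(format port "~a" ...)` or `display` for those five calls. Also worth checking: for a master zone with `dnssec-policy` set, `file:` is the store path produced by `serialize-zone-file`, which is read-only, while Knot will want to write the signed zone back to its zone file; if that combination is meant to work, the documentation should say such zones need a writable `file`.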
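Review bot: `knot-key-config` writes each TSIG `secret:` verbatim into `knot.conf`, and `knot-config-file` builds that file with `computed-file`, so it becomes a store item. Everything under /gnu/store is readable by every user on the machine, so any local account can read the TSIG secrets (they also sit in plain text in the operating-system declaration). This deserves a prominent warning in the texinfo, and ideally the `key:` section should be able to come from a file outside the store (for example via Knot's top-level `include:` directive or a dedicated secret-file field) rather than from the generated store item. Related: `user: knot` is hard-coded in the `server:` block and the shepherd service starts `knotd` as root via `make-forkexec-constructor` without `#:user`, relying on knotd to drop privileges itself; that is reasonable for binding port 53, but say so in the docs.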
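Review bot: `knot-activation` creates `/var/lib/knot/keys` and `/var/lib/knot/keys/keys` with `#o755`. These directories are evidently meant for the DNSSEC keystore (the `pem` backend's `config` names a directory of private keys), so they should not be world-listable; `#o700`, or `#o750` with group knot, is the safer default. `#o755` for the run directory and for `/var/lib/knot` itself is fine.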
From: Tobias Geerinckx-Rice
Date: Mon, 8 May 2017 20:25:26 +0200
In-Reply-To: <20170508172223.7fbc9705@lepiller.eu>

Julien,

On 08/05/17 17:22, Julien Lepiller wrote:
> +                           (zones (list maste-zone slave-zone))))
                                           ^^^^^

This happened to catch my eye.

> here is a new service for knot, an authoritative DNS server. I have not
> yet tested all the possible combinations in the configuration, but at
> least the examples in the documentation work.

Wonderful! Knot on GuixSD (sans service) runs the primary NS for my domain. It's a great server, but its configuration file format can make doing non-trivial things quite painful. Being able to use Scheme instead sounds very nice indeed.

I'm giving it a spin.

Thanks!
T G-R

From: Tobias Geerinckx-Rice
Date: Mon, 8 May 2017 20:27:53 +0200

On 08/05/17 20:25, Tobias Geerinckx-Rice wrote:
> This happened to catch my eye.

As did this:

nckx@apollo ~/guix$ git am ~/0001-gnu-Add-knot-service-type.patch
Applying: gnu: Add knot-service-type.
.git/rebase-apply/patch:310: trailing whitespace.
Whether the key management is manual or automatic.
warning: 1 line adds whitespace errors.

Kind regards,

T G-R
From: julien lepiller
Date: Mon, 22 May 2017 09:57:10 +0200

On 2017-05-08 20:27, Tobias Geerinckx-Rice wrote:
> On 08/05/17 20:25, Tobias Geerinckx-Rice wrote:
>> This happened to catch my eye.
>
> As did this:
>
> nckx@apollo ~/guix$ git am ~/0001-gnu-Add-knot-service-type.patch
> Applying: gnu: Add knot-service-type.
> .git/rebase-apply/patch:310: trailing whitespace.
> Whether the key management is manual or automatic.
> warning: 1 line adds whitespace errors.
>
> Kind regards,
>
> T G-R

Hi Tobias,

apart from these mistakes, did you test it? I guess the lack of response from your side means it works well? Can I push this patch?
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Julien Lepiller
Subject: bug#26829: closed (Re: bug#26829: Add knot service)
Date: Sat, 27 May 2017 08:43:02 +0000

Your bug report

#26829: Add knot service

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 26829@debbugs.gnu.org.

-- 
26829: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=26829
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
Date: Sat, 27 May 2017 10:41:45 +0200
From: Julien Lepiller
To: 26829-done@debbugs.gnu.org
Subject: Re: bug#26829: Add knot service
Message-ID: <20170527104145.2d8b6867@lepiller.eu>
References: <20170508172223.7fbc9705@lepiller.eu>

On Mon, 22 May 2017 09:57:10 +0200, julien lepiller wrote:
> On 2017-05-08 20:27, Tobias Geerinckx-Rice wrote:
> > On 08/05/17 20:25, Tobias Geerinckx-Rice wrote:
> >> This happened to catch my eye.
> >
> > As did this:
> >
> > nckx@apollo ~/guix$ git am ~/0001-gnu-Add-knot-service-type.patch
> > Applying: gnu: Add knot-service-type.
> > .git/rebase-apply/patch:310: trailing whitespace.
> > Whether the key management is manual or automatic.
> > warning: 1 line adds whitespace errors.
> >
> > Kind regards,
> >
> > T G-R
>
> Hi Tobias,
>
> apart from these mistakes, did you test it? I guess the lack of
> response from your side means it works well? Can I push this patch?

So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.
Date: Mon, 8 May 2017 17:22:23 +0200
From: Julien Lepiller
To: guix-patches@gnu.org
Subject: Add knot service
Message-ID: <20170508172223.7fbc9705@lepiller.eu>

Hi,

here is a new service for knot, an authoritative DNS server. I have not yet tested all the possible combinations in the configuration, but at least the examples in the documentation work.

[Attachment: 0001-gnu-Add-knot-service-type.patch (text/x-patch)]

From 13f6ef594dd5d59d0f326863d1e10bc2a8112c21 Mon Sep 17 00:00:00 2001
From: Julien Lepiller Date: Mon, 1 May 2017 21:41:45 +0200 Subject: [PATCH] gnu: Add knot-service-type. * gnu/services/dns.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (DNS Services): New subsubsection. --- doc/guix.texi | 410 +++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/dns.scm | 593 +++++++++++++++++++++++++++++++++++++++++++++++= ++++ 3 files changed, 1004 insertions(+) create mode 100644 gnu/services/dns.scm diff --git a/doc/guix.texi b/doc/guix.texi index 4446909ed..0abaf54e3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -216,6 +216,7 @@ Services * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. @@ -8700,6 +8701,7 @@ declaration. * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* DNS Services:: DNS daemons. * VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. 
@@ -13483,6 +13485,414 @@ Whether the server should add its configuration t= o response. @end table @end deftp =20 +@node DNS Services +@subsubsection DNS Services +@cindex DNS (domain name system) +@cindex domain name system (DNS) + +The @code{(gnu services dns)} module provides services related to the +@dfn{domain name system} (DNS). It provides a server service for hosting +an @emph{authoritative} DNS server for multiple zones, slave or master. +This service uses @uref{https://www.knot-dns.cz/, Knot DNS}. + +An example configuration of an authoritative server for two zones, one mas= ter +and one slave, is: + +@lisp +(define-zone-entries example.org.zone +;; Name TTL Class Type Data + ("@@" "" "IN" "A" "127.0.0.1") + ("@@" "" "IN" "NS" "ns") + ("ns" "" "IN" "A" "127.0.0.1")) + +(define master-zone + (knot-zone-configuration + (domain "example.org") + (zone (zone-file + (origin "example.org") + (entries example.org.zone))))) + +(define slave-zone + (knot-zone-configuration + (domain "plop.org") + (dnssec-policy "default") + (master (list "plop-master")))) + +(define plop-master + (knot-remote-configuration + (id "plop-master") + (address (list "208.76.58.171")))) + +(operating-system + ;; ... + (services (cons* (service knot-service-type + (knot-confifguration + (remotes (list plop-master)) + (zones (list maste-zone slave-zone)))) + ;; ... + %base-services))) +@end lisp + +@deffn {Scheme Variable} knot-service-type +This is the type for the Knot DNS server. + +Knot DNS is an authoritative DNS server, meaning that it can serve multiple +zones, that is to say domain names you would buy from a registrar. This s= erver +is not a resolver, meaning that it can only resolve names for which it is +authoritative. This server can be configured to serve zones as a master s= erver +or a slave server as a per-zone basis. Slave zones will get their data fr= om +masters, and will serve it as an authoritative server. 
From the point of = view +of a resolver, there is no difference between master and slave. + +The following data types are used to configure the Knot DNS server: +@end deffn + +@deftp {Data Type} knot-key-configuration +Data type representing a key. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for other configuration fields to refer to this key. IDs must +be unique and must not be empty. + +@item @code{algorithm} (default: @code{#f}) +The algorithm to use. Choose between @code{#f}, @code{'hmac-md5}, +@code{'hmac-sha1}, @code{'hmac-sha224}, @code{'hmac-sha256}, @code{'hmac-s= ha384} +and @code{'hmac-sha512}. + +@item @code{secret} (default: @code{""}) +The secret key itself. + +@end table +@end deftp + +@deftp {Data Type} knot-acl-configuration +Data type representing an Access Control List (ACL) configuration. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for ether configuration fields to refer to this key. IDs mus= t be +unique and must not be empty. + +@item @code{address} (default: @code{'()}) +An ordered list of IP addresses, network subnets, or network ranges repres= ented +with strings. The query must match one of them. Empty value means that +address match is not required. + +@item @code{key} (default: @code{'()}) +An ordered list of references to keys represented with strings. The string +must match a key ID defined in a @code{knot-key-configuration}. No key me= ans +that a key is not require to match that ACL. + +@item @code{action} (default: @code{'()}) +An ordered list of actions that are permitted or forbidden by this ACL. P= ossible +values are lists of zero or more elements from @code{'transfer}, @code{'no= tify} +and @code{'update}. + +@item @code{deny?} (default: @code{#f}) +When true, the ACL defines restrictions. Listed actions are forbidden. W= hen +false, listed actions are allowed. 
+ +@end table +@end deftp + +@deftp {Data Type} zone-entry +Data type represnting a record entry in a zone file. +This type has the following parameters: + +@table @asis +@item @code{name} (default: @code{"@@"}) +The name of the record. @code{"@@"} refers to the origin of the zone. Na= mes +are relative to the origin of the zone. For example, in the @code{example= .org} +zone, @code{"ns.example.org"} actually refers to @code{ns.example.org.exam= ple.org}. +Names ending with a dot are absolute, which means that @code{"ns.example.o= rg."} +refers to @code{ns.example.org}. + +@item @code{ttl} (default: @code{""}) +The Time-To-Live (TTL) of this record. If not set, the default TTL is use= d. + +@item @code{class} (default: @code{"IN"}) +The class of the record. Knot currently supports only @code{"IN"} and +partially @code{"CH"}. + +@item @code{type} (default: @code{"A"}) +The type of the record. Common types include A (IPv4 address), AAAA (IPv6 +address), NS (Name Server) and MX (Mail eXchange). Many other types are +defined. + +@item @code{data} (default: @code{""}) +The data contained in the record. For instance an IP address associated w= ith +an A record, or a domain name associated with an NS record. Remember that +domain names are relative to the origin unless they end with a dot. + +@end table +@end deftp + +@deftp {Data Type} zone-file +Data type representing the content of a zone file. +This type has the following parameters: + +@table @asis +@item @code{entries} (default: @code{'()}) +The list of entries. The SOA record is taken care of, so you don't need to +put it in the list of entries. This list should probably contain an entry +for your primary authoritative DNS server. Other than using a list of ent= ries +directly, you can use @code{define-zone-entries} to define a object contai= ning +the list of entries more easily, that you can later pass to the @code{entr= ies} +field of the @code{zone-file}. 
+ +@item @code{origin} (default: @code{""}) +The name of your zone. This parameter cannot be empty. + +@item @code{ns} (default: @code{"ns"}) +The domain of your primary authoritative DNS server. The name is relative= to +the origin, unless it ends with a dot. It is mandatory that this primary +DNS server corresponds to an NS record in the zone and that it is associat= ed +to an IP address in the list of entries. + +@item @code{mail} (default: @code{"hostmaster"}) +An email address people can contact you at, as the owner of the zone. This +is translated as @code{@@}. + +@item @code{serial} (default: @code{1}) +The serial number of the zone. As this is used to keep track of changes by +both slaves and resolvers, it is mandatory that it @emph{never} decreases. +Always increment it when you make a change in your zone. + +@item @code{refresh} (default: @code{"2d"}) +The frequency at which slaves will do a zone transfer. This value can be +a number of seconds or a number of some unit between: +@itemize +@item m: minute +@item h: hour +@item d: day +@item w: week +@end itemize + +@item @code{retry} (default: @code{"15m"}) +The period after which a slave will retry to contact its master when it fa= ils +to do so a first time. + +@item @code{expiry} (default: @code{"2w"}) +Default TTL of records. Existing records are considered correct for at mo= st +this amount of time. After this period, resolvers will invalidate their c= ache +and check again that it still exists. + +@item @code{nx} (default: @code{"1h"}) +Default TTL of inexistant records. This delay is usually short because yo= u want +your new domains to reach everyone quickly. + +@end table +@end deftp + +@deftp {Data Type} knot-remote-configuration +Data type representing a remote configuration. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +An identifier for other configuration fields to refer to this remote. IDs = must +be unique and must not be empty. 
+ +@item @code{address} (default: @code{'()}) +An ordered list of destination IP addresses. Addresses are tried in seque= nce. +An optional port can be given with the @@ separator. For instance: +@code{(list "1.2.3.4" "2.3.4.5@@53")}. Default port is 53. + +@item @code{via} (default: @code{'()}) +An ordered list of source IP addresses. An empty list will have Knot choo= se +an appropriate source IP. An optional port can be given with the @@ separ= ator. +The default is to choose at random. + +@item @code{key} (default: @code{#f}) +A reference to a key, that is a string containing the identifier of a key +defined in a @code{knot-key-configuration} field. + +@end table +@end deftp + +@deftp {Data Type} knot-keystore-configuration +Data type representing a keystore to hold dnssec keys. +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +The id of the keystore. It must not be empty. + +@item @code{backend} (default: @code{'pem}) +The backend to store the keys in. Can be @code{'pem} or @code{'pkcs11}. + +@item @code{config} (default: @code{"/var/lib/knot/keys/keys"}) +The configuration string of the backend. An example for the PKCS#11 is: +@code{"pkcs11:token=3Dknot;pin-value=3D1234 /gnu/store/.../lib/pkcs11/libs= ofthsm2.so"}. +For the pem backend, the string reprensents a path in the filesystem. + +@end table +@end deftp + +@deftp {Data Type} knot-policy-configuration +Data type representing a dnssec policy. Knot DNS is able to automatically +sign your zones. It can either generate and manage your keys automaticall= y or +use keys that you generate. + +Dnssec is usually implemented using two keys: a Key Signing Key (KSK) that= is +used to sign the second, and a Zone Signing Key (ZSK) that is used to sign= the +zone. In order to be trusted, the KSK needs to be present in the parent z= one +(usually a top-level domain). 
If your registrar supports dnssec, you will +have to send them your KSK's hash so they can add a DS record in their zon= e. +This is not automated and need to be done each time you change your KSK. + +The policy also defines the lifetime of keys. Usually, ZSK can be changed +easily and use weaker cryptographic functions (they use lower parameters) = in +order to sign records quickly, so they are changed often. The KSK however +requires manual interaction with the registrar, so they are changed less o= ften +and use stronger parameters because they sign only one record. + +This type has the following parameters: + +@table @asis +@item @code{id} (default: @code{""}) +The id of the policy. It must not be empty. + +@item @code{keystore} (default: @code{"default"}) +A reference to a keystore, that is a string containing the identifier of a +keystore defined in a @code{knot-keystore-configuration} field. The +@code{"default"} identifier means the default keystore (a kasp database th= at +was setup by this service). + +@item @code{manual?} (default: @code{#f}) +Whether the key management is manual or automatic. =20 + +@item @code{single-type-signing?} (default: @code{#f}) +When @code{#t}, use the Single-Type Signing Scheme. + +@item @code{algorithm} (default: @code{"ecdsap256sha256"}) +An algorithm of signing keys and issued signatures. + +@item @code{ksk-size} (default: @code{256}) +The length of the KSK. Note that this value is correct for the default +algorithm, but would be unsecure for other algorithms. + +@item @code{zsk-size} (default: @code{256}) +The length of the ZSK. Note that this value is correct for the default +algorithm, but would be unsecure for other algorithms. + +@item @code{dnskey-ttl} (default: @code{'default}) +The TTL value for DNSKEY records added into zone apex. The special +@code{'default} value means same as the zone SOA TTL. 
+ +@item @code{zsk-lifetime} (default: @code{"30d"}) +The period between ZSK publication and the next rollover initiation. + +@item @code{propagation-delay} (default: @code{"1d"}) +An extra delay added for each key rollover step. This value should be high +enough to cover propagation of data from the master server to all slaves. + +@item @code{rrsig-lifetime} (default: @code{"14d"}) +A validity period of newly issued signatures. + +@item @code{rrsig-refresh} (default: @code{"7d"}) +A period how long before a signature expiration the signature will be refr= eshed. + +@item @code{nsec3?} (default: @code{#f}) +When @code{#t}, NSEC3 will be used instead of NSEC. + +@item @code{nsec3-iterations} (default: @code{5}) +The number of additional times the hashing is performed. + +@item @code{nsec3-salt-length} (default: @code{8}) +The length of a salt field in octets, which is appended to the original ow= ner +name before hashing. + +@item @code{nsec3-salt-lifetime} (default: @code{"30d"}) +The validity period of newly issued salt field. + +@end table +@end deftp + +@deftp {Data Type} knot-zone-configuration +Data type representing a zone served by Knot. +This type has the following parameters: + +@table @asis +@item @code{domain} (default: @code{""}) +The domain served by this configuration. It must not be empty. + +@item @code{file} (default: @code{""}) +The file where this zone is saved. This parameter is ignored by master zo= nes. +Empty means default location that depends on the domain name. + +@item @code{zone} (default: @code{(zone-file)}) +The content of the zone file. This parameter is ignored by slave zones. = It +must contain a zone-file record. + +@item @code{master} (default: @code{'()}) +A list of master remotes. When empty, this zone is a master. When set, t= his +zone is a slave. This is a list of remotes identifiers. + +@item @code{ddns-master} (default: @code{#f}) +The main master. When empty, it defaults to the first master in the list = of +masters. 
+ +@item @code{notify} (default: @code{'()}) +A list of slave remote identifiers. + +@item @code{acl} (default: @code{'()}) +A list of acl identifiers. + +@item @code{semantic-checks?} (default: @code{#f}) +When set, this adds more semantic checks to the zone. + +@item @code{disable-any?} (default: @code{#f}) +When set, this forbids queries of the ANY type. + +@item @code{zonefile-sync} (default: @code{0}) +The delay between a modification in memory and on disk. 0 means immediate +synchronization. + +@item @code{serial-policy} (default: @code{'increment}) +A policy between @code{'increment} and @code{'unixtime}. + +@end table +@end deftp + +@deftp {Data Type} knot-configuration +Data type representing the Knot configuration. +This type has the following parameters: + +@table @asis +@item @code{knot} (default: @code{knot}) +The Knot package. + +@item @code{run-directory} (default: @code{"/var/run/knot"}) +The run directory. This directory will be used for pid file and sockets. + +@item @code{listen-v4} (default: @code{"0.0.0.0"}) +An ip address on which to listen. + +@item @code{listen-v6} (default: @code{"::"}) +An ip address on which to listen. + +@item @code{listen-port} (default: @code{53}) +A port on which to listen. + +@item @code{keys} (default: @code{'()}) +The list of knot-key-configuration used by this configuration. + +@item @code{acls} (default: @code{'()}) +The list of knot-acl-configuration used by this configuration. + +@item @code{remotes} (default: @code{'()}) +The list of knot-remote-configuration used by this configuration. + +@item @code{zones} (default: @code{'()}) +The list of knot-zone-configuration used by this configuration. + +@end table +@end deftp + @node VPN Services @subsubsection VPN Services @cindex VPN (virtual private network) diff --git a/gnu/local.mk b/gnu/local.mk index dcf9b14ce..c40928a83 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -423,6 +423,7 @@ GNU_SYSTEM_MODULES =3D \ %D%/services/dbus.scm \ %D%/services/desktop.scm \ %D%/services/dict.scm \ + %D%/services/dns.scm \ %D%/services/kerberos.scm \ %D%/services/lirc.scm \ %D%/services/mail.scm \ diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm new file mode 100644 index 000000000..2ed7b9e22 --- /dev/null +++ b/gnu/services/dns.scm 
@@ -0,0 +1,593 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2017 Julien Lepiller +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services dns) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) + #:use-module (gnu packages dns) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:use-module (ice-9 match) + #:use-module (ice-9 regex) + #:export (knot-service-type + knot-acl-configuration + knot-key-configuration + knot-keystore-configuration + knot-zone-configuration + knot-remote-configuration + knot-policy-configuration + knot-configuration + define-zone-entries + zone-file + zone-entry)) + +;;; +;;; Knot DNS. +;;; + +(define-record-type* + knot-key-configuration make-knot-key-configuration + knot-key-configuration? + (id knot-key-configuration-id + (default "")) + (algorithm knot-key-configuration-algorithm + (default #f)); one of #f, or an algorithm name + (secret knot-key-configuration-secret + (default ""))) + +(define-record-type* + knot-acl-configuration make-knot-acl-configuration + knot-acl-configuration? 
+ (id knot-acl-configuration-id + (default "")) + (address knot-acl-configuration-address + (default '())) + (key knot-acl-configuration-key + (default '())) + (action knot-acl-configuration-action + (default '())) + (deny? knot-acl-configuration-deny? + (default #f))) + +(define-record-type* + zone-entry make-zone-entry + zone-entry? + (name zone-entry-name + (default "@")) + (ttl zone-entry-ttl + (default "")) + (class zone-entry-class + (default "IN")) + (type zone-entry-type + (default "A")) + (data zone-entry-data + (default ""))) + +(define-record-type* + zone-file make-zone-file + zone-file? + (entries zone-file-entries + (default '())) + (origin zone-file-origin + (default "")) + (ns zone-file-ns + (default "ns")) + (mail zone-file-mail + (default "hostmaster")) + (serial zone-file-serial + (default 1)) + (refresh zone-file-refresh + (default "2d")) + (retry zone-file-retry + (default "15m")) + (expiry zone-file-expiry + (default "2w")) + (nx zone-file-nx + (default "1h"))) +(define-record-type* + knot-keystore-configuration make-knot-keystore-configuration + knot-keystore-configuration? + (id knot-keystore-configuration-id + (default "")) + (backend knot-keystore-configuration-backend + (default 'pem)) + (config knot-keystore-configuration-config + (default "/var/lib/knot/keys/keys"))) + +(define-record-type* + knot-policy-configuration make-knot-policy-configuration + knot-policy-configuration? + (id knot-policy-configuration-id + (default "")) + (keystore knot-policy-configuration-keystore + (default "default")) + (manual? knot-policy-configuration-manual? + (default #f)) + (single-type-signing? knot-policy-configuration-single-type-signing? 
+ (default #f)) + (algorithm knot-policy-configuration-algorithm + (default "ecdsap256sha256")) + (ksk-size knot-policy-configuration-ksk-size + (default 256)) + (zsk-size knot-policy-configuration-zsk-size + (default 256)) + (dnskey-ttl knot-policy-configuration-dnskey-ttl + (default 'default)) + (zsk-lifetime knot-policy-configuration-zsk-lifetime + (default "30d")) + (propagation-delay knot-policy-configuration-propagation-delay + (default "1d")) + (rrsig-lifetime knot-policy-configuration-rrsig-lifetime + (default "14d")) + (rrsig-refresh knot-policy-configuration-rrsig-refresh + (default "7d")) + (nsec3? knot-policy-configuration-nsec3? + (default #f)) + (nsec3-iterations knot-policy-configuration-nsec3-iterations + (default 5)) + (nsec3-salt-length knot-policy-configuration-nsec3-salt-length + (default 8)) + (nsec3-salt-lifetime knot-policy-configuration-nsec3-salt-lifetime + (default "30d"))) + +(define-record-type* + knot-zone-configuration make-knot-zone-configuration + knot-zone-configuration? + (domain knot-zone-configuration-domain + (default "")) + (file knot-zone-configuration-file + (default "")) ; the file where this zone is saved. + (zone knot-zone-configuration-zone + (default (zone-file))) ; initial content of the zone f= ile + (master knot-zone-configuration-master + (default '())) + (ddns-master knot-zone-configuration-ddns-master + (default #f)) + (notify knot-zone-configuration-notify + (default '())) + (acl knot-zone-configuration-acl + (default '())) + (semantic-checks? knot-zone-configuration-semantic-checks? + (default #f)) + (disable-any? knot-zone-configuration-disable-any? + (default #f)) + (zonefile-sync knot-zone-configuration-zonefile-sync + (default 0)) + (dnssec-policy knot-zone-configuration-dnssec-policy + (default #f)) + (serial-policy knot-zone-configuration-serial-policy + (default 'increment))) + +(define-record-type* + knot-remote-configuration make-knot-remote-configuration + knot-remote-configuration? 
+ (id knot-remote-configuration-id + (default "")) + (address knot-remote-configuration-address + (default '())) + (via knot-remote-configuration-via + (default '())) + (key knot-remote-configuration-key + (default #f))) + +(define-record-type* + knot-configuration make-knot-configuration + knot-configuration? + (knot knot-configuration-knot + (default knot)) + (run-directory knot-configuration-run-directory + (default "/var/run/knot")) + (listen-v4 knot-configuration-listen-v4 + (default "0.0.0.0")) + (listen-v6 knot-configuration-listen-v6 + (default "::")) + (listen-port knot-configuration-listen-port + (default 53)) + (keys knot-configuration-keys + (default '())) + (keystores knot-configuration-keystores + (default '())) + (acls knot-configuration-acls + (default '())) + (remotes knot-configuration-remotes + (default '())) + (policies knot-configuration-policies + (default '())) + (zones knot-configuration-zones + (default '()))) + +(define-syntax define-zone-entries + (syntax-rules () + ((_ id (name ttl class type data) ...) + (define id (list (make-zone-entry name ttl class type data) ...))))) + +(define (error-out msg) + (raise (condition (&message (message msg))))) + +(define (verify-knot-key-configuration key) + (unless (knot-key-configuration? key) + (error-out "keys must be a list of only knot-key-configuration.")) + (let ((id (knot-key-configuration-id key))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "key id must be a non empty string."))) + (unless (memq '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha38= 4 hmac-sha512) + (knot-key-configuration-algorithm key)) + (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1, +'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512"))) + +(define (verify-knot-keystore-configuration keystore) + (unless (knot-keystore-configuration? 
keystore) + (error-out "keystores must be a list of only knot-keystore-configurati= on.")) + (let ((id (knot-keystore-configuration-id keystore))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "keystore id must be a non empty string."))) + (unless (memq '(pem pkcs11) + (knot-keystore-configuration-backend keystore)) + (error-out "backend must be one of: 'pem or 'pkcs11"))) + +(define (verify-knot-policy-configuration policy) + (unless (knot-keystore-configuration? policy) + (error-out "policies must be a list of only knot-policy-configuration.= ")) + (let ((id (knot-policy-configuration-id policy))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "policy id must be a non empty string.")))) + +(define (verify-knot-acl-configuration acl) + (unless (knot-acl-configuration? acl) + (error-out "acls must be a list of only knot-acl-configuration.")) + (let ((id (knot-acl-configuration-id acl)) + (address (knot-acl-configuration-address acl)) + (key (knot-acl-configuration-key acl)) + (action (knot-acl-configuration-action acl))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "acl id must be a non empty string.")) + (unless (and (list? address) + (fold (lambda (x1 x2) (and (string? x1) (string? x2))) ""= address)) + (error-out "acl address must be a list of strings."))) + (unless (boolean? (knot-acl-configuration-deny? acl)) + (error-out "deny? must be #t or #f."))) + +(define (verify-knot-zone-configuration zone) + (unless (knot-zone-configuration? zone) + (error-out "zones must be a list of only knot-zone-configuration.")) + (let ((domain (knot-zone-configuration-domain zone))) + (unless (and (string? domain) (not (equal? domain ""))) + (error-out "zone domain must be a non empty string.")))) + +(define (verify-knot-remote-configuration remote) + (unless (knot-remote-configuration? 
remote) + (error-out "remotes must be a list of only knot-remote-configuration."= )) + (let ((id (knot-remote-configuration-id remote))) + (unless (and (string? id) (not (equal? id ""))) + (error-out "remote id must be a non empty string.")))) + +(define (verify-knot-configuration config) + (unless (package? (knot-configuration-knot config)) + (error-out "knot configuration field must be a package.")) + (unless (string? (knot-configuration-run-directory config)) + (error-out "run-directory must be a string.")) + (unless (list? (knot-configuration-keys config)) + (error-out "keys must be a list of knot-key-configuration.")) + (for-each (lambda (key) (verify-knot-key-configuration key)) + (knot-configuration-keys config)) + (unless (list? (knot-configuration-keystores config)) + (error-out "keystores must be a list of knot-keystore-configuration.")) + (for-each (lambda (keystore) (verify-knot-keystore-configuration keystor= e)) + (knot-configuration-keystores config)) + (unless (list? (knot-configuration-acls config)) + (error-out "acls must be a list of knot-acl-configuration.")) + (for-each (lambda (acl) (verify-knot-acl-configuration acl)) + (knot-configuration-acls config)) + (unless (list? (knot-configuration-zones config)) + (error-out "zones must be a list of knot-zone-configuration.")) + (for-each (lambda (zone) (verify-knot-zone-configuration zone)) + (knot-configuration-zones config)) + (unless (list? (knot-configuration-policies config)) + (error-out "policies must be a list of knot-policy-configuration.")) + (for-each (lambda (policy) (verify-knot-policy-configuration policy)) + (knot-configuration-policies config)) + (unless (list? (knot-configuration-remotes config)) + (error-out "remotes must be a list of knot-remote-configuration.")) + (for-each (lambda (remote) (verify-knot-remote-configuration remote)) + (knot-configuration-remotes config)) + #t) + +(define (format-string-list l) + "Formats a list of string in YAML" + (if (eq? 
l '()) + "" + (let ((l (reverse l))) + (string-append + "[" + (fold (lambda (x1 x2) + (string-append (if (symbol? x1) (symbol->string x1) x1) = ", " + (if (symbol? x2) (symbol->string x2) x2))) + (car l) (cdr l)) + "]")))) + +(define (knot-acl-config acls) + (with-output-to-string + (lambda () + (for-each + (lambda (acl-config) + (let ((id (knot-acl-configuration-id acl-config)) + (address (knot-acl-configuration-address acl-config)) + (key (knot-acl-configuration-key acl-config)) + (action (knot-acl-configuration-action acl-config)) + (deny? (knot-acl-configuration-deny? acl-config))) + (format #t " - id: ~a\n" id) + (unless (eq? address '()) + (format #t " address: ~a\n" (format-string-list address= ))) + (unless (eq? key '()) + (format #t " key: ~a\n" (format-string-list key))) + (unless (eq? action '()) + (format #t " action: ~a\n" (format-string-list action))) + (format #t " deny: ~a\n" (if deny? "on" "off")))) + acls)))) + +(define (knot-key-config keys) + (with-output-to-string + (lambda () + (for-each + (lambda (key-config) + (let ((id (knot-key-configuration-id key-config)) + (algorithm (knot-key-configuration-algorithm key-config)) + (secret (knot-key-configuration-secret key-config))) + (format #t " - id: ~a\n" id) + (if algorithm + (format #t " algorithm: ~a\n" (symbol->string algorit= hm))) + (format #t " secret: ~a\n" secret))) + keys)))) + +(define (knot-keystore-config keystores) + (with-output-to-string + (lambda () + (for-each + (lambda (keystore-config) + (let ((id (knot-keystore-configuration-id keystore-config)) + (backend (knot-keystore-configuration-backend keystore-con= fig)) + (config (knot-keystore-configuration-config keystore-confi= g))) + (format #t " - id: ~a\n" id) + (format #t " backend: ~a\n" (symbol->string backend)) + (format #t " config: \"~a\"\n" config))) + keystores)))) + +(define (knot-policy-config policies) + (with-output-to-string + (lambda () + (for-each + (lambda (policy-config) + (let ((id (knot-policy-configuration-id 
policy-config)) + (keystore (knot-policy-configuration-keystore policy-confi= g)) + (manual? (knot-policy-configuration-manual? policy-config)) + (single-type-signing? (knot-policy-configuration-single-ty= pe-signing? + policy-config)) + (algorithm (knot-policy-configuration-algorithm policy-con= fig)) + (ksk-size (knot-policy-configuration-ksk-size policy-confi= g)) + (zsk-size (knot-policy-configuration-zsk-size policy-confi= g)) + (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy-c= onfig)) + (zsk-lifetime (knot-policy-configuration-zsk-lifetime poli= cy-config)) + (propagation-delay (knot-policy-configuration-propagation-= delay + policy-config)) + (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime + policy-config)) + (nsec3? (knot-policy-configuration-nsec3? policy-config)) + (nsec3-iterations (knot-policy-configuration-nsec3-iterati= ons + policy-config)) + (nsec3-salt-length (knot-policy-configuration-nsec3-salt-l= ength + policy-config)) + (nsec3-salt-lifetime (knot-policy-configuration-nsec3-salt= -lifetime + policy-config))) + (format #t " - id: ~a\n" id) + (format #t " keystore: ~a\n" keystore) + (format #t " manual: ~a\n" (if manual? "on" "off")) + (format #t " single-type-signing: ~a\n" (if single-type-s= igning? + "on" "off")) + (format #t " algorithm: ~a\n" algorithm) + (format #t " ksk-size: ~a\n" (number->string ksk-size)) + (format #t " zsk-size: ~a\n" (number->string zsk-size)) + (unless (eq? dnskey-ttl 'default) + (format #t " dnskey-ttl: ~a\n" dnskey-ttl)) + (format #t " zsk-lifetime: ~a\n" zsk-lifetime) + (format #t " propagation-delay: ~a\n" propagation-delay) + (format #t " rrsig-lifetime: ~a\n" rrsig-lifetime) + (format #t " nsec3: ~a\n" (if nsec3? 
"on" "off")) + (format #t " nsec3-iterations: ~a\n" + (number->string nsec3-iterations)) + (format #t " nsec3-salt-length: ~a\n" + (number->string nsec3-salt-length)) + (format #t " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifeti= me))) + policies)))) + +(define (knot-remote-config remotes) + (with-output-to-string + (lambda () + (for-each + (lambda (remote-config) + (let ((id (knot-remote-configuration-id remote-config)) + (address (knot-remote-configuration-address remote-config)) + (via (knot-remote-configuration-via remote-config)) + (key (knot-remote-configuration-key remote-config))) + (format #t " - id: ~a\n" id) + (unless (eq? address '()) + (format #t " address: ~a\n" (format-string-list address= ))) + (unless (eq? via '()) + (format #t " via: ~a\n" (format-string-list via))) + (if key + (format #t " key: ~a\n" key)))) + remotes)))) + +(define (serialize-zone-entries entries) + (with-output-to-string + (lambda () + (for-each + (lambda (entry) + (let ((name (zone-entry-name entry)) + (ttl (zone-entry-ttl entry)) + (class (zone-entry-class entry)) + (type (zone-entry-type entry)) + (data (zone-entry-data entry))) + (format #t "~a ~a ~a ~a ~a\n" name ttl class type data))) + entries)))) + +(define (serialize-zone-file zone domain) + (computed-file (string-append domain ".zone") + #~(begin + (call-with-output-file #$output + (lambda (port) + (format port "$ORIGIN ~a.\n" + #$(zone-file-origin zone)) + (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n" + #$(zone-file-ns zone) + #$(zone-file-mail zone) + #$(zone-file-serial zone) + #$(zone-file-refresh zone) + #$(zone-file-retry zone) + #$(zone-file-expiry zone) + #$(zone-file-nx zone)) + (format port "~a\n" + #$(serialize-zone-entries (zone-file-entries zone)))))= ))) + +(define (knot-zone-config zone) + (let ((content (knot-zone-configuration-zone zone))) + #~(with-output-to-string + (lambda () + (let ((domain #$(knot-zone-configuration-domain zone)) + (file #$(knot-zone-configuration-file zone)) + (master (list 
#$@(knot-zone-configuration-master zone))) + (ddns-master #$(knot-zone-configuration-ddns-master zone)) + (notify (list #$@(knot-zone-configuration-notify zone))) + (acl (list #$@(knot-zone-configuration-acl zone))) + (semantic-checks? #$(knot-zone-configuration-semantic-chec= ks? zone)) + (disable-any? #$(knot-zone-configuration-disable-any? zone= )) + (dnssec-policy #$(knot-zone-configuration-dnssec-policy zo= ne)) + (serial-policy '#$(knot-zone-configuration-serial-policy z= one))) + (format #t " - domain: ~a\n" domain) + (if (eq? master '()) + ;; This server is a master + (if (equal? file "") + (format #t " file: ~a\n" + #$(serialize-zone-file content + (knot-zone-configuration-domain= zone))) + (format #t " file: ~a\n" file)) + ;; This server is a slave (has masters) + (begin + (format #t " master: ~a\n" + #$(format-string-list + (knot-zone-configuration-master zone))) + (if ddns-master (format #t " ddns-master ~a\n" ddns= -master)))) + (unless (eq? notify '()) + (format #t " notify: ~a\n" + #$(format-string-list + (knot-zone-configuration-notify zone)))) + (unless (eq? acl '()) + (format #t " acl: ~a\n" + #$(format-string-list + (knot-zone-configuration-acl zone)))) + (format #t " semantic-checks: ~a\n" (if semantic-checks? = "on" "off")) + (format #t " disable-any: ~a\n" (if disable-any? 
"on" "of= f")) + (if dnssec-policy + (begin + (format #t " dnssec-signing: on\n") + (format #t " dnssec-policy: ~a\n" dnssec-policy))) + (format #t " serial-policy: ~a\n" + (symbol->string serial-policy))))))) + +(define (knot-config-file config) + (verify-knot-configuration config) + (computed-file "knot.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (format port "server:\n") + (format port " rundir: ~a\n" #$(knot-configuration-run-dire= ctory config)) + (format port " user: knot\n") + (format port " listen: ~a@~a\n" + #$(knot-configuration-listen-v4 config) + #$(knot-configuration-listen-port config)) + (format port " listen: ~a@~a\n" + #$(knot-configuration-listen-v6 config) + #$(knot-configuration-listen-port config)) + (format port "\nkey:\n") + (format port #$(knot-key-config (knot-configuration-keys confi= g))) + (format port "\nkeystore:\n") + (format port #$(knot-keystore-config (knot-configuration-keyst= ores config))) + (format port "\nacl:\n") + (format port #$(knot-acl-config (knot-configuration-acls confi= g))) + (format port "\nremote:\n") + (format port #$(knot-remote-config (knot-configuration-remotes= config))) + (format port "\npolicy:\n") + (format port #$(knot-policy-config (knot-configuration-policie= s config))) + (unless #$(eq? (knot-configuration-zones config) '()) + (format port "\nzone:\n") + (format port "~a\n" + (string-concatenate + (list #$@(map knot-zone-config + (knot-configuration-zones config))))= ))))))) + +(define %knot-accounts + (list (user-group (name "knot") (system? #t)) + (user-account + (name "knot") + (group "knot") + (system? 
#t) + (comment "knot dns server user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define (knot-activation config) + #~(begin + (use-modules (guix build utils)) + (define (mkdir-p/perms directory owner perms) + (mkdir-p directory) + (chown directory (passwd:uid owner) (passwd:gid owner)) + (chmod directory perms)) + (mkdir-p/perms #$(knot-configuration-run-directory config) + (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755) + (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755))) + +(define (knot-shepherd-service config) + (let* ((config-file (knot-config-file config)) + (knot (knot-configuration-knot config))) + (list (shepherd-service + (documentation "Run the Knot DNS daemon.") + (provision '(knot dns)) + (requirement '(networking)) + (start #~(make-forkexec-constructor + (list (string-append #$knot "/sbin/knotd") + "-c" #$config-file))) + (stop #~(make-kill-destructor)))))) + +(define knot-service-type + (service-type (name 'knot) + (extensions + (list (service-extension shepherd-root-service-type + knot-shepherd-service) + (service-extension activation-service-type + knot-activation) + (service-extension account-service-type + (const %knot-accounts)))))) --=20 2.12.2 --MP_/MyOo8_wXfzTw1brvzp/AUPE-- ------------=_1495874582-4903-1-- From unknown Sun Jun 15 08:42:48 2025 X-Loop: help-debbugs@gnu.org Subject: bug#26829: Add knot service Resent-From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 28 May 2017 17:35:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 26829 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 26829@debbugs.gnu.org Cc: julien@lepiller.eu Received: via spool by 26829-submit@debbugs.gnu.org id=B26829.149599286513914 (code B ref 26829); Sun, 28 May 2017 17:35:01 
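Review bot: ‘knot-key-config’ writes each TSIG secret verbatim, ‘(format #t " secret: ~a\n" secret)’, and ‘knot-config-file’ puts that output into ‘(computed-file "knot.conf" ...)’, that is, into the store, which every local user can read; the secrets that gate zone transfers, NOTIFY and DDNS are therefore not private on a multi-user host, so the documentation should at least warn about this, and a better design would let the user point Knot at a root-owned file outside the store instead of inlining the secret. In the same function, the key, keystore, acl, remote and policy sections are emitted with the generated text as the format control string, ‘(format port #$(knot-key-config (knot-configuration-keys config)))’, so a ‘~’ in any user-supplied id, address or secret is parsed as a directive; pass the text as an argument, ‘(format port "~a" ...)’, as the zone section already does. In ‘knot-zone-config’, the slave branch emits ‘" ddns-master ~a\n"’ without the colon that every other key has, which is not valid knot.conf syntax, so any zone that sets ‘ddns-master’ breaks the whole configuration. Finally, ‘knot-activation’ creates ‘/var/lib/knot/keys’ and ‘/var/lib/knot/keys/keys’ with ‘#o755’; a directory holding DNSSEC private keys should not be world-listable, ‘#o700’ owned by knot is the safer default.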
From: ludo@gnu.org (Ludovic Courtès)
Date: Sun, 28 May 2017 19:34:06 +0200
Subject: bug#26829: Add knot service
Message-ID: <8737bosx69.fsf@gnu.org>
In-Reply-To: <20170527104145.2d8b6867@lepiller.eu>

Hi Julien,

Julien Lepiller skribis:

> So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.

Very nice and very useful notably for self-hosting use cases!

I have two minor comments:

1. What would it take to write tests for this? I assume we could simply make DNS requests locally?

2. For things like:

+@item @code{nsec3-salt-lifetime} (default: @code{"30d"})

I prefer using an integer denoting the number of seconds, and then letting users do the multiplication or use (string->duration "30d"). I did that for ‘guix-publish-service’.

Thoughts?

Thank you!
Ludo’.
From: julien lepiller
Date: Mon, 29 May 2017 09:55:18 +0200
Subject: bug#26829: Add knot service
Message-ID: <92fb9449ec88661f0fb9d43664792ffa@lepiller.eu>
In-Reply-To: <8737bosx69.fsf@gnu.org>

On 2017-05-28 19:34, ludo@gnu.org wrote:
> Hi Julien,
>
> Julien Lepiller skribis:
>
>> So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.
>
> Very nice and very useful notably for self-hosting use cases!

That's exactly why I did that :). I'm currently self-hosting my services on debian, and I would like to move to guixSD at some point, so I'm writing services I need.

> I have two minor comments:
>
> 1. What would it take to write tests for this? I assume we could
> simply make DNS requests locally?

I have never written a system test, so I don't know how it works. If we check only that requests are answered correctly locally, I think that would be great but limited to the "master" scenario. Then there is the "slave" scenario, where we would need a zone transfer between two hosts. And we could also check that transfer occurs only to authorized slaves.

> 2. For things like:
>
> +@item @code{nsec3-salt-lifetime} (default: @code{"30d"})
>
> I prefer using an integer denoting the number of seconds, and then
> letting users do the multiplication or use (string->duration "30d").
> I did that for ‘guix-publish-service’.

I didn't know it existed, but it looks nicer indeed. I'll see what I can do.

> Thoughts?

I'll be away for a few days, but I'll send patches as soon as I can.

> Thank you!
>
> Ludo’.
From: ludo@gnu.org (Ludovic Courtès)
Date: Mon, 29 May 2017 18:36:17 +0200
Subject: bug#26829: Add knot service
Message-ID: <87lgpf7h8e.fsf@gnu.org>
In-Reply-To: <92fb9449ec88661f0fb9d43664792ffa@lepiller.eu>

Hello,

julien lepiller skribis:

> On 2017-05-28 19:34, ludo@gnu.org wrote:
>> Hi Julien,
>>
>> Julien Lepiller skribis:
>>
>>> So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.
>>
>> Very nice and very useful notably for self-hosting use cases!
> That's exactly why I did that :). I'm currently self-hosting my
> services on debian, and I would like to move to guixSD at some point,
> so I'm writing services I need.

Excellent. :-)

>> I have two minor comments:
>>
>> 1. What would it take to write tests for this? I assume we could
>> simply make DNS requests locally?
> I have never written a system test, so I don't know how it works. If
> we check only that requests are answered correctly locally, I think
> that would be great but limited to the "master" scenario. Then there
> is the "slave" scenario, where we would need a zone transfer between
> two hosts. And we could also check that transfer occurs only to
> authorized slaves.

OK. I guess I know too little about DNS to make any useful comment.

>> 2. For things like:
>>
>> +@item @code{nsec3-salt-lifetime} (default: @code{"30d"})
>>
>> I prefer using an integer denoting the number of seconds, and then
>> letting users do the multiplication or use (string->duration
>> "30d").
>> I did that for ‘guix-publish-service’.
> I didn't know it existed, but it looks nicer indeed. I'll see what I
> can do.

OK! Note that I’m not saying that the service code should use ‘string->duration’ directly, but rather that the service code should use integers to represent duration (in seconds).

Thank you,
Ludo’.

From: Julien Lepiller
Date: Wed, 31 May 2017 21:41:39 +0200
Subject: bug#26829: Add knot service
Message-ID: <20170531214139.41779e0e@lepiller.eu>
In-Reply-To: <87lgpf7h8e.fsf@gnu.org>

On Mon, 29 May 2017 18:36:17 +0200, ludo@gnu.org (Ludovic Courtès) wrote:

> Hello,
>
> julien lepiller skribis:
>
>> On 2017-05-28 19:34, ludo@gnu.org wrote:
>>> Hi Julien,
>>>
>>> Julien Lepiller skribis:
>>>
>>>> So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.
>>>
>>> Very nice and very useful notably for self-hosting use cases!
>> That's exactly why I did that :). I'm currently self-hosting my
>> services on debian, and I would like to move to guixSD at some
>> point, so I'm writing services I need.
>
> Excellent. :-)
>
>>> I have two minor comments:
>>>
>>> 1. What would it take to write tests for this? I assume we
>>> could simply make DNS requests locally?
>> I have never written a system test, so I don't know how it works. If
>> we check only that requests are answered correctly locally, I think
>> that would be great but limited to the "master" scenario. Then there
>> is the "slave" scenario, where we would need a zone transfer between
>> two hosts. And we could also check that transfer occurs only to
>> authorized slaves.
>
> OK. I guess I know too little about DNS to make any useful comment.
>
>>> 2. For things like:
>>>
>>> +@item @code{nsec3-salt-lifetime} (default: @code{"30d"})
>>>
>>> I prefer using an integer denoting the number of seconds, and
>>> then letting users do the multiplication or use (string->duration
>>> "30d").
>>> I did that for ‘guix-publish-service’.
>> I didn't know it existed, but it looks nicer indeed. I'll see what I
>> can do.
>
> OK! Note that I’m not saying that the service code should use
> ‘string->duration’ directly, but rather that the service code should
> use integers to represent duration (in seconds).

So, the default value would be (string->duration "30d"), which is a number of seconds, and the configuration should use this number of seconds, right?

> Thank you,
> Ludo’.
From: ludo@gnu.org (Ludovic Courtès)
Date: Wed, 31 May 2017 23:17:56 +0200
Subject: bug#26829: Add knot service
Message-ID: <87vaog7mkb.fsf@gnu.org>
In-Reply-To: <20170531214139.41779e0e@lepiller.eu>

Julien Lepiller skribis:

> On Mon, 29 May 2017 18:36:17 +0200, ludo@gnu.org (Ludovic Courtès) wrote:
>
>> Hello,
>>
>> julien lepiller skribis:
>>
>>> On 2017-05-28 19:34, ludo@gnu.org wrote:
>>>> Hi Julien,
>>>>
>>>> Julien Lepiller skribis:
>>>>
>>>>> So, pushed as ba69e8f7ce21a81bdd5b99fdb1cc64492443e15c.
>>>>
>>>> Very nice and very useful notably for self-hosting use cases!
>>> That's exactly why I did that :). I'm currently self-hosting my
>>> services on debian, and I would like to move to guixSD at some
>>> point, so I'm writing services I need.
>>
>> Excellent. :-)
>>
>>>> I have two minor comments:
>>>>
>>>> 1. What would it take to write tests for this? I assume we
>>>> could simply make DNS requests locally?
>>> I have never written a system test, so I don't know how it works. If
>>> we check only that requests are answered correctly locally, I think
>>> that would be great but limited to the "master" scenario. Then there
>>> is the "slave" scenario, where we would need a zone transfer between
>>> two hosts. And we could also check that transfer occurs only to
>>> authorized slaves.
>>
>> OK. I guess I know too little about DNS to make any useful comment.
>>
>>>> 2. For things like:
>>>>
>>>> +@item @code{nsec3-salt-lifetime} (default: @code{"30d"})
>>>>
>>>> I prefer using an integer denoting the number of seconds, and
>>>> then letting users do the multiplication or use (string->duration
>>>> "30d").
>>>> I did that for ‘guix-publish-service’.
>>> I didn't know it existed, but it looks nicer indeed. I'll see what I
>>> can do.
>>
>> OK! Note that I’m not saying that the service code should use
>> ‘string->duration’ directly, but rather that the service code should
>> use integers to represent duration (in seconds).
> So, the default value would be (string->duration "30d"), which is a
> number of seconds, and the configuration should use this number of
> seconds, right?

No, the (gnu services …) modules should not depend on (guix ui), which is mostly for the CLI.

So the default value would be (* 30 24 3600). We could (define hour 3600) (define day (* 24 hour)) etc.

Ludo’.