PowerDNS: Implemented AUTODNSSEC (#856)

* PowerDNS: Implemented AUTODNSSEC
2024-05-11 05:55:12 +00:00 · 2020-09-17 14:46:15 +02:00
parent 5c0f69ea44
commit 52c50c88b3
4 changed files with 83 additions and 3 deletions
--- a/providers/powerdns/dnssec.go
+++ b/providers/powerdns/dnssec.go
@ -0,0 +1,74 @@
+package powerdns
+
+import (
+	"context"
+	"github.com/StackExchange/dnscontrol/v3/models"
+	"github.com/mittwald/go-powerdns/apis/cryptokeys"
+)
+
+// getDNSSECCorrections returns corrections that update a domain's DNSSEC state.
+func (api *PowerDNS) getDNSSECCorrections(dc *models.DomainConfig) ([]*models.Correction, error) {
+	cryptokeys, getErr := api.client.Cryptokeys().ListCryptokeys(context.Background(), api.ServerName, dc.Name)
+	if getErr != nil {
+		return nil, getErr
+	}
+
+	// check if any of the avail. key is active and published
+	hasEnabledKey := false
+	var keyID int
+
+	if len(cryptokeys) > 0 {
+		for _, cryptoKey := range cryptokeys {
+			if cryptoKey.Active && cryptoKey.Published {
+				hasEnabledKey = true
+				keyID = cryptoKey.ID
+				break
+			}
+		}
+	}
+
+	// dnssec is enabled, we want it to be disabled
+	if hasEnabledKey && !dc.AutoDNSSEC {
+		return []*models.Correction{
+			{
+				Msg: "Disable DNSSEC",
+				F:   func() error { _, err := api.removeDnssec(dc.Name, keyID); return err },
+			},
+		}, nil
+	}
+
+	// dnssec is disabled, we want it to be enabled
+	if !hasEnabledKey && dc.AutoDNSSEC {
+		return []*models.Correction{
+			{
+				Msg: "Enable DNSSEC",
+				F:   func() error { _, err := api.enableDnssec(dc.Name); return err },
+			},
+		}, nil
+	}
+
+	return nil, nil
+}
+
+// enableDnssec creates a active and published cryptokey on this domain
+func (api *PowerDNS) enableDnssec(domain string) (bool, error) {
+	// if there is now key, create one and enable it
+	_, err := api.client.Cryptokeys().CreateCryptokey(context.Background(), api.ServerName, domain, cryptokeys.Cryptokey{
+		KeyType:   "csk",
+		Active:    true,
+		Published: true,
+	})
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+// removeDnssec removes the cryptokey from this zone
+func (api *PowerDNS) removeDnssec(domain string, keyID int) (bool, error) {
+	err := api.client.Cryptokeys().DeleteCryptokey(context.Background(), api.ServerName, domain, keyID)
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
--- a/providers/powerdns/powerdnsProvider.go
+++ b/providers/powerdns/powerdnsProvider.go
@ -24,7 +24,7 @@ var features = providers.DocumentationNotes{
 	providers.CanUseSRV:              providers.Can(),
 	providers.CanUseTLSA:             providers.Can(),
 	providers.CanUseSSHFP:            providers.Can(),
-	providers.CanAutoDNSSEC:          providers.Unimplemented("Need support in library first"),
+	providers.CanAutoDNSSEC:          providers.Can(),
 	providers.DocCreateDomains:       providers.Can(),
 	providers.DocOfficiallySupported: providers.Cannot(),
 	providers.CanGetZones:            providers.Can(),
@ -195,7 +195,11 @@ func (api *PowerDNS) GetDomainCorrections(dc *models.DomainConfig) ([]*models.Co
 	}

 	// DNSSec corrections
-	// TODO: Implementing of on-demand DNSSec creation in library
+	dnssecCorrections, err := api.getDNSSECCorrections(dc)
+	if err != nil {
+		return nil, err
+	}
+	corrections = append(corrections, dnssecCorrections...)

 	return corrections, nil
 }