From 8e54345708f990a27c75f7d71966e9076484f9ae Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Fri, 24 Dec 2021 06:01:28 +0000
Subject: [PATCH] Cirrus: Add Unbound tests
---
.cirrus.yml | 57 +++++++++++++++++++++++
README.md | 28 +++--------
_doc/unbound/conf.d/ncdns-dnssec-off.conf | 4 ++
_doc/unbound/conf.d/ncdns-dnssec-on.conf | 6 +++
_doc/unbound/conf.d/ncdns.conf | 7 +++
5 files changed, 80 insertions(+), 22 deletions(-)
create mode 100644 _doc/unbound/conf.d/ncdns-dnssec-off.conf
create mode 100644 _doc/unbound/conf.d/ncdns-dnssec-on.conf
create mode 100644 _doc/unbound/conf.d/ncdns.conf
diff --git a/.cirrus.yml b/.cirrus.yml
index 047c25f..9e083d0 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -223,6 +223,63 @@ task: GOX_TAGS: "" GO_VERSION: latest +task: + name: Resolve Tests Electrum Unbound + container: + image: fedora:latest + cpu: 1 + memory: 1G + install_script: + - curl -o /usr/bin/electrum-nmc https://www.namecoin.org/files/electrum-nmc/electrum-nmc-4.0.0b0/electrum-nmc-nc4.0.0b0-x86_64.AppImage + - chmod +x /usr/bin/electrum-nmc + # Extract Electrum-NMC AppImage + - electrum-nmc --offline version + - curl -o ncdns.tar.gz https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/Cross-Compile%20Go%20latest/binaries/dist/ncdns--linux_amd64.tar.gz + - tar -xaf ./ncdns.tar.gz + - mv ./ncdns-*/bin/* /usr/bin/ + - dnf install -y bind-dnssec-utils # For dnssec-keygen + - dnf install -y bind-utils # For dig + - dnf install -y unbound + # Set up DNSSEC + - mkdir KSK + - dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK -K KSK bit + - mkdir ZSK + - dnssec-keygen -a RSASHA256 -3 -b 2048 -K ZSK bit + - mkdir -p /etc/unbound/keys/ /etc/unbound/conf.d/ + - cp KSK/*.key /etc/unbound/keys/bit.key + - cp _doc/unbound/conf.d/ncdns.conf /etc/unbound/conf.d/ + - cp _doc/unbound/conf.d/ncdns-dnssec-on.conf /etc/unbound/conf.d/ + electrum_background_script: + - electrum-nmc $ELECTRUM_ARGS -v + ncdns_background_script: + - ncdns -ncdns.namecoinrpcusername user -ncdns.namecoinrpcpassword pass -ncdns.bind :5391 -ncdns.privatekey ./KSK/*.private -ncdns.publickey ./KSK/*.key -ncdns.zoneprivatekey ./ZSK/*.private -ncdns.zonepublickey ./ZSK/*.key -xlog.severity DEBUG + unbound_background_script: + - unbound + resolve_electrum_script: + - while ! electrum-nmc $ELECTRUM_ARGS name_show d/namecoin + - do + - echo Waiting for Electrum-NMC to sync... 
+ - sleep 1s + - done + - electrum-nmc $ELECTRUM_ARGS name_show d/namecoin | grep $NAMECOIN_IP + resolve_ncdns_script: + - dig -p 5391 @127.0.0.1 namecoin.bit + - dig -p 5391 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP + - dig -p 5391 +tcp @127.0.0.1 namecoin.bit + - dig -p 5391 +tcp @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP + resolve_unbound_script: + - dig -p 53 @127.0.0.1 namecoin.bit + - dig -p 53 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP + depends_on: + - "Cross-Compile Go latest" + env: + # Workaround FUSE/Docker incompatibility. + # See https://github.com/AppImage/AppImageKit/issues/828#issuecomment-730002566 + APPIMAGE_EXTRACT_AND_RUN: 1 + NO_CLEANUP: 1 + NAMECOIN_IP: "91.219.237.223" + ELECTRUM_ARGS: "--rpcport 8336 --rpcuser user --rpcpassword pass" + task: # GitHub Release Upload # TODO: implement this. diff --git a/README.md b/README.md index a1cc947..a59d2b4 100644 --- a/README.md +++ b/README.md @@ -28,19 +28,9 @@ Using ncdns with a recursive resolver ------------------------------------- Of course the daemon can also be used simply as an authoritative nameserver for bit. directly. One way to do this is to run a recursive resolver (such as -Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example -unbound configuration: +Unbound) and configure it to serve the zone as a 'stub zone'. An example Unbound configuration file `ncdns.conf` is in `_doc/unbound`. - server: - do-not-query-localhost: no - stub-zone: - name: bit. - stub-addr: 127.0.0.1@1153 - -If you don't want to use DNSSEC, also add: - - server: - domain-insecure: bit. +If you don't want to use DNSSEC, also add `ncdns-dnssec-off.conf` to Unbound's configuration. If you do want to use DNSSEC, see the instructions below. 
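Review bot: The two `curl` downloads in `install_script` put an executable on the PATH and unpack a tarball with no integrity check, and without `-f` an HTTP error page would be saved and only fail later in a confusing way. I would fetch with `curl -fsSL -o /usr/bin/electrum-nmc …` and follow it with `echo "<expected-sha256>  /usr/bin/electrum-nmc" | sha256sum -c -`, where the digest is a placeholder here and would be pinned in the repository. Separately, `resolve_unbound_script` only greps for `$NAMECOIN_IP`, so it does not show that Unbound validated the answer against `bit.key`. Adding `dig -p 53 +dnssec @127.0.0.1 namecoin.bit | grep -E 'flags:[^;]* ad'` would assert the AD bit, assuming validation is expected to succeed in this setup.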
@@ -71,13 +61,7 @@ if you want to use the key as a trust anchor with a recursive resolver such as unbound, you should specify `bit`.) If using Unbound as a recursive resolver, you should add the KSK's public key file -as a trust anchor to unbound like so: - - server: - trust-anchor-file: "/etc/unbound/keys/bit.key" - -`bit.key` should be the file containing the KSK DNSKEY (or DS) which ncdns is -configured to use. +as a trust anchor to unbound, as in `ncdns-dnssec-on.conf` in `_doc/unbound`. Building -------- @@ -139,7 +123,7 @@ ncdns uses a configuration file which is looked for at `../etc/ncdns.conf` this and all options on the command line. An annotated example configuration file `ncdns.conf.example` is available in doc. -You will need to setup a `namecoind`, `namecoin-qt` or compatible Namecoin node +You will need to setup a `namecoind`, `namecoin-qt`, `electrum-nmc`, or compatible Namecoin node and enable the JSON-RPC interface. You will then need to provide `ncdns` with the address of this interface and any necessary username and password via the configuration file. @@ -147,9 +131,9 @@ configuration file. If you only want to resolve .bit names yourself, here is a suggested setup on Linux: - - Install `namecoind` (or `namecoin-qt`) and set it to start automatically + - Install `namecoind` (or `namecoin-qt` or `electrum-nmc`) and set it to start automatically at boot or login. Set up the JSON-RPC interface and make sure it works - by making a test query: `namecoind name_show d/example`. + by making a test query: `namecoin-cli name_show d/example` or `electrum-nmc name_show d/example`. - Write a ncdns configuration file and set ncdns up to start at boot. Since Unbound will tie up port 53, set a different port (ideally one >=1024, diff --git a/_doc/unbound/conf.d/ncdns-dnssec-off.conf b/_doc/unbound/conf.d/ncdns-dnssec-off.conf new file mode 100644 index 0000000..605f16b --- /dev/null +++ b/_doc/unbound/conf.d/ncdns-dnssec-off.conf 
@@ -0,0 +1,4 @@
+# Include this file if ncdns has DNSSEC disabled.
+
+server:
+ domain-insecure: bit.
diff --git a/_doc/unbound/conf.d/ncdns-dnssec-on.conf b/_doc/unbound/conf.d/ncdns-dnssec-on.conf
new file mode 100644
index 0000000..076e7a2
--- /dev/null
+++ b/_doc/unbound/conf.d/ncdns-dnssec-on.conf
@@ -0,0 +1,6 @@
+# Include this file if ncdns has DNSSEC enabled.
+
+server:
+ # bit.key should be the file containing the KSK DNSKEY (or DS) which ncdns is
+ # configured to use.
+ trust-anchor-file: "/etc/unbound/keys/bit.key"
diff --git a/_doc/unbound/conf.d/ncdns.conf b/_doc/unbound/conf.d/ncdns.conf
new file mode 100644
index 0000000..abbf8e4
--- /dev/null
+++ b/_doc/unbound/conf.d/ncdns.conf
@@ -0,0 +1,7 @@
+# Include this file if ncdns is in use.
+
+server:
+ do-not-query-localhost: no
+stub-zone:
+ name: bit.
+ stub-addr: 127.0.0.1@5391
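Review bot: The header comment in `ncdns-dnssec-off.conf` says when to include the file but not what it costs: `domain-insecure: bit.` makes Unbound accept every answer under `bit.` without DNSSEC validation. I would extend the comment, for example `# Disables DNSSEC validation for all of bit.; only use when the stub-addr for bit. is a local ncdns on loopback.`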
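Review bot: `do-not-query-localhost: no` in `ncdns.conf` is a server-wide switch rather than one scoped to the `bit.` stub zone, and `stub-addr: 127.0.0.1@5391` has to match the port ncdns binds to without anything saying so. The CI task passes `-ncdns.bind :5391`, while the README example removed by this patch used `@1153`. A comment on each line would help readers who copy the file: `# Needed so Unbound may query ncdns on 127.0.0.1; applies to all zones.` and `# Must match ncdns's bind address and port.`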