(WIP) Cirrus: Add Unbound tests #153

55 changes: 55 additions & 0 deletions .cirrus.yml
@@ -223,6 +223,61 @@ task:
GOX_TAGS: ""
GO_VERSION: latest

task:
name: Resolve Tests Electrum Unbound
compute_engine_instance:
image_project: cirrus-images
image: family/docker-builder
platform: linux
cpu: 1
memory: 1G
install_script:
- curl -o /usr/bin/electrum-nmc https://www.namecoin.org/files/electrum-nmc/electrum-nmc-4.0.0b0/electrum-nmc-nc4.0.0b0-x86_64.AppImage
- chmod +x /usr/bin/electrum-nmc
- curl -o ncdns.tar.gz https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/Cross-Compile%20Go%20latest/binaries/dist/ncdns--linux_amd64.tar.gz
- tar -xaf ./ncdns.tar.gz
- mv ./ncdns-*/bin/* /usr/bin/
- apt-get install -y libcap-dev # For ncdns
- apt-get install -y bind9-utils # For dnssec-keygen
- apt-get install -y bind9-dnsutils # For dig
- apt-get install -y unbound
# Set up DNSSEC
- mkdir KSK
- dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK -K KSK bit
- mkdir ZSK
- dnssec-keygen -a RSASHA256 -3 -b 2048 -K ZSK bit
- mkdir -p /etc/unbound/keys/ /etc/unbound/conf.d/
- cp KSK/*.key /etc/unbound/keys/bit.key
- cp _doc/unbound/conf.d/ncdns.conf /etc/unbound/conf.d/
- cp _doc/unbound/conf.d/ncdns-dnssec-on.conf /etc/unbound/conf.d/
electrum_background_script:
- electrum-nmc $ELECTRUM_ARGS -v daemon
ncdns_background_script:
- ncdns -ncdns.namecoinrpcusername user -ncdns.namecoinrpcpassword pass -ncdns.bind :5391 -ncdns.privatekey $PWD/KSK/*.private -ncdns.publickey $PWD/KSK/*.key -ncdns.zoneprivatekey $PWD/ZSK/*.private -ncdns.zonepublickey $PWD/ZSK/*.key -xlog.severity DEBUG
resolve_electrum_script:
- while ! electrum-nmc $ELECTRUM_ARGS name_show d/namecoin
- do
- echo Waiting for Electrum-NMC to sync...
- sleep 1s
- done
- electrum-nmc $ELECTRUM_ARGS name_show d/namecoin | grep $NAMECOIN_IP
resolve_ncdns_script:
- dig -p 5391 @127.0.0.1 namecoin.bit
- dig -p 5391 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
- dig -p 5391 +tcp @127.0.0.1 namecoin.bit
- dig -p 5391 +tcp @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
resolve_unbound_script:
- dig -p 53 @127.0.0.1 namecoin.bit
- dig -p 53 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
depends_on:
- "Cross-Compile Go latest"
env:
NAMECOIN_IP: "91.219.237.223"
ELECTRUM_ARGS: "--rpcport 8336 --rpcuser user --rpcpassword pass"
# Necessary for Electrum-NMC to find its data directory (for some reason
# HOME isn't set by default in docker_builder)
HOME: /root

task:
# GitHub Release Upload
# TODO: implement this.
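Review bot: The first `install_script` line saves the Electrum-NMC AppImage straight to `/usr/bin/electrum-nmc` and the next line marks it executable, with no integrity check in between, and `curl -o` without `--fail` will write an HTTP error body to that path just the same. Pin the expected SHA-256 of the 4.0.0b0 AppImage in the task and verify it before `chmod +x` (for example with `sha256sum -c`), and add `--fail` to both `curl` calls. Separately, `resolve_unbound_script` only greps for `$NAMECOIN_IP`, so it passes whether or not Unbound validated the answer even though `ncdns-dnssec-on.conf` is installed; asserting on the `ad` flag in dig's header output would make this an actual DNSSEC test. Nothing visible here restarts Unbound after the `conf.d` files and `bit.key` are copied, or shows that `/etc/unbound/conf.d/` is included by the packaged configuration, so confirm the resolver is actually running with these files before the dig.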
28 changes: 6 additions & 22 deletions README.md
@@ -28,19 +28,9 @@ Using ncdns with a recursive resolver
-------------------------------------
Of course the daemon can also be used simply as an authoritative nameserver for
bit. directly. One way to do this is to run a recursive resolver (such as
Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example
unbound configuration:
Unbound) and configure it to serve the zone as a 'stub zone'. An example Unbound configuration file `ncdns.conf` is in `_doc/unbound`.

server:
do-not-query-localhost: no
stub-zone:
name: bit.
stub-addr: 127.0.0.1@1153

If you don't want to use DNSSEC, also add:

server:
domain-insecure: bit.
If you don't want to use DNSSEC, also add `ncdns-dnssec-off.conf` to Unbound's configuration.

If you do want to use DNSSEC, see the instructions below.
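Review bot: Both added lines point the reader at the wrong place or at no place at all: the first says `ncdns.conf` is in `_doc/unbound`, but this PR adds it under `_doc/unbound/conf.d/`, and the second names `ncdns-dnssec-off.conf` without any path. Give the full path for each file. "Add ... to Unbound's configuration" also leaves open whether the file should be copied into a directory Unbound already includes or referenced with an explicit `include:` line; one sentence stating which is intended would replace what the removed inline example used to show.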

@@ -71,13 +61,7 @@ if you want to use the key as a trust anchor with a recursive resolver such as
unbound, you should specify `bit`.)

If using Unbound as a recursive resolver, you should add the KSK's public key file
as a trust anchor to unbound like so:

server:
trust-anchor-file: "/etc/unbound/keys/bit.key"

`bit.key` should be the file containing the KSK DNSKEY (or DS) which ncdns is
configured to use.
as a trust anchor to unbound, as in `ncdns-dnssec-on.conf` in `_doc/unbound`.

Building
--------
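Review bot: The replacement sentence drops the explanation that `bit.key` must hold the KSK DNSKEY (or DS) that ncdns is configured to use, and the README no longer says where that file has to go. `ncdns-dnssec-on.conf` hard-codes `/etc/unbound/keys/bit.key`, so a reader who includes it without copying the key there points Unbound at a file that does not exist. Keep one sentence here saying the KSK public key file must be copied to that path (or the path in the conf edited), and reference the file as `_doc/unbound/conf.d/ncdns-dnssec-on.conf`.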
@@ -139,17 +123,17 @@ ncdns uses a configuration file which is looked for at `../etc/ncdns.conf`
this and all options on the command line. An annotated example configuration
file `ncdns.conf.example` is available in doc.

You will need to setup a `namecoind`, `namecoin-qt` or compatible Namecoin node
You will need to setup a `namecoind`, `namecoin-qt`, `electrum-nmc`, or compatible Namecoin node
and enable the JSON-RPC interface. You will then need to provide `ncdns` with
the address of this interface and any necessary username and password via the
configuration file.

If you only want to resolve .bit names yourself, here is a suggested setup on
Linux:

- Install `namecoind` (or `namecoin-qt`) and set it to start automatically
- Install `namecoind` (or `namecoin-qt` or `electrum-nmc`) and set it to start automatically
at boot or login. Set up the JSON-RPC interface and make sure it works
by making a test query: `namecoind name_show d/example`.
by making a test query: `namecoin-cli name_show d/example` or `electrum-nmc name_show d/example`.

- Write a ncdns configuration file and set ncdns up to start at boot.
Since Unbound will tie up port 53, set a different port (ideally one >=1024,
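Review bot: On the changed test-query line, `electrum-nmc name_show d/example` is shown as a bare command, while the CI task in this PR only gets an answer after starting `electrum-nmc $ELECTRUM_ARGS -v daemon` in the background, passing `--rpcport`, `--rpcuser` and `--rpcpassword` on every call, and looping until the sync completes. Say in the README that the Electrum-NMC daemon has to be running and synced before the query works, and which RPC settings ncdns then needs to match. Minor style point: "setup" in the first changed line is used as a verb and should be "set up".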
4 changes: 4 additions & 0 deletions _doc/unbound/conf.d/ncdns-dnssec-off.conf
@@ -0,0 +1,4 @@
# Include this file if ncdns has DNSSEC disabled.

server:
domain-insecure: bit.
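Review bot: The header comment should say that this file and `ncdns-dnssec-on.conf` are alternatives, because both are added to the same `conf.d/` directory and a setup that includes the whole directory would load `domain-insecure: bit.` alongside the trust anchor. State "include exactly one of ncdns-dnssec-on.conf or ncdns-dnssec-off.conf" in both files, and note here that with this file in place answers under `bit.` are accepted without DNSSEC validation, so an operator does not end up in that state unintentionally.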
6 changes: 6 additions & 0 deletions _doc/unbound/conf.d/ncdns-dnssec-on.conf
@@ -0,0 +1,6 @@
# Include this file if ncdns has DNSSEC enabled.

server:
# bit.key should be the file containing the KSK DNSKEY (or DS) which ncdns is
# configured to use.
trust-anchor-file: "/etc/unbound/keys/bit.key"
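Review bot: The comment above `trust-anchor-file` should make clear that only the public `.key` file belongs at `/etc/unbound/keys/bit.key`. The CI task in this PR shows the `.key` and `.private` files sitting side by side in `KSK/`, and the `.private` half should never be copied into Unbound's directory. It is also worth noting in the comment that the file has to be replaced whenever the KSK is regenerated, since `trust-anchor-file` is a static anchor.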
7 changes: 7 additions & 0 deletions _doc/unbound/conf.d/ncdns.conf
@@ -0,0 +1,7 @@
# Include this file if ncdns is in use.

server:
do-not-query-localhost: no
stub-zone:
name: bit.
stub-addr: 127.0.0.1@5391
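Review bot: `stub-addr: 127.0.0.1@5391` ties this file to ncdns listening on port 5391, but the header comment does not say so, and the README example this file replaces used `127.0.0.1@1153`. Add a comment that the port must match the ncdns bind setting (the CI task uses `-ncdns.bind :5391`). `do-not-query-localhost: no` is set under `server:` rather than inside the stub zone, so it applies to the resolver as a whole; a one-line comment explaining why it is needed would help whoever audits the configuration later.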