jonathanio
diff --git a/‎HACKING.md
Lines changed: 18 additions & 2 deletions b/‎HACKING.md
Lines changed: 18 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 9 additions & 1 deletion b/‎README.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎nix/checks.nix
Lines changed: 107 additions & 8 deletions b/‎nix/checks.nix
Lines changed: 107 additions & 8 deletions
diff --git a/‎nix/devshells.nix
Lines changed: 31 additions & 0 deletions b/‎nix/devshells.nix
Lines changed: 31 additions & 0 deletions
diff --git a/‎nix/resolver.crt
Lines changed: 24 additions & 0 deletions b/‎nix/resolver.crt
Lines changed: 24 additions & 0 deletions
diff --git a/‎nix/resolver.key
Lines changed: 28 additions & 0 deletions b/‎nix/resolver.key
Lines changed: 28 additions & 0 deletions
@@ -64,8 +64,12 @@ and [linking them to Nix packages](https://nixos.org/manual/nixos/stable/index.h
 This project's NixOS test sets up three machines:
 
 1. An OpenVPN server,
-2. An OpenVPN client, and
-3. A DNS resolver running [Dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html).
+2. An OpenVPN client,
+3. A DNS resolver running an instance of
+   [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) bound only to the
+   loopback address, plus an instance of
+   [RouteDNS](https://github.com/folbricht/routedns) bound to an address
+   reachable by the other machines.
 
 The OpenVPN server and client run a [point-to-point configuration with a static
 key](https://openvpn.net/community-resources/static-key-mini-howto/).  The
@@ -77,6 +81,10 @@ and then asserts that certain hostnames are resolvable _from the client_ that
 would not be resolvable unless the client were configured to use the DNS
 settings specified in its OpenVPN configuration file.
 
+The resolver machine uses dnsmasq for actual name resolution, plus DNSSEC
+validation.  The RouteDNS instance running on the same machine terminates
+DNS-over-TLS and forwards queries to Dnsmasq.
+
 #### Extending the NixOS test
 
 If you are implementing a new feature or correcting a bug in
@@ -113,6 +121,10 @@ $ nix build -L '.#checks.x86_64-linux.update-systemd-resolved'
 [^supported-systems]: Run `nix flake show` to view flake outputs namespaced by
                       all supported systems.
 
+#### Maintaining NixOS test assets
+
+##### Regenerating the DNS-over-TLS keypair
+
 ### Entering the Nix development shell
 
 To enter the Nix development shell, run the following command:
@@ -127,3 +139,7 @@ shell.
 #### Summary of available commands
 
 - `fmt`: format all Nix code in this project using [`alejandra`](https://github.com/kamadorueda/alejandra).
+- `mkdotcert`: regenerate the keypair used for encrypting DNS-over-TLS in the
+  NixOS system test.
+- `mkanchor`: regenerate the DNSSEC trust anchors configuration used with
+  dnsmasq in the NixOS system test.
@@ -307,7 +307,15 @@ OpenVPN, either through the server, or the client, configuration:
 | `DOMAIN` or `ADAPTER_DOMAIN_SUFFIX` | `example.com` | The primary domain for this host. If set multiple times, the first provided is used as the primary search domain for bare hostnames. Any subsequent `DOMAIN` options will be added as the equivalent of `DOMAIN-SEARCH` options. All requests for this domain as well will be routed to the `DNS` servers provided on this link. | [SetLinkDomains][resolved] |
 | `DOMAIN-SEARCH` | `example.com` | Secondary domains which will be used to search for bare hostnames (after any `DOMAIN`, if set) and in the order provided. All requests for this domain will be routed to the `DNS` servers provided on this link. | [SetLinkDomains][resolved] |
 | `DOMAIN-ROUTE` | `example.com` | All requests for these domains will be routed to the `DNS` servers provided on this link. They will *not* be used to search for bare hostnames, only routed. A `DOMAIN-ROUTE` option for `.` (single period) will instruct `systemd-resolved` to route the entire DNS name-space through to the `DNS` servers configured for this connection (unless a more specific route has been offered by another connection for a selected name/name-space). This is useful if you wish to prevent [DNS leakage](#dns-leakage). | [SetLinkDomains][resolved] |
-| `DNSSEC` | `yes`</br >`default` | Control of DNSSEC should be enabled (`yes`) or disabled (`no`), or `allow-downgrade` to switch off DNSSEC only if the server doesn't support it, for any queries over this link only, or use the system default (`default`). | [SetLinkDNSSEC][resolved] |
+| `DNSSEC` | `yes`, `true`</br >`no`, `false`</br >`default`</br >`allow-downgrade` | Control of DNSSEC should be enabled (`yes`, `true`) or disabled (`no`, `false`), or `allow-downgrade` to switch off DNSSEC only if the server doesn't support it, for any queries over this link only, or use the system default (`default`). | [SetLinkDNSSEC][resolved] |
+| `FLUSH-CACHES` | `yes`, `true`</br >`no`, `false` | Whether or not to flush all local DNS caches.  Enabled by default. | [FlushCaches][resolved] |
+| `RESET-SERVER-FEATURES` | `yes`, `true`</br >`no`, `false` | Whether or not to forget learnt DNS server feature levels.  Disabled by default. | [ResetServerFeatures][resolved] |
+| `RESET-STATISTICS` | `yes`, `true`</br >`no`, `false` | Whether or not to reset resolver statistics.  Disabled by default. | [ResetStatistics][resolved] |
+| `DEFAULT-ROUTE` | `yes`, `true`</br >`no`, `false` | If true, this link's configured DNS servers are used for resolving domain names that do not match any link's configured Domains= setting. If false, this link's configured DNS servers are never used for such domains, and are exclusively used for resolving names that match at least one of the domains configured on this link. Disabled by default. | [DNSDefaultRoute][resolved] |
+| `DNS-OVER-TLS` | `yes`, `true`</br >`no`, `false`</br >`opportunistic` |  If true all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate. If the hostname was specified in DNS= by using the format "address#server_name" it is used to validate its certificate and also to enable Server Name Indication (SNI) when opening a TLS connection. Otherwise the certificate is checked against the server's IP. If the DNS server does not support DNS-over-TLS all DNS requests will fail. When set to "opportunistic" DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-encrypted mode by synthesizing a response that suggests DNS-over-TLS was not supported. If set to false, DNS lookups are send over UDP. | [SetLinkDNSOverTLS][resolved] |
+| `LLMNR` | `yes`, `true`</br >`no`, `false`</br >`resolve` | Takes a boolean or "resolve". When true, enables Link-Local Multicast Name Resolution[1] on the link. When set to "resolve", only resolution is enabled, but not host registration and announcement. Defaults to true. | [SetLinkLLMNR][resolved] |
+| `MULTICAST-DNS` | `yes`, `true`</br >`no`, `false`</br >`resolve` | When true, enables Multicast DNS support on the link. When set to "resolve", only resolution is enabled, but not host or service registration and announcement. Defaults to false. | [SetLinkMulticastDNS][resolved] |
+| `DNSSEC-NEGATIVE-TRUST-ANCHORS` | `trusted.org` | If specified and DNSSEC is enabled, look-ups done via the interface's DNS server will be subject to the list of negative trust anchors, and not require authentication for the specified domains, or anything below it. Use this to disable DNSSEC authentication for specific private domains, that cannot be proven valid using the Internet DNS hierarchy. Defaults to the empty list. | [SetLinkDNSSECNegativeTrustAnchors][resolved] |
 
 **Note**: There are no local or system options to be configured. All configuration
 for this script is handled through OpenVPN, including, for example, the name of
 
@@ -82,6 +82,14 @@
         nodes = {
           resolver = {
             networking.domain = vpnDomain;
+
+            networking.firewall = {
+              #allowedTCPPorts = [resolverPort 5353];
+              #allowedUDPPorts = [resolverPort 5353];
+              allowedTCPPorts = [5353];
+              allowedUDPPorts = [5353];
+            };
+
             services.dnsmasq = {
               enable = true;
               resolveLocalQueries = false;
@@ -118,12 +126,48 @@
                   "server-cname,server-cname.${vpnDomain},server"
                   "client-cname,client-cname.${vpnDomain},client"
                 ];
+
+                dnssec = true;
+                trust-anchor = lib.importJSON ./trust-anchor.json;
               };
             };
 
-            networking.firewall = {
-              allowedTCPPorts = [resolverPort];
-              allowedUDPPorts = [resolverPort];
+            services.routedns = {
+              enable = true;
+
+              settings = {
+                resolvers = {
+                  local-tcp = {
+                    address = "127.0.0.1:53";
+                    protocol = "tcp";
+                  };
+
+                  local-udp = {
+                    address = "127.0.0.1:53";
+                    protocol = "udp";
+                  };
+                };
+
+                listeners = let
+                  commonConfig = {
+                    address = ":5353";
+
+                    # Generated with `mkcert`.
+                    server-crt = ./resolver.crt;
+                    server-key = ./resolver.key;
+                  };
+                in {
+                  local-dot = commonConfig // {
+                    protocol = "dot";
+                    resolver = "local-tcp";
+                  };
+
+                  local-dtls = commonConfig // {
+                    protocol = "dtls";
+                    resolver = "local-udp";
+                  };
+                };
+              };
             };
           };
 
@@ -176,8 +220,14 @@
             polkitRules = mkPolkitRulesForService config.systemd.services.${serviceAttrName};
           in {
             networking.useNetworkd = true;
-            services.resolved.enable = true;
-            services.resolved.dnssec = "false";
+
+            services.resolved = {
+              enable = true;
+              dnssec = "false"; # overridden for VPN interface
+              extraConfig = ''
+                MulticastDNS=no
+              '';
+            };
 
             users.users.openvpn = {
               description = "openvpn client user";
@@ -218,14 +268,29 @@
 
                 config ${perSystem.config.packages.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved.conf
 
-                dhcp-option DNS ${resolverIP}
+                dhcp-option DNS ${resolverIP}:5353#resolver
                 dhcp-option DOMAIN ${vpnDomain}
+
+                dhcp-option FLUSH-CACHES yes
+                dhcp-option RESET-SERVER-FEATURES true
+                dhcp-option RESET-STATISTICS yes
+
+                dhcp-option DEFAULT-ROUTE yes
+                dhcp-option DNS-OVER-TLS yes
+                dhcp-option LLMNR resolve
+                dhcp-option MULTICAST-DNS default
+
+                dhcp-option DNSSEC true
+                dhcp-option DNSSEC-NEGATIVE-TRUST-ANCHORS ${vpnDomain}
               '';
             };
 
             # Add our generated ruleset to the system's polkit rules
             environment.etc."polkit-1/rules.d/10-update-systemd-resolved.rules".source = polkitRules;
 
+            # `mkcert` CA
+            security.pki.certificateFiles = [./rootCA.pem];
+
             security.polkit = {
               enable = true;
               debug = true;
@@ -292,6 +357,11 @@
               machine.execute('systemctl status -l {0} 1>&2'.format(unit))
               raise(e)
 
+          def dump_resolved_info(machine):
+            with machine.nested('printing resolved status and statistics'):
+              machine.succeed('resolvectl status 1>&2')
+              machine.succeed('resolvectl statistics 1>&2')
+
           def assert_hostname_match(machine, expected, *args):
             cmd = shlex.join(['dig', '+short', *args])
 
@@ -313,6 +383,18 @@
             with machine.nested('checking that hostname resolves to expected address "{0}" from {1}'.format(expected, machine.name)):
               retry(hostname_matches)
 
+          def extract_interface_property(machine, interface, property, *args):
+            with machine.nested('extracting property "{0}" of interface "{1}"'.format(property, interface)):
+              cmd = shlex.join(['resolvectl', *args, property, interface])
+              return machine.succeed("{0} | grep -m1 -Po '(?<=:\s).*'".format(cmd)).rstrip()
+
+          def assert_interface_property(machine, interface, property, expected, *args):
+            with machine.nested('checking that property "{0}" of interface "{1}" is "{2}"'.format(property, interface, expected)):
+              actual = extract_interface_property(machine, interface, property, *args)
+              machine.log('property "{0}" of interface "{1}" is "{2}"'.format(property, interface, actual))
+              if actual != expected:
+                raise Exception('expected property "{0}" of interface "{1}" to be "{2}", but got "{3}"'.format(property, interface, expected, actual))
+
           # Machine.wait_for_open_port only checks ports on localhost
           def wait_for_open_host_port(machine, host, port, extra=[]):
             cmd = shlex.join(['nc'] + extra + ['-z', host, str(port)])
@@ -330,20 +412,37 @@
 
           resolver.start()
           wait_for_unit_with_output(resolver, 'dnsmasq')
+          wait_for_unit_with_output(resolver, 'routedns')
 
           server.start()
           wait_for_unit_with_output(server, '${serviceName}')
 
           client.start()
+
           wait_for_unit_with_output(client, '${serviceName}')
 
           # Block until we can reach the resolver (or until we hit the retry
           # timeout).  Pass `-u` flag to check UDP port; also check TCP port.
-          wait_for_open_host_port(client, '${resolverIP}', 53, extra=['-u'])
-          wait_for_open_host_port(client, '${resolverIP}', 53)
+          #wait_for_open_host_port(client, '${resolverIP}', 53, extra=['-u'])
+          #wait_for_open_host_port(client, '${resolverIP}', 53)
+          wait_for_open_host_port(client, '${resolverIP}', 5353, extra=['-u'])
+          wait_for_open_host_port(client, '${resolverIP}', 5353)
 
           assert_hostname_match(client, '${resolverIP}', 'resolver-cname.${vpnDomain}')
           assert_hostname_match(client, '${serverIP}', 'server-cname.${vpnDomain}')
+
+          dump_resolved_info(client)
+
+          assert_interface_property(client, '${interface}', 'default-route', 'yes')
+          assert_interface_property(client, '${interface}', 'llmnr', 'resolve')
+          assert_interface_property(client, '${interface}', 'mdns', 'no')
+          assert_interface_property(client, '${interface}', 'dnsovertls', 'yes')
+          assert_interface_property(client, '${interface}', 'dnssec', 'yes')
+
+          client.succeed('systemctl restart ${serviceName}')
+          wait_for_unit_with_output(client, '${serviceName}')
+
+          dump_resolved_info(client)
         '';
       };
   };
 
@@ -14,6 +14,37 @@
             exec ${config.treefmt.build.wrapper}/bin/treefmt "$@"
           '';
         }
+
+        {
+          name = "mkdotcert";
+          category = "maintenance";
+          help = "Generate the DNS-over-TLS keypair for use in system testing";
+          command = let
+            inherit (config.checks.update-systemd-resolved.nodes) resolver;
+          in ''
+            export CAROOT="''${PRJ_ROOT:-.}/nix"
+            ${pkgs.mkcert}/bin/mkcert -install || exit
+            ${pkgs.mkcert}/bin/mkcert \
+              -cert-file "''${CAROOT}/resolver.crt" \
+              -key-file "''${CAROOT}/resolver.key" \
+              ${resolver.networking.hostName} \
+              ${resolver.networking.hostName}.${resolver.networking.domain}
+          '';
+        }
+
+        {
+          name = "mkanchor";
+          category = "maintenance";
+          help = "Fetch DNSSEC root anchors and translate them to dnsmasq format";
+          command = ''
+            ${pkgs.xidel}/bin/xidel \
+              --input-format xml \
+              --output-format json-wrapped \
+              -e 'for $kd in //TrustAnchor/KeyDigest return string-join((//TrustAnchor/Zone, $kd/KeyTag, $kd/Algorithm, $kd/DigestType, $kd/Digest), ",")' \
+              https://data.iana.org/root-anchors/root-anchors.xml \
+            | ${pkgs.jq}/bin/jq flatten > "''${PRJ_ROOT}/nix/trust-anchor.json"
+          '';
+        }
       ];
 
       devshell = {
 
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAn2gAwIBAgIQavGAznzoeOanX8TOEcjvqjANBgkqhkiG9w0BAQsFADBP
+MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExEjAQBgNVBAsMCW1hdHRA
+c3J2MTEZMBcGA1UEAwwQbWtjZXJ0IG1hdHRAc3J2MTAeFw0yMzA3MjUwMjQxMzha
+Fw0yNTEwMjUwMjQxMzhaMD0xJzAlBgNVBAoTHm1rY2VydCBkZXZlbG9wbWVudCBj
+ZXJ0aWZpY2F0ZTESMBAGA1UECwwJbWF0dEBzcnYxMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA1IJRUwXZPs/5MSwePreyKNoIAZtgJ2Rx+NGZWWEw/CAK
++rJBCCQDDbV2g7wS9i23tDeTO/2nMltYJgxmC3XYz0GCCspBUzRBxdyX32qQfx0w
+Jch9QA9TcBEnPJ+aljbxmqFMGtWJrrUkq3G0NxGmyTDQ0W8/i8kwKTlI9DOk0FSR
+TnZlKhREfgbW6QJ0yPu1cbbRCucOiB7ALbMdl47YG8a0UjrXcCCJYa2lWW3NbE7R
+RTAjFnS2khTwTqTwDpugyONLIIFN2tqWOU/J0/1CNvx0zZiR7k9YcWCpyveOnxtr
+nyRmCFGCicYRzX7PM2+LDB7n6+8X6blZ33fxVktjaQIDAQABo38wfTAOBgNVHQ8B
+Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAUaZsI266/
++Vb53ggYcWMMblNm6VwwNQYDVR0RBC4wLIIIcmVzb2x2ZXKCIHJlc29sdmVyLnVw
+ZGF0ZS5zeXN0ZW1kLnJlc29sdmVkMA0GCSqGSIb3DQEBCwUAA4IBgQAo0jhIlCof
+spCNraN+NMHowQttPCVTloqbXb5KlVC7a3+VffEZNFZM1VLkgkYqT3muy1zPoyQy
+PeoYapRR/3JY1/ws7hZ5bs4+xL1Bg74I4A9WbWKjJcqfHCOhZ7EigVJZc2FM45jP
+9OrJQh9lMBfSAaYsrgnHa/JJe9p3gYA8SD1Y9fxXPPKct7m8+Yi4Lxqh3Q9hvQLv
+5hWHkoGhbTDCYSrP/vJHlVKep0aTVo2pS09QvdqsYU5Mzf/KnvL9bVTCh+DY9IH+
+a5Izz9ss2d7OzVixax6AE5Xqsy2daq1RCXWnzJW8WRIZsnHJgFvXcHUhV15uJ05c
+sqpKsI+m8fCbva3d64/jMUlQ7CVobUAhzJ/+deqSpIIDMGZpQyJvY14zE4JfAokG
+tDcWfgGHpPnlVkWbzxiqPaXN7zXXFNDhOhAloE3Vg4JnG6dUE/6mFtWJlAo83qbb
+o5yKq3d48wI78yb/5lz+rx6ud+0Zr77A1kDk8ol3O6lOIxNO9KGCFYw=
+-----END CERTIFICATE-----
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUglFTBdk+z/kx
+LB4+t7Io2ggBm2AnZHH40ZlZYTD8IAr6skEIJAMNtXaDvBL2Lbe0N5M7/acyW1gm
+DGYLddjPQYIKykFTNEHF3JffapB/HTAlyH1AD1NwESc8n5qWNvGaoUwa1YmutSSr
+cbQ3EabJMNDRbz+LyTApOUj0M6TQVJFOdmUqFER+BtbpAnTI+7VxttEK5w6IHsAt
+sx2XjtgbxrRSOtdwIIlhraVZbc1sTtFFMCMWdLaSFPBOpPAOm6DI40sggU3a2pY5
+T8nT/UI2/HTNmJHuT1hxYKnK946fG2ufJGYIUYKJxhHNfs8zb4sMHufr7xfpuVnf
+d/FWS2NpAgMBAAECggEAOEqM4EEcWtccWzokiNiACPI4TLSrs8OXrSFYTaTBJQgX
+4HB3aYCgjnETA7I+E5fooYRXK/z03RH1N57xKPf+hmgD2nfY9gFRqufUEwpXXFSO
+/HMvOljU8UqZ6iUc/c1wElXHoxQNdInnPMLRygSS+ZhEuDWPz6draoASIx3K+qPw
+Xq9j4ObVZepBSIA7bS/Sl/uFs/eUrx5dAG3Kcf/PJvV2eVV0Yx7R75C7+CNs+192
+EuYY9N8pwhcHtDVIzHXlheL/+VhBk1v8Xb8BfEgxjEZdUpe2AqG20nZwzkgHxFOa
+/r30dwRiRXBJILqQiaWI1mKeXVJ6qrXuLhyk8PuwAQKBgQDdnQ2gaZHG2L/a/Cb0
+W1KgAer1FO0dzbWHkAGhQuix3VLdIpLQnlo4GP6IWBC2NHltHeDzyprdkYKuGenz
+n7dh0hrLRMzhrLCKl6NkAcvDyOVTezCKSpNOUwYNR3lHeTKY+8Q3kqOEclQ+UPeg
+RSy+K5LwhVxy29cSKvuaxflxiQKBgQD1e54N4/q6zaECQU2kGBUmT0OEbtHwKFD5
+31zba2JqkW/eC9pRA/vNaiYYZDu/Ons9MBiBtxYIpQNeHh/HUeO+rBlXkMn37JuJ
+9FKDnp1aQ71UY8rDiPV4eqYQw8afrlqO4y9LK+82Vmd3N5Pn2WiDy2D0VZKG5Q6B
+sBQ90xVK4QKBgQDTKwQBBpdR0td94yd7UEm7DhjEz9vhulJvilkDQK5aTXrYHEmp
+YDq3mZlwcfn6pKXPw9jGdRh8aFsNasPy0Q38uCev6S8RG2xdo4Cdmth/Br7+fTQT
+klwrFhF+NczqviHohH7ENYZ6fjan6p8KqN+plfu+FFWzXKfjN/Hn2R2HgQKBgAPV
+6qJM7Z39mIZwfsYRmkL++g8XrDAUcS92Tf0fsGn528WcaczaQxTyk6XN6yERyNsr
+5TYhpjZ8XZEa52Q141kXV04G9SDqkYOWTbPAxrSiWlL3PDPR8APx5qZcaL4V+1RA
+OHz0MsimkPdL5wO4YemtQ9aNf7yb154vIiHVKoABAoGBAKqddjgcJd5Xcick+l2L
+EL1noAqpi7tUo+wdnKjYFIaNCqbRBz336DWWE8urxHoEbSBajt6oDuErYAVXBiIm
+fvhoQOhLJ2fzeVd3GbFUJd/ccb06vNaU3PAOkEKDlVShH4rSzz+Ms+FEiE5EIrhI
+pOoPAyw27H6Afgf9EXWPXxfG
+-----END PRIVATE KEY-----