WIP: Authoritative DNS support
Like you suggested, I signed up for Cloudflare (with an e-mail account meant for spam) to try it out. I found that they aren't serving any data before a valid NS record is set up. They monitor the parent zone for this to change and send an email when validation passes. This implies potential downtime, if propagation reaches a consumer before Cloudflare. I agree with Cloudflare on this: why worry about spammers when the Domain Name System offers a way to avoid it. Therefore, like Cloudflare's, this implementation allows adding records before publishing and checks NS records on publish. Later, we can set up periodic automatic attempts to publish to replicate Cloudflare's UX in this regard.
With our API now aiming to validate zone data in JSON form in PUT /dns{/domain}, checking the records out with a GET is no longer necessary to be confident about what to expect. Thus, the live field does not store any records anymore and is now a boolean.
When the domain supports DNSSEC, publishing additionally checks for DS records. Please hear me out. First, users are going to their registrar anyway, for the NS records. I believe it is better UX to make them add both in one go. Prompting them to log in to their registrars for a second time will be annoying. Second, we want DNSSEC to be deployed as widely as possible. Third, this permits and governs changes of ownership. I believe these decisions will allow for a good user experience while letting us focus on interesting things and not worry about abuse.
The following are ways to represent DNS zone files:
- Semantic JSON, where assigned numbers (record types, crypto algorithm types, etc.) are replaced by their corresponding mnemonic strings, data is structured into fields... Very readable, easy to validate.
- Zone files, obviously. Everybody has them, everything supports them. Semi-readable, non-trivial to parse and validate.
Currently the API accepts 1, which it validates with a schema. To accommodate the DNS server, an encoder from 1 to 2 is ready. Both of those are implemented in https://git.sr.ht/~matthias_t/dns-data. Eventually, we might add support for accepting 2 in the API, and also write a plugin for CoreDNS to read 1 from the database.
This still lacks tests, but is otherwise ready for a review.
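As an added illustration (not code from dns-data or from this PR), here is a minimal encoder from representation 1 (semantic JSON) to representation 2 (zone-file text), together with the NS and DS checks that gate publishing as described above. The record shape (`name`/`type`/`ttl`/`data` with named fields) and the function names are assumptions for this example, not the project's real schema; the parent-zone data is passed in rather than looked up.

```python
# Hypothetical record shapes for this example; not dns-data's real schema.
EXAMPLE_ZONE = {"ttl": 300, "records": [
    {"name": "@", "type": "NS", "data": {"nameserver": "ns1.example.net."}},
    {"name": "@", "type": "NS", "data": {"nameserver": "ns2.example.net."}},
    {"name": "@", "type": "A", "ttl": 60, "data": {"address": "192.0.2.1"}},
    {"name": "@", "type": "MX", "data": {"preference": 10, "exchange": "mail.example.com."}},
    {"name": "@", "type": "TXT", "data": {"text": "v=spf1 mx -all"}},
]}

def _rdata(rtype, data):
    """Render one record's RDATA from its named fields (representation 1 -> 2)."""
    if rtype in ("A", "AAAA"):
        return data["address"]
    if rtype == "NS":
        return data["nameserver"]
    if rtype == "MX":
        return f"{data['preference']} {data['exchange']}"
    if rtype == "TXT":  # quote and escape so the zone-file parser sees exactly one string
        return '"' + data["text"].replace("\\", "\\\\").replace('"', '\\"') + '"'
    raise ValueError(f"unsupported record type {rtype}")

def encode_zone(domain, zone):
    """Semantic-JSON zone -> zone-file text; every line carries TTL and class explicitly."""
    origin = domain.rstrip(".") + "."
    default_ttl = zone.get("ttl", 3600)
    lines = [f"$ORIGIN {origin}", f"$TTL {default_ttl}"]
    for r in zone["records"]:
        name = origin if r["name"] == "@" else r["name"]  # relative names resolve under $ORIGIN
        lines.append(f"{name}\t{r.get('ttl', default_ttl)}\tIN\t{r['type']}\t{_rdata(r['type'], r['data'])}")
    return "\n".join(lines) + "\n"

def publish_problems(zone, parent_ns, dnssec=False, expected_ds=(), parent_ds=()):
    """Reasons to refuse publishing (empty list means go ahead).

    parent_ns / parent_ds are what the parent zone serves for this domain: passed in
    here, looked up in production. expected_ds are (key_tag, algorithm, digest_type,
    digest) tuples derived from the zone's signing key.
    """
    norm = lambda host: host.lower().rstrip(".") + "."
    apex_ns = {norm(r["data"]["nameserver"]) for r in zone["records"]
               if r["type"] == "NS" and r["name"] == "@"}
    parent = {norm(h) for h in parent_ns}
    problems = []
    if not apex_ns:
        problems.append("zone declares no NS records at the apex")
    elif parent != apex_ns:
        problems.append(f"parent delegates to {sorted(parent)}, zone declares {sorted(apex_ns)}")
    if dnssec and not set(expected_ds) & set(parent_ds):
        problems.append("parent serves no DS record matching the zone's signing key")
    return problems
```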