T6294: Service dns forwarding add the ability to configure ZonetoCache

[HollyGurza]

Change Summary

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T6294

Related PR(s)

Component(s) name

Proposed changes

How to test

conf
set service dns forwarding allow-from '127.0.0.0/24'
set service dns forwarding listen-address '127.0.0.1'
set service dns forwarding zone-to-cache test source url 'https://www.internic.net/domain/root.zone'
commit

vyos@vyos# sudo rec_control dump-cache cache.tmp
dumped 15052 records

sudo journalctl | grep DNS
...
Jul 29 09:46:40 vyos systemd[1]: Started pdns-recursor.service - PowerDNS Recursor.
Jul 29 09:46:40 vyos pdns-recursor[9685]: msg="Getting zone by URL" subsystem="ztc" level="0" tid="2" ts="1722246400.869" zone="test"
Jul 29 09:46:55 vyos pdns-recursor[9685]: msg="ZONEMD digest validation" subsystem="ztc" level="0" tid="2" ts="1722246415.065" validationDone="0" validationSuccess="0" zone="test"
Jul 29 09:46:55 vyos pdns-recursor[9685]: msg="Loaded zone into cache" subsystem="ztc" level="0" tid="2" ts="1722246415.092" refresh="86400" zone="test"

Smoketest result

vyos@vyos:~$ python3 /usr/libexec/vyos/tests/smoke/cli/test_service_dns_forwarding.py
test_basic_forwarding (__main__.TestServicePowerDNS.test_basic_forwarding) ... 
service_dns_forwarding: ConfigError('DNS forwarding requires a listen-address')


service_dns_forwarding: ConfigError('DNS forwarding requires a listen-address')

ok
test_dns64 (__main__.TestServicePowerDNS.test_dns64) ... 
service_dns_forwarding: ConfigError('DNS 6to4 prefix must be of length /96')

ok
test_dnssec (__main__.TestServicePowerDNS.test_dnssec) ... ok
test_domain_forwarding (__main__.TestServicePowerDNS.test_domain_forwarding) ... ok
test_ecs_add_for (__main__.TestServicePowerDNS.test_ecs_add_for) ... ok
test_ecs_ipv4_bits (__main__.TestServicePowerDNS.test_ecs_ipv4_bits) ... ok
test_edns_subnet_allow_list (__main__.TestServicePowerDNS.test_edns_subnet_allow_list) ... ok
test_exclude_throttle_adress (__main__.TestServicePowerDNS.test_exclude_throttle_adress) ... ok
test_external_nameserver (__main__.TestServicePowerDNS.test_external_nameserver) ... ok
test_listening_port (__main__.TestServicePowerDNS.test_listening_port) ... ok
test_multiple_ns_records (__main__.TestServicePowerDNS.test_multiple_ns_records) ... ok
test_no_rfc1918_forwarding (__main__.TestServicePowerDNS.test_no_rfc1918_forwarding) ... ok
test_serve_stale_extension (__main__.TestServicePowerDNS.test_serve_stale_extension) ... ok
test_zone_to_cache_axfr (__main__.TestServicePowerDNS.test_zone_to_cache_axfr) ... ok
test_zone_to_cache_options (__main__.TestServicePowerDNS.test_zone_to_cache_options) ... ok
test_zone_to_cache_url (__main__.TestServicePowerDNS.test_zone_to_cache_url) ... ok
test_zone_to_cache_wrong_source (__main__.TestServicePowerDNS.test_zone_to_cache_wrong_source) ... 
service_dns_forwarding: ConfigError('Invalid configuration for zone "smoketest": Please select one source\ntype "url" or "axfr".')

ok

----------------------------------------------------------------------
Ran 17 tests in 68.981s

OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

✅ No issues found in unused-imports check.. Please refer the workflow run

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed

[dmbaturin]

I think the UI and help strings can be improved.

[c-po]

@Mergifyio rebase

[mergify]

rebase

✅ Branch has been successfully rebased

[c-po]

From a CLI perspective (both completion help and constraint) I think it would be easier to just make this seconds only

[HollyGurza]

the first version used seconds, but was reworked after this comment:
#3896 (comment)

@dmbaturin what do you think about this?

[dmbaturin]

Let's just do seconds for ease of validation. We can later add suffixed values, once we have a validator for them. It shouldn't be a problem because a number without any suffix is interpreted as seconds anyway, so we'll only need to relax the validation to allow human-readable values like 1d12h.

[HollyGurza]

fixed

[c-po]

Retry every 24855 days? I think the bounds are to relaxed. I'd go for 1 - 86400 so from one second to once a day.

[HollyGurza]

fixed

[c-po]

I assume 0 refers to "ignore the size". If this is the case, please add a dedicated value help explaining the special meaning of 0

[HollyGurza]

fixed

[c-po]

Plase make it even more obvious:

<valueHelp>
  <format>u32:0</format>
  <description>No restriction</description>
</valueHelp>
<valueHelp>
  <format>u32:1-1024</format>
  <description>Size in megabytes</description>
</valueHelp>

[HollyGurza]

fixed

[c-po]

What's ZONEMD mode? Maybe add a bit more context. to the help string.

Please also add

<completionHelp>
  <list>ignore validate require</list>
</completionHelp>

to improve the user experience on the CLI

[HollyGurza]

fixed

[c-po]

Plase make it even more obvious:

<valueHelp>
  <format>u32:0</format>
  <description>No restriction</description>
</valueHelp>
<valueHelp>
  <format>u32:1-1024</format>
  <description>Size in megabytes</description>
</valueHelp>

Roman already addressed the issue.

[24fpsDaVinci]

when I try to add root zone . as per https://docs.powerdns.com/recursor/lua-config/ztc.html#example
I get node.tag auto complete, is this correct behavior? I couldnt find any reference to "node.tag" in pdns-recursor docs

vyos@vyos# set service dns forwarding zone-cache . 
Possible completions:
 > node.tag             Load a zone into the recursor cache

      

then /run/pdns-recursor/recursor.conf.lua ends up being

zoneToCache("node.tag", "url", "https://www.internic.net/domain/root.zone", { dnssec = "validate", zonemd = "validate", maxReceivedMBytes = 0, retryOnErrorPeriod = 60, refreshPeriod = 86400, timeout = 20 })

[HollyGurza]

when I try to add root zone . as per https://docs.powerdns.com/recursor/lua-config/ztc.html#example I get node.tag auto complete, is this correct behavior? I couldnt find any reference to "node.tag" in pdns-recursor docs

vyos@vyos# set service dns forwarding zone-cache . 
Possible completions:
 > node.tag             Load a zone into the recursor cache

      

then /run/pdns-recursor/recursor.conf.lua ends up being

zoneToCache("node.tag", "url", "https://www.internic.net/domain/root.zone", { dnssec = "validate", zonemd = "validate", maxReceivedMBytes = 0, retryOnErrorPeriod = 60, refreshPeriod = 86400, timeout = 20 })

Thank you for testing, I think it's incorrect behavior.
created a bug report for this: https://vyos.dev/T6893