Commit Graph

162 Commits

Author SHA1 Message Date
Viktor Szépe cd959bc522
Fix typos (#2406) 2024-07-21 07:01:25 -04:00
KiekerJan 1a239c55bb
More robust reading of sshd configuration (#2330)
Use sshd -T instead of directly reading the configuration files
2024-03-23 11:16:40 -04:00
Teal Dulcet 1d79f9bb2b Fixed PERF401 (manual-list-comprehension): Use a list comprehension to create a transformed list 2024-03-10 07:56:49 -04:00
Teal Dulcet f0377dd59e Fixed SIM105 (suppressible-exception) 2024-03-10 07:56:49 -04:00
Teal Dulcet 0e9193651d Fixed PLW1514 (unspecified-encoding): `open` in text mode without explicit `encoding` argument 2024-03-10 07:56:49 -04:00
Teal Dulcet c719fce40a Fixed UP032 (f-string): Use f-string instead of `format` call 2024-03-10 07:56:49 -04:00
Teal Dulcet ca8f06d590 Fixed PLR1711 (useless-return): Useless `return` statement at end of function 2024-03-10 07:54:51 -04:00
Teal Dulcet 57d05c1ab2 Fixed B007 (unused-loop-control-variable) 2024-03-10 07:54:51 -04:00
Teal Dulcet c953e5784d Fixed C401 (unnecessary-generator-set): Unnecessary generator (rewrite as a `set` comprehension) 2024-03-10 07:54:51 -04:00
Teal Dulcet 81a4da0181 Fixed SIM110 (reimplemented-builtin) 2024-03-10 07:54:51 -04:00
Teal Dulcet 99d3929f99 Fixed E711 (none-comparison) 2024-03-10 07:54:51 -04:00
Teal Dulcet 541f31b1ba Fixed FURB113 (repeated-append) 2024-03-10 07:54:51 -04:00
Teal Dulcet 67b9d0b279 Fixed PLW0108 (unnecessary-lambda): Lambda may be unnecessary; consider inlining inner function 2024-03-10 07:54:51 -04:00
Teal Dulcet 3d72c32b1d Fixed W605 (invalid-escape-sequence) 2024-03-10 07:54:51 -04:00
Teal Dulcet 14a5613dc8 Fixed UP031 (printf-string-formatting): Use format specifiers instead of percent format 2024-03-10 07:54:51 -04:00
Teal Dulcet fba92de051 Fixed SIM108 (if-else-block-instead-of-if-exp) 2024-03-10 07:54:51 -04:00
Teal Dulcet 51dc7615f7 Fixed RSE102 (unnecessary-paren-on-raise-exception): Unnecessary parentheses on raised exception 2024-03-10 07:54:51 -04:00
Teal Dulcet 13b38cc04d Fixed F841 (unused-variable) 2024-03-10 07:54:51 -04:00
Teal Dulcet 2b426851f9 Fixed UP032 (f-string): Use f-string instead of `format` call 2024-03-10 07:54:51 -04:00
Teal Dulcet 6bfd1e5140 Fixed W293 (blank-line-with-whitespace): Blank line contains whitespace 2024-03-10 07:54:51 -04:00
Teal Dulcet 555ecc1ebb Fixed PIE810 (multiple-starts-ends-with): Call `startswith` once with a `tuple` 2024-03-10 07:54:51 -04:00
Teal Dulcet dd61844ced Fixed EM101 (raw-string-in-exception): Exception must not use a string literal, assign to variable first 2024-03-10 07:54:51 -04:00
Teal Dulcet 49124cc9ca Fixed PLR6201 (literal-membership): Use a `set` literal when testing for membership 2024-03-10 07:54:51 -04:00
Teal Dulcet cb922ec286 Fixed UP015 (redundant-open-modes): Unnecessary open mode parameters 2024-03-10 07:54:49 -04:00
Teal Dulcet 0ee64f2fe8 Fixed F401 (unused-import) 2024-03-10 07:54:21 -04:00
Joshua Tauberer e828d63a85 Allow secondary DNS xfr: items to be hostnames that are resolved to IP addresses when generating the nsd configuration 2023-05-13 07:00:10 -04:00
KiekerJan c9584148a0
Fix issue where sshkeygen fails when ipv6 is disabled (#2248) 2023-05-13 06:39:46 -04:00
Hugh Secker-Walker 820a39b865
chore(python open): Refactor open and gzip.open to use context manager (#2203)
Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>
2023-01-15 08:28:43 -05:00
KiekerJan 0fc5105da5
Fixes to DNS lookups during status checks when there are timeouts, enforce timeouts better (#2191)
* add dns query handling changes

* replace exception pass with error message

* simplify dns exception catching

* Add not set case to blacklist lookup result handling
2023-01-15 08:20:08 -05:00
alento-group 32c68874c5
Fix NSD not restarting (#2182)
A previous commit (0a970f4bb2) broke nsd restarting. This fixes that change by reverting it.

Josh added: Use nsd-control with reconfig and reload if they succeed and only fall back to restarting nsd if they fail

Co-authored-by: Joshua Tauberer <jt@occams.info>
2022-10-30 08:16:03 -04:00
Joshua Tauberer ddf8e857fd
Support Ubuntu 22.04 Jammy Jellyfish (#2083) 2022-10-11 21:18:34 -04:00
Joshua Tauberer 0a970f4bb2 Use nsd-control to refresh nsd after zone files are rewritten rather than 'service nsd restart'
I am not sure if this was the problem but nsd didn't serve updated zonefiles on my box and 'service nsd restart' must have been used, so maybe it doesn't reload zones.
2022-10-08 07:24:57 -04:00
Sudheesh Singanamalla d7244ed920
Fixes #2149 Append ; in policy strings for DMARC settings (#2151)
Signed-off-by: Sudheesh Singanamalla <sudheesh@cloudflare.com>
2022-08-19 13:23:42 -04:00
Rauno Moisto 78569e9a88 Fix DeprecationWarning in dnspython query vs resolve method
The resolve method disables resolving relative names by default. This change probably makes a7710e90 unnecessary. @JoshData added some additional changes from query to resolve.
2022-07-28 14:02:46 -04:00
Joshua Tauberer cb564a130a Fix DNS secondary nameserver refesh failure retry period
Fixes #1979
2022-01-08 09:38:41 -05:00
drpixie df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
Joshua Tauberer e283a12047 Add null SPF, DMARC, and MX records for automatically generated autoconfig, autodiscover, and mta-sts subdomains; add null MX records for custom A-record subdomains
All A/AAAA-resolvable domains that don't send or receive mail should have these null records.

This simplifies the handling of domains a bit by handling automatically generated subdomains more like other domains.
2021-05-15 16:42:14 -04:00
Joshua Tauberer e421addf1c Pre-load domain purpopses when building DNS zonefiles rather than querying mail domains at each subdomain 2021-05-09 08:16:07 -04:00
Joshua Tauberer 354a774989 Remove a debug line added in 8cda58fb 2021-05-09 07:34:44 -04:00
Joshua Tauberer 8cda58fb22 Speed up status checks a bit by removing a redundant check if the PRIMARY_HOSTNAME certificate is signed and valid 2021-04-12 19:42:12 -04:00
Joshua Tauberer 178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
Joshua Tauberer 6653dbb2e2 Sort the Custom DNS by zone and qname, and add an option to go back to the old sort order (creation order)
Update the zone grouping style on the users and aliases page to match.

Fixes #1927
2021-02-28 09:40:32 -05:00
Nicolas North 8025c41ee4
Bump TTL for NS records to 1800 (30 min) to 86400 (1 day) as some registries require this (#1892)
Co-authored-by: Nicolas North [norðurljósahviða] <nz@tillverka.xyz>
2021-01-03 17:57:54 -05:00
Victor b85b86e6de
Add download zonefile button to external DNS page (#1853)
Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-11-16 06:03:41 -05:00
Joshua Tauberer 51aedcf6c3 Drop the MTA-STS TLSRPT record unless set explicitly 2020-09-21 15:57:17 -04:00
David Duque e6102eacfb
AXFR Transfers (for secondary DNS servers): Allow IPv6 addresses (#1787) 2020-07-08 18:26:47 -04:00
Joshua Tauberer 6fd3195275 Fix MTA-STS policy id so it does not have invalid characters, fixes #1779 2020-06-12 13:09:11 -04:00
Joshua Tauberer e03a6541ce Don't make autoconfig/autodiscover subdomains and SRV records when the parent domain has no user accounts
These subdomains/records are for automatic configuration of mail clients, but if there are no user accounts on a domain, there is no need to publish a DNS record, provision a TLS certificate, or create an nginx server config block.
2020-06-11 12:20:17 -04:00
Joshua Tauberer 3a4b8da8fd More for MTA-STS for incoming mail
* Create the mta_sts A/AAAA records even if there is no valid TLS certificate because we can't get a TLS certificate if we don't set up the domains.
* Make the policy id in the TXT record stable by using a hash of the policy file so that the DNS record doesn't change every day, which means no nightly notification and also it allows for longer caching by sending MTAs.
2020-05-30 08:04:09 -04:00
Joshua Tauberer 10bedad3a3 MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00