Give more freedom when configuring Zonemaster::LDNS #134

Merged (8 commits, Apr 28, 2022)
98 changes: 89 additions & 9 deletions Makefile.PL
Expand Up @@ -14,17 +14,69 @@ all_from 'lib/Zonemaster/LDNS.pm';
repository 'https://github.com/zonemaster/zonemaster-ldns';
bugtracker 'https://github.com/zonemaster/zonemaster-ldns/issues';

=head1 Optional features

=over

=item --[no-]ed25519

Enable (or disable) support for Ed25519 in both openssl and ldns.
Enabled by default.

=item --[no-]idn

Enable (or disable) support for converting IDN labels in U-label format (with
non-ASCII Unicode characters) to the same IDN labels in A-label format (encoded
in ASCII).
Enabled by default.

=item --[no-]internal-ldns

When enabled, an included version of ldns is statically linked into
Zonemaster::LDNS.
When disabled, libldns is dynamically linked just like other dependencies.
Enabled by default.

=item --[no-]randomize

Experimental.
Randomizes the capitalization of returned domain names.
Disabled by default.

=item --prefix-openssl=PATH

Search for OpenSSL headers and libraries in PATH.
The LDNS script will look for an "include" and a "lib" folder.

=item --openssl-inc=PATH

Search for OpenSSL include in PATH.
The PATH is passed to the LDNS compiler via the CFLAGS variable.

=item --openssl-lib=PATH

Search for OpenSSL library in PATH.
The PATH is passed to the LDNS compiler via the LDFLAGS variable.

=back

=cut

my $opt_ed25519 = 1;
my $opt_idn = 1;
my $opt_internal_ldns = 1;
my $opt_randomize = 0;
my $opt_prefix_openssl = "";
my $opt_openssl_inc = "";
my $opt_openssl_lib = "";
GetOptions(
'ed25519!' => \$opt_ed25519,
'idn!' => \$opt_idn,
'internal-ldns!' => \$opt_internal_ldns,
'randomize!' => \$opt_randomize,
'prefix-openssl=s' => \$opt_prefix_openssl,
'openssl-inc=s' => \$opt_openssl_inc,
'openssl-lib=s' => \$opt_openssl_lib,
);

configure_requires 'Devel::CheckLib';
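Review bot: the new option descriptions do not say what happens when `--prefix-openssl` is combined with `--openssl-inc` or `--openssl-lib`; the `$custom_openssl` block further down in this file lets the explicit directory override the one derived from the prefix, so state that here, e.g. "If given together with --prefix-openssl, this directory takes precedence." Also "The LDNS script will look for an "include" and a "lib" folder" leaves the reader guessing which script; name the bundled ldns `configure` script, since that is what receives `--with-ssl=PATH` in the make fragment below.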
Expand All @@ -42,12 +94,31 @@ cc_src_paths 'src';
# OpenSSL

my %assert_lib_args_openssl;
if ( $opt_prefix_openssl ) {
print "Custom prefix for OpenSSL: $opt_prefix_openssl\n";
cc_include_paths "$opt_prefix_openssl/include";
cc_libs "-L$opt_prefix_openssl/lib", "crypto";
$assert_lib_args_openssl{incpath} = "$opt_prefix_openssl/include";
$assert_lib_args_openssl{libpath} = "$opt_prefix_openssl/lib";
my $custom_openssl = ( $opt_prefix_openssl or $opt_openssl_inc or $opt_openssl_lib );
if ( $custom_openssl ) {
my $openssl_incpath = "";
my $openssl_libpath = "";

if ( $opt_prefix_openssl ) {
print "Custom prefix for OpenSSL: $opt_prefix_openssl\n";
$openssl_incpath = "$opt_prefix_openssl/include";
$openssl_libpath = "$opt_prefix_openssl/lib";
}

if ( $opt_openssl_inc ) {
print "Custom include directory for OpenSSL: $opt_openssl_inc\n";
$openssl_incpath = "$opt_openssl_inc";
}

if ( $opt_openssl_lib ) {
print "Custom library directory for OpenSSL: $opt_openssl_lib\n";
$openssl_libpath = "$opt_openssl_lib";
}

cc_include_paths "$openssl_incpath";
cc_libs "-L$openssl_libpath", "crypto";
$assert_lib_args_openssl{incpath} = "$openssl_incpath";
$assert_lib_args_openssl{libpath} = "$openssl_libpath";
}
else {
cc_libs 'crypto';
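Review bot: when only one of `--openssl-inc` / `--openssl-lib` is given, the other path stays `""`, yet `cc_include_paths "$openssl_incpath"` and `cc_libs "-L$openssl_libpath", "crypto"` are emitted unconditionally. A bare `-L` makes the linker take the next token as the directory, and `$assert_lib_args_openssl{libpath} = ""` hands Devel::CheckLib an empty search path, so the feature check fails for the wrong reason. Guard each line with `if $openssl_incpath` / `if $openssl_libpath`, falling back to the plain `cc_libs 'crypto'` branch for the half that was not set. It would also be worth a `-d $openssl_incpath or die "..."` up front, so a mistyped path is reported at `perl Makefile.PL` time rather than as a later compile or link error.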
Expand Down Expand Up @@ -156,11 +227,18 @@ CONFIGURE_FLAGS += --disable-ldns-config --disable-dane

END_CONFIGURE_FLAGS

my $openssl_make = <<END_ED25519;
my $openssl_make = <<END_OPENSSL_MAKE;

CONFIGURE_FLAGS += --with-ssl=$opt_prefix_openssl

END_ED25519
END_OPENSSL_MAKE

my $openssl_flags = <<END_OPENSSL_FLAGS;

CFLAGS += -I$opt_openssl_inc
LDFLAGS += -L$opt_openssl_lib

END_OPENSSL_FLAGS

my $ed25519_make = <<'END_ED25519';

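Review bot: `$opt_prefix_openssl`, `$opt_openssl_inc` and `$opt_openssl_lib` are interpolated into the make fragments unquoted (`--with-ssl=$opt_prefix_openssl`, `-I$opt_openssl_inc`, `-L$opt_openssl_lib`) and then travel through `$(CONFIGURE_FLAGS)`, `$(CFLAGS)` and `$(LDFLAGS)` to a shell `./configure` line, so a path containing a space, `$` or other make/shell metacharacters breaks the build in a hard-to-diagnose way. Either reject such values in Makefile.PL (die unless the path matches a conservative character set) or document the restriction next to the options. Renaming the heredoc terminator from END_ED25519 to END_OPENSSL_MAKE is a good fix; the old name was misleading.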
Expand All @@ -176,13 +254,14 @@ END_NO_ED25519

my $internal_ldns_make = <<'END_INTERNAL_LDNS';

CFLAGS += -fPIC
LDFROM += ldns/.libs/libldns.a

config :: ldns/.libs/libldns.a

ldns/.libs/libldns.a: ldns/configure
cd ldns ;\
./configure CFLAGS=-fPIC $(CONFIGURE_FLAGS) ;\
./configure CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" $(CONFIGURE_FLAGS) ;\
make lib

ldns/configure:
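Review bot: `CFLAGS="$(CFLAGS)"` now forwards whatever the generated Makefile has accumulated in CFLAGS, not just `-fPIC`, which is what lets the `-I` from `$openssl_flags` reach the bundled ldns build. A comment on the new `CFLAGS += -fPIC` line saying that `$(CFLAGS)` is handed to `./configure` below would stop the next reader from dropping it; without `-fPIC` the static `ldns/.libs/libldns.a` cannot be linked into the shared XS object. Note also that passing CFLAGS on the configure command line suppresses autoconf's default `-g -O2`, exactly as the old `CFLAGS=-fPIC` did, so ldns is still built without configure's usual optimisation flags; if that is unintended, add them explicitly.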
Expand All @@ -203,6 +282,7 @@ END_INTERNAL_LDNS
$postamble .= $openssl_make if $opt_prefix_openssl;
$postamble .= $ed25519_make if $opt_ed25519;
$postamble .= $no_ed25519_make if !$opt_ed25519;
$postamble .= $openssl_flags if ( $opt_openssl_inc or $opt_openssl_lib );
$postamble .= $internal_ldns_make;
}

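Review bot: `$openssl_flags` is appended when either `--openssl-inc` or `--openssl-lib` is set, but the fragment carries both `CFLAGS += -I$opt_openssl_inc` and `LDFLAGS += -L$opt_openssl_lib`, so with only one option given the other line expands to a bare `-I` or `-L`, which the compiler or linker then applies to whatever argument follows. Split it into one fragment per option (or two conditional `.=` lines). Second, when `--prefix-openssl` is combined with `--openssl-inc`/`--openssl-lib`, ldns `configure` receives both `--with-ssl=PREFIX` and the explicit `-I`/`-L`, and which one wins is decided by ldns rather than by this file; either document that or skip `$openssl_make` when the explicit directories are given, mirroring the override already done for the Perl build above.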
7 changes: 6 additions & 1 deletion README.md
Expand Up @@ -173,7 +173,8 @@ Randomizes the capitalization of returned domain names.
### Custom OpenSSL

Disabled by default.
Enabled with `--prefix-openssl=/path/to/openssl`.
Enabled with `--prefix-openssl=/path/to/openssl` or
`--openssl-inc=/path/to/openssl_inc` or `--openssl-lib=/path/to/openssl_lib`
Contributor:
Should it be "and" instead of "or" on line 177 (updated text) to match the statement on lines 190-191 (updated text):

> same parent directory, use `--openssl-inc` and `--openssl-lib` options to
> specify both paths.

Author:
I didn't want to restrict the usage of the options. One could use them separately. Hence the "or" on line 177. About the documentation on lines 190-191, I think the meaning is also correct. You need both options to "specify both paths", hence the "and". Are you saying that this is confusing?

Contributor:
I think the text in 189-191 says that both should be set if headers and libraries are not in the same directory.

Author:
Which is how I expect people to use such options. But again, I didn't want to restrict the usage. Line 177 is the documentation of the following line in Makefile.PL:

```perl
my $custom_openssl = ( $opt_prefix_openssl or $opt_openssl_inc or $opt_openssl_lib );
```

Contributor:
I think you say "and" above but "or" in the documentation.

You have added a lot of POD documentation into Makefile.PL, which we do not have in other repositories. The documentation overlaps with the documentation in the README.md file. Wouldn't it be better to put the documentation in one place and then refer from the other?

Author:
> which we do not have in other repositories

Looking at other repositories, I don't think we provide arguments to pass options to Makefile.PL.

> Wouldn't it be better to put the documentation in one place and then refer from the other?

I guess this would be better indeed. I'd say it would be better to have it close to the code so that you can refer to it easily without needing several files. And you can run perldoc Makefile.PL to access the documentation.

Contributor:
I think it would be fine to state "run perldoc Makefile.PL" in README.md.

Author:
I'm not sure about removing the documentation from the README. On the other hand, I think it's nice to provide POD for the Makefile.PL file. Can't we keep both sets of documentation for now?

Contributor:
If there are no conflicts between them there is at least no short-term harm. So that is OK.


Enabling this makes the build tools look for OpenSSL in a non-standard place.

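Review bot: the new sentence ending in `--openssl-lib=/path/to/openssl_lib` has no terminating period, and "or" undersells how the options combine: per Makefile.PL they can be given singly, together, or alongside `--prefix-openssl`, in which case the explicit directory overrides the one derived from the prefix. Suggest: "Enabled with `--prefix-openssl=/path/to/openssl`, or with `--openssl-inc=PATH` and/or `--openssl-lib=PATH` to point at the headers and the libraries separately."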
Expand All @@ -185,6 +186,10 @@ Technically this does two things:
> **Note:** The `lib` directory under the given path must be known to the
> dynamic linker or feature checks will fail.

If both headers and libraries directories (`include` and `lib`) are not in the
same parent directory, use `--openssl-inc` and `--openssl-lib` options to
specify both paths.


[DNS::LDNS]: http://search.cpan.org/~erikoest/DNS-LDNS/
[Docker Hub]: https://hub.docker.com/u/zonemaster
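Review bot: "If both headers and libraries directories (`include` and `lib`) are not in the same parent directory" is hard to parse; suggest "If the OpenSSL headers and libraries do not sit under a common parent directory (an `include` and a `lib` next to each other), pass `--openssl-inc` and `--openssl-lib` separately." The Note just above, that the `lib` directory must be known to the dynamic linker or feature checks will fail, applies just as much to the directory given to `--openssl-lib`, so repeat it (or move it) after the new paragraph.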
22 changes: 10 additions & 12 deletions t/rr.t
Expand Up @@ -103,8 +103,8 @@ subtest 'DNSKEY' => sub {
isa_ok( $rr, 'Zonemaster::LDNS::RR::DNSKEY' );
ok( $rr->flags == 256 or $rr->flags == 257 );
is( $rr->protocol, 3 );
# Alg 8 will replace 5. Now (December 2017) both are used.
ok( $rr->algorithm == 5 or $rr->algorithm == 8 );
# Alg 8 has replaced 5. Now (February 2022) only alg 8 is used.
ok( $rr->algorithm == 8 );
}
}
};
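Review bot: `ok( $rr->algorithm == 8 )` carries no test name and no diagnostic, so when the se. key set changes again (the comment on this line has already been rewritten once, December 2017 to February 2022) the failure is a bare `not ok`. Prefer `is( $rr->algorithm, 8, 'se. DNSKEY uses RSASHA256' )` so the expected and actual values are printed, and consider keeping the old-or-new form across a rollover window instead of dropping the previous algorithm outright, since these records come from the live zone (cf. the "No response, cannot test" skip in the DS subtest).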
Expand All @@ -122,9 +122,9 @@ subtest 'RRSIG' => sub {
is( $rr->signer, 'se.' );
is( $rr->labels, 1 );
if ( $rr->typecovered eq 'DNSKEY' ) {
# .SE KSK should not change very often. 59407 will replace 59747.
# Now (December 2017) both are used.
ok( $rr->keytag == 59747 or $rr->keytag == 59407 );
# .SE KSK should not change very often. 59407 has replaced 59747.
# Now (February 2022) only 59407 is used.
ok( $rr->keytag == 59407 );
}
}
}
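Review bot: same pattern as the DNSKEY subtest: `ok( $rr->keytag == 59407 )` should be `is( $rr->keytag, 59407, 'se. KSK keytag' )` so the next .SE KSK rollover produces a readable failure (got vs. expected) rather than a bare `not ok`. The "should not change very often" comment is fair, but it argues for collecting these live-zone constants (the se. KSK keytag and algorithm here, the nic.se DS values below) in one dated block at the top of the file so they can be refreshed together at the next rollover.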
Expand Down Expand Up @@ -172,19 +172,17 @@ subtest 'DS' => sub {
my $pd = $se->query( 'nic.se', 'DS' );
plan skip_all => 'No response, cannot test' if not $pd;

# As of February 2022, new KSK with keytag 22643 and algo 13 is used
my $nic_key = Zonemaster::LDNS::RR->new(
'nic.se IN DNSKEY 257 3 5 AwEAAdhJAx197qFpGGXuQn8XH0tQpQSfjvLKMcreRvJyO+f3F3weIHR3 6E8DObolHFp+m1YkxsgnHYjUFN4E9sKa38ZXU0oHTSsB3adExJkINA/t INDlKrzUDn4cIbyUCqHNGe0et+lHmjmfZdj62GJlHgVmxizYkoBd7Rg0 wxzEOo7CA3ZadaHuqmVJ2HvqRCoe+5NDsYpnDia7WggvLTe0vorV6kDc u6d5N9AUPwBsR7YUkbetfXMtUebux71kHCGUJdmzp84MeDi9wXYIssjR oTC5wUF2H3I2Mnj5GqdyBwQCdj5otFbRAx3jiMD+ROxXJxOFdFq7fWi1 yPqUf1jpJ+8='
'nic.se IN DNSKEY 257 3 13 lkpZSlU70pd1LHrXqZttOAYKmX046YqYQg1aQJsv1y0xKr+qJS+3Ue1tM5VCYPU3lKuzq93nz0Lm/AV9jeoumQ=='
);
my $made = Zonemaster::LDNS::RR->new_from_string( 'nic.se IN NS a.ns.se' );
foreach my $rr ( $pd->answer ) {
isa_ok( $rr, 'Zonemaster::LDNS::RR::DS' );
is( $rr->keytag, 16696 );
is( $rr->algorithm, 5 );
is( $rr->keytag, 22643 );
is( $rr->algorithm, 13 );
ok( $rr->digtype == 1 or $rr->digtype == 2 );
ok(
$rr->hexdigest eq '40079ddf8d09e7f10bb248a69b6630478a28ef969dde399f95bc3b39f8cbacd7'
or $rr->hexdigest eq 'ef5d421412a5eaf1230071affd4f585e3b2b1a60'
);
ok( $rr->hexdigest eq 'aa0b38f6755c2777992a74935d50a2a3480effef1a60bf8643d12c307465c9da' );
ok( $rr->verify( $nic_key ), 'derived from expected DNSKEY' );
ok( !$rr->verify( $made ), 'does not match a non-DS non-DNSKEY record' );
}
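Review bot: the new DS assertion checks a single 64-hex-character (SHA-256) digest, yet `ok( $rr->digtype == 1 or $rr->digtype == 2 )` still accepts digest type 1 (SHA-1); with one expected digest the two checks now disagree, and a SHA-1 DS record would pass the first and fail the second with an unhelpful message. Tighten to `is( $rr->digtype, 2 )` and use `is` for the hexdigest as well so a mismatch prints both values. Also, `$nic_key` is built with `Zonemaster::LDNS::RR->new(...)` while `$made` uses `new_from_string(...)`; unless the two constructors behave differently, use the same one for both.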