[metrics-bugs] #33476 [Internal Services/Tor Sysadmin Team]: Allow for the dnsel.torproject.org zone to be reloaded by the tordnsel user on check-01

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 27 19:46:05 UTC 2020


#33476: Allow for the dnsel.torproject.org zone to be reloaded by the tordnsel user
on check-01
-------------------------------------------------+------------------------
 Reporter:  irl                                  |          Owner:  tpa
     Type:  task                                 |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+------------------------
Changes (by anarcat):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 I reviewed the little "keys" literature I have, and it looks like a pain
 in the butt. The procedure would look something like this:

  1. `dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST test-01.torproject.org`
  2. that creates a keyfile that needs to be dropped in the bind config
 directory:
     {{{
 key "test-01.torproject.org." {
   algorithm hmac-sha512;
   secret "[CENSORED]==";
 };
 }}}
  3. then you can allow that key to issue updates for that `HOST` with a
 config like that in the `zone {}` block:
     {{{
         allow-update { key "test-01.torproject.org"; };
 }}}

 Naturally, there are a few problems here:

  1. this is for an entire zone, not a single host, so I'd need to dig into
 that `-n` option
  2. config files with secrets. would need to dig into how to convert
 trocla secrets into dnssec keys
  3. `allow-update` just allows updates to the zone, not reloads

 So that doesn't do what we want. So I'd need more research.

 Since everything is on the same host, we don't need to operate over the
 network like dnssec keys do. We can just use `sudo` to reload things, like
 this:

 {{{
 %tordnsel ALL=(tordnsel) NOPASSWD: /usr/sbin/rndc reload dnsel.torproject.org
 }}}

 So there, you have it; to reload the zone file, run this sudo command as a
 user in the `tordnsel` group and you're clear to go:

 {{{
 sudo rndc reload dnsel.torproject.org
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33476#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
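What makes the sudoers rule above narrow is that it pins the full argument list ("reload dnsel.torproject.org") to one absolute binary for one runas user; a rule that names only the binary, uses a wildcard, or grants ALL is a much larger privilege. The following is an added example, not code from the ticket or from the Tor sysadmin team: a small parser for standard one-line sudoers command rules and an audit that flags the broad patterns. The rules it checks are constructed samples except for the one quoted from the comment; the sudoers file layout and `Defaults`/alias keywords are the standard ones, and the file path is not assumed to be the real one on check-01.

```python
"""Audit sudoers command rules for least-privilege problems.

Added example, not part of the Trac ticket. It understands the common
one-line rule shape:

    user_or_%group  host=(runas[:group])  [TAG:]...  command [args]

and reports rules that grant more than one fixed command line.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # %group  ALL=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                    # (tordnsel)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                      # NOPASSWD: SETENV: ...
    r"(?P<cmd>.+?)\s*$"                                # /usr/sbin/rndc reload ...
)

# Lines that are not command rules and are skipped by the audit.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias",
                 "Host_Alias", "Runas_Alias", "@include", "#include")


@dataclass
class SudoRule:
    user: str
    host: str
    runas: str      # runas user; sudoers defaults to root when omitted
    tags: tuple
    command: str    # binary plus pinned arguments, as written


def parse_rule(line):
    """Parse one sudoers command rule; raise ValueError for anything else."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a sudoers command rule: {line!r}")
    tags = tuple(t.rstrip(":") for t in m.group("tags").split())
    return SudoRule(m.group("user"), m.group("host"),
                    m.group("runas") or "root", tags, m.group("cmd"))


def rule_findings(rule):
    """Return a list of reasons this rule is broader than a single fixed command."""
    findings = []
    words = rule.command.split()
    if rule.command.strip() == "ALL":
        findings.append("command is ALL (unrestricted)")
    else:
        if not words[0].startswith("/"):
            findings.append("command is not an absolute path")
        if any(c in rule.command for c in "*?[]"):
            findings.append("command contains wildcards")
        # In sudoers a bare binary accepts ANY arguments; pinning them
        # (or writing "" to forbid arguments) is what narrows the grant.
        if len(words) == 1:
            findings.append("no arguments pinned: any arguments accepted")
    if rule.runas.split(":")[0] == "ALL":
        findings.append("runas is ALL (any user)")
    if "NOPASSWD" in rule.tags and findings:
        findings.append("NOPASSWD combined with a broad rule")
    return findings


def audit_sudoers(text):
    """Return [(line, findings)] for every command rule that has findings."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        try:
            rule = parse_rule(line)
        except ValueError:
            continue
        findings = rule_findings(rule)
        if findings:
            flagged.append((line, findings))
    return flagged


# Constructed sample file: the first rule is the one from the ticket comment,
# the second is a deliberately broad rule for contrast.
SAMPLE_SUDOERS = """\
# constructed sample, not the real file on check-01
Defaults env_reset
%tordnsel ALL=(tordnsel) NOPASSWD: /usr/sbin/rndc reload dnsel.torproject.org
%ops ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for line, findings in audit_sudoers(SAMPLE_SUDOERS):
        print(line)
        for f in findings:
            print("   -", f)
```

Run it on a real drop-in (for example by reading a file under /etc/sudoers.d/ into `audit_sudoers`) after `visudo -c` has confirmed the syntax; the parser deliberately skips `Defaults` and alias lines rather than guessing at them.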
