diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index 8026442c7..622283ad8 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -1,8 +1,36 @@
 -- Autogenerated by VyOS (service_dns_forwarding.py) --
 -- Do not edit, your changes will get overwritten --
 
 -- Load DNSSEC root keys from dns-root-data package.
 dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
 
 -- Load lua from vyos-hostsd --
 dofile("{{ config_dir }}/recursor.vyos-hostsd.conf.lua")
+
+-- ZoneToCache --
+{% if zone_cache is vyos_defined %}
+{% set option_mapping = {
+ 'refresh': 'refreshPeriod',
+ 'retry_interval': 'retryOnErrorPeriod',
+ 'max_zone_size': 'maxReceivedMBytes'
+} %}
+{% for name, conf in zone_cache.items() %}
+{% set source = conf.source.items() | first %}
+{% set settings = [] %}
+{% for key, val in conf.options.items() %}
+{% set mapped_key = option_mapping.get(key, key) %}
+{% if key == 'refresh' %}
+{% set val = val['interval'] %}
+{% endif %}
+{% if key in ['dnssec', 'zonemd'] %}
+{% set _ = settings.append(mapped_key ~ ' = "' ~ val ~ '"') %}
+{% else %}
+{% set _ = settings.append(mapped_key ~ ' = ' ~ val) %}
+{% endif %}
+{% endfor %}
+
+zoneToCache("{{ name }}", "{{ source[0] }}", "{{ source[1] }}", { {{ settings | join(', ') }} })
+
+{% endfor %}
+
+{% endif %}
diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 5667028b7..d0bc2e6c8 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
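Review bot: `zoneToCache("{{ name }}", "{{ source[0] }}", "{{ source[1] }}", …)` splices the zone name and the AXFR address or URL into Lua string literals with no escaping, so any value containing `"` or `\` would terminate the literal and the remainder is parsed as Lua by the recursor at load time; the fqdn and ip-address validators presumably exclude those characters, but the `url` validator may well accept a quote in a path or query component, so either escape these values in the template or have the config script reject them. Separately, `refresh on-reload` is never consulted here — `{% set val = val['interval'] %}` always emits the interval (which has a default), so unless service_dns_forwarding.py, not part of this diff, rewrites the interval to 0 when `on-reload` is set, that CLI option silently has no effect; if I recall the PowerDNS ZoneToCache semantics correctly, `refreshPeriod = 0` is the value that restricts loading to startup/reload. The `source` dict is reduced with `| first`, so if both `axfr` and `url` are configured one of them is dropped without any message; that also belongs in the script's verify step.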
@@ -1,802 +1,975 @@ <?xml version="1.0"?> <!-- DNS forwarder configuration --> <interfaceDefinition> <node name="service"> <children> <node name="dns"> <properties> <help>Domain Name System (DNS) related services</help> </properties> <children> <node name="forwarding" owner="${vyos_conf_scripts_dir}/service_dns_forwarding.py"> <properties> <help>DNS forwarding</help> <priority>918</priority> </properties> <children> <leafNode name="cache-size"> <properties> <help>DNS forwarding cache size</help> <valueHelp> <format>u32:0-2147483647</format> <description>DNS forwarding cache size</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-2147483647"/> </constraint> </properties> <defaultValue>10000</defaultValue> </leafNode> <leafNode name="dhcp"> <properties> <help>Interfaces whose DHCP client nameservers to forward requests to</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> <multi/> </properties> </leafNode> <leafNode name="dns64-prefix"> <properties> <help>Help to communicate between IPv6-only client and IPv4-only server</help> <valueHelp> <format>ipv6net</format> <description>IPv6 address and /96 only prefix length</description> </valueHelp> <constraint> <validator name="ipv6-prefix"/> </constraint> </properties> </leafNode> <leafNode name="dnssec"> <properties> <help>DNSSEC mode</help> <completionHelp> <list>off process-no-validate process log-fail validate</list> </completionHelp> <valueHelp> <format>off</format> <description>No DNSSEC processing whatsoever!</description> </valueHelp> <valueHelp> <format>process-no-validate</format> <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description> </valueHelp> <valueHelp> <format>process</format> <description>Respond with DNSSEC records to clients that ask for it. 
Validation for clients that request it.</description> </valueHelp> <valueHelp> <format>log-fail</format> <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description> </valueHelp> <valueHelp> <format>validate</format> <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description> </valueHelp> <constraint> <regex>(off|process-no-validate|process|log-fail|validate)</regex> </constraint> </properties> <defaultValue>process-no-validate</defaultValue> </leafNode> <tagNode name="domain"> <properties> <help>Domain to forward to a custom DNS server</help> <valueHelp> <format>txt</format> <description>An absolute DNS domain name</description> </valueHelp> <constraint> <validator name="fqdn"/> </constraint> </properties> <children> #include <include/name-server-ipv4-ipv6-port.xml.i> <leafNode name="addnta"> <properties> <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help> <valueless/> </properties> </leafNode> <leafNode name="recursion-desired"> <properties> <help>Set the "recursion desired" bit in requests to the upstream nameserver</help> <valueless/> </properties> </leafNode> </children> </tagNode> <tagNode name="authoritative-domain"> <properties> <help>Domain to host authoritative records for</help> <valueHelp> <format>txt</format> <description>An absolute DNS domain name</description> </valueHelp> <constraint> <regex>((?!-)[-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex> </constraint> </properties> <children> <node name="records"> <properties> <help>DNS zone records</help> </properties> <children> <tagNode name="a"> <properties> <help>A record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <valueHelp> <format>any</format> <description>Wildcard record (any 
subdomain)</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="address"> <properties> <help>IPv4 address</help> <valueHelp> <format>ipv4</format> <description>IPv4 address</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> </constraint> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="aaaa"> <properties> <help>AAAA record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <valueHelp> <format>any</format> <description>Wildcard record (any subdomain)</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="address"> <properties> <help>IPv6 address</help> <valueHelp> <format>ipv6</format> <description>IPv6 address</description> </valueHelp> <multi/> <constraint> <validator name="ipv6-address"/> </constraint> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="cname"> <properties> <help>CNAME record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="target"> <properties> <help>Target DNS name</help> <valueHelp> <format>name.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> 
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="mx"> <properties> <help>MX record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <tagNode name="server"> <properties> <help>Mail server</help> <valueHelp> <format>name.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="priority"> <properties> <help>Server priority</help> <valueHelp> <format>u32:1-999</format> <description>Server priority (lower numbers are higher priority)</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999"/> </constraint> </properties> <defaultValue>10</defaultValue> </leafNode> </children> </tagNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="ns"> <properties> <help>NS record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="target"> <properties> <help>Target DNS server authoritative for subdomain</help> <valueHelp> <format>nsXX.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> <multi/> </properties> </leafNode> #include 
<include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="ptr"> <properties> <help>PTR record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="target"> <properties> <help>Target DNS name</help> <valueHelp> <format>name.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="txt"> <properties> <help>TXT record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <leafNode name="value"> <properties> <help>Record contents</help> <valueHelp> <format>txt</format> <description>Record contents</description> </valueHelp> <multi/> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="spf"> <properties> <help>SPF record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> 
</constraint> </properties> <children> <leafNode name="value"> <properties> <help>Record contents</help> <valueHelp> <format>txt</format> <description>Record contents</description> </valueHelp> </properties> </leafNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="srv"> <properties> <help>SRV record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <tagNode name="entry"> <properties> <help>Service entry</help> <valueHelp> <format>u32:0-65535</format> <description>Entry number</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <children> <leafNode name="hostname"> <properties> <help>Server hostname</help> <valueHelp> <format>name.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> <leafNode name="port"> <properties> <help>Port number</help> <valueHelp> <format>u32:0-65535</format> <description>TCP/UDP port number</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65536"/> </constraint> </properties> </leafNode> <leafNode name="priority"> <properties> <help>Entry priority</help> <valueHelp> <format>u32:0-65535</format> <description>Entry priority (lower numbers are higher priority)</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <defaultValue>10</defaultValue> </leafNode> <leafNode name="weight"> <properties> <help>Entry weight</help> <valueHelp> <format>u32:0-65535</format> 
<description>Entry weight</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <defaultValue>0</defaultValue> </leafNode> </children> </tagNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> <tagNode name="naptr"> <properties> <help>NAPTR record</help> <valueHelp> <format>txt</format> <description>A DNS name relative to the root record</description> </valueHelp> <valueHelp> <format>@</format> <description>Root record</description> </valueHelp> <constraint> <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> <tagNode name="rule"> <properties> <help>NAPTR rule</help> <valueHelp> <format>u32:0-65535</format> <description>Rule number</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <children> <leafNode name="order"> <properties> <help>Rule order</help> <valueHelp> <format>u32:0-65535</format> <description>Rule order (lower order is evaluated first)</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> </leafNode> <leafNode name="preference"> <properties> <help>Rule preference</help> <valueHelp> <format>u32:0-65535</format> <description>Rule preference</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <defaultValue>0</defaultValue> </leafNode> <leafNode name="lookup-srv"> <properties> <help>S flag</help> <valueless/> </properties> </leafNode> <leafNode name="lookup-a"> <properties> <help>A flag</help> <valueless/> </properties> </leafNode> <leafNode name="resolve-uri"> <properties> <help>U flag</help> <valueless/> </properties> </leafNode> <leafNode name="protocol-specific"> <properties> <help>P flag</help> <valueless/> 
</properties> </leafNode> <leafNode name="service"> <properties> <help>Service type</help> <constraint> <regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex> </constraint> </properties> </leafNode> <leafNode name="regexp"> <properties> <help>Regular expression</help> </properties> </leafNode> <leafNode name="replacement"> <properties> <help>Replacement DNS name</help> <valueHelp> <format>name.example.com</format> <description>Absolute DNS name</description> </valueHelp> <constraint> <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> </children> </tagNode> #include <include/dns/time-to-live.xml.i> <leafNode name="ttl"> <defaultValue>300</defaultValue> </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> </children> </node> #include <include/generic-disable-node.xml.i> </children> </tagNode> <leafNode name="ignore-hosts-file"> <properties> <help>Do not use local /etc/hosts file in name resolution</help> <valueless/> </properties> </leafNode> <leafNode name="no-serve-rfc1918"> <properties> <help>Makes the server authoritatively not aware of RFC1918 addresses</help> <valueless/> </properties> </leafNode> <leafNode name="allow-from"> <properties> <help>Networks allowed to query this server</help> <valueHelp> <format>ipv4net</format> <description>IP address and prefix length</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 address and prefix length</description> </valueHelp> <multi/> <constraint> <validator name="ip-prefix"/> </constraint> </properties> </leafNode> #include <include/listen-address.xml.i> #include <include/port-number.xml.i> <leafNode name="port"> <defaultValue>53</defaultValue> </leafNode> <leafNode name="negative-ttl"> <properties> <help>Maximum amount of time negative entries are cached</help> <valueHelp> <format>u32:0-7200</format> <description>Seconds to cache NXDOMAIN entries</description> </valueHelp> <constraint> <validator name="numeric" 
argument="--range 0-7200"/> </constraint> </properties> <defaultValue>3600</defaultValue> </leafNode> <leafNode name="serve-stale-extension"> <properties> <help>Number of times the expired TTL of a record is extended by 30 seconds when serving stale</help> <valueHelp> <format>u32:0-65535</format> <description>Number of times to extend the TTL</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-65535"/> </constraint> </properties> <defaultValue>0</defaultValue> </leafNode> <leafNode name="timeout"> <properties> <help>Number of milliseconds to wait for a remote authoritative server to respond</help> <valueHelp> <format>u32:10-60000</format> <description>Network timeout in milliseconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 10-60000"/> </constraint> </properties> <defaultValue>1500</defaultValue> </leafNode> #include <include/name-server-ipv4-ipv6-port.xml.i> #include <include/source-address-ipv4-ipv6-multi.xml.i> <leafNode name="source-address"> <defaultValue>0.0.0.0 ::</defaultValue> </leafNode> <leafNode name="system"> <properties> <help>Use system name servers</help> <valueless/> </properties> </leafNode> <leafNode name="exclude-throttle-address"> <properties> <help>IP address or subnet</help> <valueHelp> <format>ipv4</format> <description>IPv4 address to match</description> </valueHelp> <valueHelp> <format>ipv4net</format> <description>IPv4 prefix to match</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 address</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 address</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> <validator name="ipv4-prefix"/> <validator name="ipv6-address"/> <validator name="ipv6-prefix"/> </constraint> </properties> </leafNode> <node name="options"> <properties> <help>DNS server options</help> </properties> <children> <leafNode name="ecs-add-for"> <properties> 
<help>Client netmask for which EDNS Client Subnet will be added</help> <valueHelp> <format>ipv4net</format> <description>IPv4 prefix to match</description> </valueHelp> <valueHelp> <format>!ipv4net</format> <description>Match everything except the specified IPv4 prefix</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 prefix to match</description> </valueHelp> <valueHelp> <format>!ipv6net</format> <description>Match everything except the specified IPv6 prefix</description> </valueHelp> <constraint> <validator name="ipv4-prefix"/> <validator name="ipv4-prefix-exclude"/> <validator name="ipv6-prefix"/> <validator name="ipv6-prefix-exclude"/> </constraint> <multi/> </properties> </leafNode> <leafNode name="ecs-ipv4-bits"> <properties> <help>Number of bits of IPv4 address to pass for EDNS Client Subnet</help> <valueHelp> <format>u32:0-32</format> <description>Number of bits of IPv4 address</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-32"/> </constraint> </properties> </leafNode> <leafNode name="edns-subnet-allow-list"> <properties> <help>Netmask or domain that we should enable EDNS subnet for</help> <valueHelp> <format>txt</format> <description>Netmask or domain</description> </valueHelp> <multi/> </properties> </leafNode> </children> </node> + <tagNode name="zone-cache"> + <properties> + <help>Load a zone into the recursor cache</help> + <valueHelp> + <format>txt</format> + <description>Domain name</description> + </valueHelp> + <constraint> + <validator name="fqdn"/> + </constraint> + </properties> + <children> + <node name="source"> + <properties> + <help>Zone source</help> + </properties> + <children> + <leafNode name="axfr"> + <properties> + <help>DNS server address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address</description> + </valueHelp> + <constraint> + <validator 
name="ip-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="url"> + <properties> + <help>Source URL</help> + <valueHelp> + <format>url</format> + <description>Zone file URL</description> + </valueHelp> + <constraint> + <validator name="url" argument="--scheme http --scheme https"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="options"> + <properties> + <help>Zone caching options</help> + </properties> + <children> + <leafNode name="timeout"> + <properties> + <help>Zone retrieval timeout</help> + <valueHelp> + <format>u32:1-3600</format> + <description>Request timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-3600"/> + </constraint> + </properties> + <defaultValue>20</defaultValue> + </leafNode> + <node name="refresh"> + <properties> + <help>Zone caching options</help> + </properties> + <children> + <leafNode name="on-reload"> + <properties> + <help>Retrieval zone only at startup and on reload</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="interval"> + <properties> + <help>Periodic zone retrieval interval</help> + <valueHelp> + <format>u32:0-31536000</format> + <description>Retrieval interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-31536000"/> + </constraint> + </properties> + <defaultValue>86400</defaultValue> + </leafNode> + </children> + </node> + <leafNode name="retry-interval"> + <properties> + <help>Retry interval after zone retrieval errors</help> + <valueHelp> + <format>u32:1-86400</format> + <description>Retry period in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-86400"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="max-zone-size"> + <properties> + <help>Maximum zone size in megabytes</help> + <valueHelp> + <format>u32:0</format> + 
<description>No restriction</description> + </valueHelp> + <valueHelp> + <format>u32:1-1024</format> + <description>Size in megabytes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-1024"/> + </constraint> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + <leafNode name="zonemd"> + <properties> + <help>Message Digest for DNS Zones (RFC 8976)</help> + <completionHelp> + <list>ignore validate require</list> + </completionHelp> + <valueHelp> + <format>ignore</format> + <description>Ignore ZONEMD records</description> + </valueHelp> + <valueHelp> + <format>validate</format> + <description>Validate ZONEMD if present</description> + </valueHelp> + <valueHelp> + <format>require</format> + <description>Require valid ZONEMD record to be present</description> + </valueHelp> + <constraint> + <regex>(ignore|validate|require)</regex> + </constraint> + </properties> + <defaultValue>validate</defaultValue> + </leafNode> + <leafNode name="dnssec"> + <properties> + <help>DNSSEC mode</help> + <completionHelp> + <list>ignore validate require</list> + </completionHelp> + <valueHelp> + <format>ignore</format> + <description>Do not do DNSSEC validation</description> + </valueHelp> + <valueHelp> + <format>validate</format> + <description>Reject zones with incorrect signatures but accept unsigned zones</description> + </valueHelp> + <valueHelp> + <format>require</format> + <description>Require DNSSEC validation</description> + </valueHelp> + <constraint> + <regex>(ignore|validate|require)</regex> + </constraint> + </properties> + <defaultValue>validate</defaultValue> + </leafNode> + </children> + </node> + </children> + </tagNode> </children> </node> </children> </node> </children> </node> </interfaceDefinition> diff --git a/python/vyos/utils/convert.py b/python/vyos/utils/convert.py index 41e65081f..dd4266f57 100644 --- a/python/vyos/utils/convert.py +++ b/python/vyos/utils/convert.py 
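Review bot: The `url` source accepts `--scheme http`, while the `dnssec` and `zonemd` defaults are both `validate`, which by their own help text accept an unsigned zone and a zone with no ZONEMD record; in that combination a zone fetched over plaintext HTTP is loaded straight into the recursor cache with no integrity check, so an on-path attacker can plant arbitrary records for that zone. Consider a caveat in the `url` help text such as `Plaintext http sources should be combined with zonemd require or dnssec require`, or have the config script refuse `http` unless one of the two options is `require`. `axfr` and `url` are sibling leaves under `source` with nothing preventing both from being set, so the script should reject that combination as well (not visible in this diff). Minor wording: the `refresh` node reuses the parent's help `Zone caching options`, and `on-reload` reads `Retrieval zone only at startup and on reload`; suggest `Zone refresh options` and `Retrieve the zone only at startup and on reload`.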
@@ -1,205 +1,237 @@ # Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see <http://www.gnu.org/licenses/>. +import re + +# Define the number of seconds in each time unit +time_units = { + 'y': 60 * 60 * 24 * 365.25, # year + 'w': 60 * 60 * 24 * 7, # week + 'd': 60 * 60 * 24, # day + 'h': 60 * 60, # hour + 'm': 60, # minute + 's': 1 # second +} + + +def human_to_seconds(time_str): + """ Converts a human-readable interval such as 1w4d18h35m59s + to number of seconds + """ + + time_patterns = { + 'y': r'(\d+)\s*y', + 'w': r'(\d+)\s*w', + 'd': r'(\d+)\s*d', + 'h': r'(\d+)\s*h', + 'm': r'(\d+)\s*m', + 's': r'(\d+)\s*s' + } + + total_seconds = 0 + + for unit, pattern in time_patterns.items(): + match = re.search(pattern, time_str) + if match: + value = int(match.group(1)) + total_seconds += value * time_units[unit] + + return int(total_seconds) + def seconds_to_human(s, separator=""): """ Converts number of seconds passed to a human-readable interval such as 1w4d18h35m59s """ s = int(s) - - year = 60 * 60 * 24 * 365.25 - week = 60 * 60 * 24 * 7 - day = 60 * 60 * 24 - hour = 60 * 60 - result = [] - years = s // year + years = s // time_units['y'] if years > 0: result.append(f'{int(years)}y') - s = int(s % year) + s = int(s % time_units['y']) - weeks = s // week + weeks = s // time_units['w'] if weeks > 0: result.append(f'{weeks}w') - s 
= s % week + s = s % time_units['w'] - days = s // day + days = s // time_units['d'] if days > 0: result.append(f'{days}d') - s = s % day + s = s % time_units['d'] - hours = s // hour + hours = s // time_units['h'] if hours > 0: result.append(f'{hours}h') - s = s % hour + s = s % time_units['h'] - minutes = s // 60 + minutes = s // time_units['m'] if minutes > 0: result.append(f'{minutes}m') s = s % 60 seconds = s if seconds > 0: result.append(f'{seconds}s') return separator.join(result) + def bytes_to_human(bytes, initial_exponent=0, precision=2, int_below_exponent=0): """ Converts a value in bytes to a human-readable size string like 640 KB The initial_exponent parameter is the exponent of 2, e.g. 10 (1024) for kilobytes, 20 (1024 * 1024) for megabytes. """ if bytes == 0: return "0 B" from math import log2 bytes = bytes * (2**initial_exponent) # log2 is a float, while range checking requires an int exponent = int(log2(bytes)) if exponent < int_below_exponent: precision = 0 if exponent < 10: value = bytes suffix = "B" elif exponent in range(10, 20): value = bytes / 1024 suffix = "KB" elif exponent in range(20, 30): value = bytes / 1024**2 suffix = "MB" elif exponent in range(30, 40): value = bytes / 1024**3 suffix = "GB" else: value = bytes / 1024**4 suffix = "TB" # Add a new case when the first machine with petabyte RAM # hits the market. 
size_string = "{0:.{1}f} {2}".format(value, precision, suffix) return size_string def human_to_bytes(value): """ Converts a data amount with a unit suffix to bytes, like 2K to 2048 """ from re import match as re_match res = re_match(r'^\s*(\d+(?:\.\d+)?)\s*([a-zA-Z]+)\s*$', value) if not res: raise ValueError(f"'{value}' is not a valid data amount") else: amount = float(res.group(1)) unit = res.group(2).lower() if unit == 'b': res = amount elif (unit == 'k') or (unit == 'kb'): res = amount * 1024 elif (unit == 'm') or (unit == 'mb'): res = amount * 1024**2 elif (unit == 'g') or (unit == 'gb'): res = amount * 1024**3 elif (unit == 't') or (unit == 'tb'): res = amount * 1024**4 else: raise ValueError(f"Unsupported data unit '{unit}'") # There cannot be fractional bytes, so we convert them to integer. # However, truncating causes problems with conversion back to human unit, # so we round instead -- that seems to work well enough. return round(res) def mac_to_eui64(mac, prefix=None): """ Convert a MAC address to a EUI64 address or, with prefix provided, a full IPv6 address. Thankfully copied from https://gist.github.com/wido/f5e32576bb57b5cc6f934e177a37a0d3 """ import re from ipaddress import ip_network # http://tools.ietf.org/html/rfc4291#section-2.5.1 eui64 = re.sub(r'[.:-]', '', mac).lower() eui64 = eui64[0:6] + 'fffe' + eui64[6:] eui64 = hex(int(eui64[0:2], 16) ^ 2)[2:].zfill(2) + eui64[2:] if prefix is None: return ':'.join(re.findall(r'.{4}', eui64)) else: try: net = ip_network(prefix, strict=False) euil = int('0x{0}'.format(eui64), 16) return str(net[euil]) except: # pylint: disable=bare-except return def convert_data(data) -> dict | list | tuple | str | int | float | bool | None: """Filter and convert multiple types of data to types usable in CLI/API WARNING: Must not be used for anything except formatting output for API or CLI On the output allowed everything supported in JSON. 
Args: data (Any): input data Returns: dict | list | tuple | str | int | float | bool | None: converted data """ from base64 import b64encode # return original data for types which do not require conversion if isinstance(data, str | int | float | bool | None): return data if isinstance(data, list): list_tmp = [] for item in data: list_tmp.append(convert_data(item)) return list_tmp if isinstance(data, tuple): list_tmp = list(data) tuple_tmp = tuple(convert_data(list_tmp)) return tuple_tmp if isinstance(data, bytes | bytearray): try: return data.decode() except UnicodeDecodeError: return b64encode(data).decode() if isinstance(data, set | frozenset): list_tmp = convert_data(list(data)) return list_tmp if isinstance(data, dict): dict_tmp = {} for key, value in data.items(): dict_tmp[key] = convert_data(value) return dict_tmp # do not return anything for other types # which cannot be converted to JSON # for example: complex | range | memoryview return diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py index 4db1d7495..9a3f4933e 100755 --- a/smoketest/scripts/cli/test_service_dns_forwarding.py +++ b/smoketest/scripts/cli/test_service_dns_forwarding.py 
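Review bot: `human_to_seconds` silently returns 0 for any input none of its patterns match — a bare `"86400"`, an unknown unit, or an empty string — whereas `human_to_bytes` in the same module raises `ValueError` for malformed input; a caller feeding a numeric interval straight from the CLI would therefore get a zero period rather than an error. I would accept a bare integer as seconds, validate the overall shape before accumulating, and raise on anything else, keeping the per-unit loop as written; note also that the year factor 365.25 produces a fractional total that `int()` truncates, which is worth a comment. In `seconds_to_human`, the minutes branch still uses the literal `s = s % 60` while its neighbours were switched to `time_units[...]`; `s = s % time_units['m']` keeps the refactor consistent.
```python
def human_to_seconds(time_str):
    """ Converts a human-readable interval such as 1w4d18h35m59s
    to number of seconds; a bare integer is taken as seconds already.
    Raises ValueError for anything that is not an interval.
    """
    time_str = str(time_str).strip()
    if time_str.isdigit():
        return int(time_str)
    if not re.fullmatch(r'(\d+\s*[ywdhms]\s*)+', time_str):
        raise ValueError(f"'{time_str}' is not a valid time interval")
    # … unchanged: time_patterns table and per-unit accumulation loop …
```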
@@ -1,305 +1,344 @@ #!/usr/bin/env python3 # # Copyright (C) 2019-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import re import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.template import bracketize_ipv6 from vyos.utils.file import read_file from vyos.utils.process import process_named_running PDNS_REC_RUN_DIR = '/run/pdns-recursor' CONFIG_FILE = f'{PDNS_REC_RUN_DIR}/recursor.conf' +PDNS_REC_LUA_CONF_FILE = f'{PDNS_REC_RUN_DIR}/recursor.conf.lua' FORWARD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.forward-zones.conf' HOSTSD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.vyos-hostsd.conf.lua' PROCESS_NAME= 'pdns_recursor' base_path = ['service', 'dns', 'forwarding'] allow_from = ['192.0.2.0/24', '2001:db8::/32'] listen_adress = ['127.0.0.1', '::1'] def get_config_value(key, file=CONFIG_FILE): tmp = read_file(file) tmp = re.findall(r'\n{}=+(.*)'.format(key), tmp) return tmp[0] class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): super(TestServicePowerDNS, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) cls.cli_delete(cls, base_path) def tearDown(self): # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) # Delete DNS forwarding configuration self.cli_delete(base_path) self.cli_commit() # Check for running process 
self.assertFalse(process_named_running(PROCESS_NAME)) def setUp(self): # forward to base class super().setUp() for network in allow_from: self.cli_set(base_path + ['allow-from', network]) for address in listen_adress: self.cli_set(base_path + ['listen-address', address]) def test_basic_forwarding(self): # Check basic DNS forwarding settings cache_size = '20' negative_ttl = '120' # remove code from setUp() as in this test-case we validate the proper # handling of assertions when specific CLI nodes are missing self.cli_delete(base_path) self.cli_set(base_path + ['cache-size', cache_size]) self.cli_set(base_path + ['negative-ttl', negative_ttl]) # check validate() - allow from must be defined with self.assertRaises(ConfigSessionError): self.cli_commit() for network in allow_from: self.cli_set(base_path + ['allow-from', network]) # check validate() - listen-address must be defined with self.assertRaises(ConfigSessionError): self.cli_commit() for address in listen_adress: self.cli_set(base_path + ['listen-address', address]) # configure DNSSEC self.cli_set(base_path + ['dnssec', 'validate']) # Do not use local /etc/hosts file in name resolution self.cli_set(base_path + ['ignore-hosts-file']) # commit changes self.cli_commit() # Check configured cache-size tmp = get_config_value('max-cache-entries') self.assertEqual(tmp, cache_size) # Networks allowed to query this server tmp = get_config_value('allow-from') self.assertEqual(tmp, ','.join(allow_from)) # Addresses to listen for DNS queries tmp = get_config_value('local-address') self.assertEqual(tmp, ','.join(listen_adress)) # Maximum amount of time negative entries are cached tmp = get_config_value('max-negative-ttl') self.assertEqual(tmp, negative_ttl) # Do not use local /etc/hosts file in name resolution tmp = get_config_value('export-etc-hosts') self.assertEqual(tmp, 'no') # RFC1918 addresses are looked up by default tmp = get_config_value('serve-rfc1918') self.assertEqual(tmp, 'yes') # verify default port 
configuration tmp = get_config_value('local-port') self.assertEqual(tmp, '53') def test_dnssec(self): # DNSSEC option testing options = ['off', 'process-no-validate', 'process', 'log-fail', 'validate'] for option in options: self.cli_set(base_path + ['dnssec', option]) # commit changes self.cli_commit() tmp = get_config_value('dnssec') self.assertEqual(tmp, option) def test_external_nameserver(self): # Externe Domain Name Servers (DNS) addresses nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for h,p in nameservers.items(): if 'port' in p: self.cli_set(base_path + ['name-server', h, 'port', p['port']]) else: self.cli_set(base_path + ['name-server', h]) # commit changes self.cli_commit() tmp = get_config_value(r'\+.', file=FORWARD_FILE) canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) for (h, p) in nameservers.items()] self.assertEqual(tmp, ', '.join(canonical_entries)) # Do not use local /etc/hosts file in name resolution # default: yes tmp = get_config_value('export-etc-hosts') self.assertEqual(tmp, 'yes') def test_domain_forwarding(self): domains = ['vyos.io', 'vyos.net', 'vyos.com'] nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for domain in domains: for h,p in nameservers.items(): if 'port' in p: self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']]) else: self.cli_set(base_path + ['domain', domain, 'name-server', h]) # Test 'recursion-desired' flag for only one domain if domain == domains[0]: self.cli_set(base_path + ['domain', domain, 'recursion-desired']) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: self.cli_set(base_path + ['domain', domain, 'addnta']) # commit changes self.cli_commit() # Test configured name-servers hosts_conf = read_file(HOSTSD_FILE) for domain in domains: # Test 'recursion-desired' flag for the first domain only if domain == 
domains[0]: key =f'\+{domain}' else: key =f'{domain}' tmp = get_config_value(key, file=FORWARD_FILE) canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) for (h, p) in nameservers.items()] self.assertEqual(tmp, ', '.join(canonical_entries)) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: self.assertIn(f'addNTA("{domain}", "static")', hosts_conf) def test_no_rfc1918_forwarding(self): self.cli_set(base_path + ['no-serve-rfc1918']) # commit changes self.cli_commit() # verify configuration tmp = get_config_value('serve-rfc1918') self.assertEqual(tmp, 'no') def test_dns64(self): dns_prefix = '64:ff9b::/96' # Check dns64-prefix - must be prefix /96 self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64']) with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(base_path + ['dns64-prefix', dns_prefix]) # commit changes self.cli_commit() # verify dns64-prefix configuration tmp = get_config_value('dns64-prefix') self.assertEqual(tmp, dns_prefix) def test_exclude_throttle_adress(self): exclude_throttle_adress_examples = [ '192.168.128.255', '10.0.0.0/25', '2001:db8:85a3:8d3:1319:8a2e:370:7348', '64:ff9b::/96' ] for exclude_throttle_adress in exclude_throttle_adress_examples: self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress]) # commit changes self.cli_commit() # verify dont-throttle-netmasks configuration tmp = get_config_value('dont-throttle-netmasks') self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples)) def test_serve_stale_extension(self): server_stale = '20' self.cli_set(base_path + ['serve-stale-extension', server_stale]) # commit changes self.cli_commit() # verify configuration tmp = get_config_value('serve-stale-extensions') self.assertEqual(tmp, server_stale) def test_listening_port(self): # We can listen on a different port compared to '53' but only one at a time for port in ['10053', '10054']: 
self.cli_set(base_path + ['port', port]) # commit changes self.cli_commit() # verify local-port configuration tmp = get_config_value('local-port') self.assertEqual(tmp, port) def test_ecs_add_for(self): options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10'] for param in options: self.cli_set(base_path + ['options', 'ecs-add-for', param]) # commit changes self.cli_commit() # verify ecs_add_for configuration tmp = get_config_value('ecs-add-for') self.assertEqual(tmp, ','.join(options)) def test_ecs_ipv4_bits(self): option_value = '24' self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value]) # commit changes self.cli_commit() # verify ecs_ipv4_bits configuration tmp = get_config_value('ecs-ipv4-bits') self.assertEqual(tmp, option_value) def test_edns_subnet_allow_list(self): options = ['192.0.2.1/32', 'example.com', 'fe80::/10'] for param in options: self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param]) # commit changes self.cli_commit() # verify edns_subnet_allow_list configuration tmp = get_config_value('edns-subnet-allow-list') self.assertEqual(tmp, ','.join(options)) def test_multiple_ns_records(self): test_zone = 'example.com' self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns1.{test_zone}']) self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns2.{test_zone}']) self.cli_commit() zone_config = read_file(f'{PDNS_REC_RUN_DIR}/zone.{test_zone}.conf') self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns1\.{test_zone}\.') self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns2\.{test_zone}\.') + def test_zone_cache_url(self): + self.cli_set(base_path + ['zone-cache', 'smoketest', 'source', 'url', 'https://www.internic.net/domain/root.zone']) + self.cli_commit() + + lua_config = read_file(PDNS_REC_LUA_CONF_FILE) + self.assertIn('zoneToCache("smoketest", "url", "https://www.internic.net/domain/root.zone", { dnssec = "validate", zonemd = 
"validate", maxReceivedMBytes = 0, retryOnErrorPeriod = 60, refreshPeriod = 86400, timeout = 20 })', lua_config) + + def test_zone_cache_axfr(self): + + self.cli_set(base_path + ['zone-cache', 'smoketest', 'source', 'axfr', '127.0.0.1']) + self.cli_commit() + + lua_config = read_file(PDNS_REC_LUA_CONF_FILE) + self.assertIn('zoneToCache("smoketest", "axfr", "127.0.0.1", { dnssec = "validate", zonemd = "validate", maxReceivedMBytes = 0, retryOnErrorPeriod = 60, refreshPeriod = 86400, timeout = 20 })', lua_config) + + def test_zone_cache_options(self): + self.cli_set(base_path + ['zone-cache', 'smoketest', 'source', 'url', 'https://www.internic.net/domain/root.zone']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'dnssec', 'ignore']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'max-zone-size', '100']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'refresh', 'interval', '10']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'retry-interval', '90']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'timeout', '50']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'options', 'zonemd', 'require']) + self.cli_commit() + + lua_config = read_file(PDNS_REC_LUA_CONF_FILE) + self.assertIn('zoneToCache("smoketest", "url", "https://www.internic.net/domain/root.zone", { dnssec = "ignore", maxReceivedMBytes = 100, refreshPeriod = 10, retryOnErrorPeriod = 90, timeout = 50, zonemd = "require" })', lua_config) + + def test_zone_cache_wrong_source(self): + self.cli_set(base_path + ['zone-cache', 'smoketest', 'source', 'url', 'https://www.internic.net/domain/root.zone']) + self.cli_set(base_path + ['zone-cache', 'smoketest', 'source', 'axfr', '127.0.0.1']) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + # correct config to correct finish the test + self.cli_delete(base_path + ['zone-cache', 'smoketest', 'source', 'axfr']) + self.cli_commit() + if __name__ == 
'__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py index 70686534f..e3bdbc9f8 100755 --- a/src/conf_mode/service_dns_forwarding.py +++ b/src/conf_mode/service_dns_forwarding.py 
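Review bot: The new `test_zone_cache_url` and `test_zone_cache_options` cases commit a zone-cache whose source is the live `https://www.internic.net/domain/root.zone`, so every smoketest run makes pdns-recursor reach out to a public host during `reload-or-restart`; the assertions only inspect the rendered `recursor.conf.lua`, so no real endpoint is needed. Consider a documentation-range or unreachable URL (e.g. `https://zone.example.com/root.zone`) and a comment such as `# source is only rendered, never fetched by this test` so the suite does not depend on egress or the remote host's availability. The new tests also cover only the happy path: there is no case asserting that a zone-cache name or source containing a `"` or `\` is rejected (or at least rendered safely), which is what would pin the Lua-string boundary of the generated `zoneToCache(...)` line; the XML constraints that may already forbid such values are not visible in this hunk.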
@@ -1,382 +1,402 @@ #!/usr/bin/env python3 # # Copyright (C) 2018-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from sys import exit from glob import glob from vyos.config import Config from vyos.hostsd_client import Client as hostsd_client from vyos.template import render from vyos.template import bracketize_ipv6 from vyos.utils.network import interface_exists from vyos.utils.process import call from vyos.utils.permission import chown from vyos import ConfigError from vyos import airbag airbag.enable() pdns_rec_user_group = 'pdns' pdns_rec_run_dir = '/run/pdns-recursor' pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua' pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua' pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf' pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf' pdns_rec_systemd_override = '/run/systemd/system/pdns-recursor.service.d/override.conf' hostsd_tag = 'static' def get_config(config=None): if config: conf = config else: conf = Config() base = ['service', 'dns', 'forwarding'] if not conf.exists(base): return None dns = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, with_recursive_defaults=True) dns['config_file'] = pdns_rec_config_file dns['config_dir'] = os.path.dirname(pdns_rec_config_file) # some additions to the default dictionary if 
'system' in dns: base_nameservers = ['system', 'name-server'] if conf.exists(base_nameservers): dns.update({'system_name_server': conf.return_values(base_nameservers)}) if 'authoritative_domain' in dns: dns['authoritative_zones'] = [] dns['authoritative_zone_errors'] = [] for node in dns['authoritative_domain']: zonedata = dns['authoritative_domain'][node] if ('disable' in zonedata) or (not 'records' in zonedata): continue zone = { 'name': node, 'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node), 'records': [], } recorddata = zonedata['records'] for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]: if rtype not in recorddata: continue for subnode in recorddata[rtype]: if 'disable' in recorddata[rtype][subnode]: continue rdata = recorddata[rtype][subnode] if rtype in [ 'a', 'aaaa' ]: if not 'address' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required') continue if subnode == 'any': subnode = '*' for address in rdata['address']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': address }) elif rtype in ['cname', 'ptr']: if not 'target' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{}.'.format(rdata['target']) }) elif rtype == 'ns': if not 'target' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one target is required') continue for target in rdata['target']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': f'{target}.' 
}) elif rtype == 'mx': if not 'server' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required') continue for servername in rdata['server']: serverdata = rdata['server'][servername] zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {}.'.format(serverdata['priority'], servername) }) elif rtype == 'txt': if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required') continue for value in rdata['value']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': "\"{}\"".format(value.replace("\"", "\\\"")) }) elif rtype == 'spf': if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '"{}"'.format(rdata['value'].replace("\"", "\\\"")) }) elif rtype == 'srv': if not 'entry' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required') continue for entryno in rdata['entry']: entrydata = rdata['entry'][entryno] if not 'hostname' in entrydata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}') continue if not 'port' in entrydata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname']) }) elif rtype == 'naptr': if not 'rule' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required') continue for ruleno in rdata['rule']: ruledata = rdata['rule'][ruleno] flags = "" if 'lookup-srv' in ruledata: flags += "S" if 'lookup-a' in ruledata: flags += "A" if 
'resolve-uri' in ruledata: flags += "U" if 'protocol-specific' in ruledata: flags += "P" if 'order' in ruledata: order = ruledata['order'] else: order = ruleno if 'regexp' in ruledata: regexp= ruledata['regexp'].replace("\"", "\\\"") else: regexp = '' if ruledata['replacement']: replacement = '{}.'.format(ruledata['replacement']) else: replacement = '' zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement) }) dns['authoritative_zones'].append(zone) + if 'zone_cache' in dns: + # convert refresh interval to sec: + for _, zone_conf in dns['zone_cache'].items(): + if 'options' in zone_conf \ + and 'refresh' in zone_conf['options']: + + if 'on_reload' in zone_conf['options']['refresh']: + interval = 0 + else: + interval = zone_conf['options']['refresh']['interval'] + zone_conf['options']['refresh']['interval'] = interval + return dns def verify(dns): # bail out early - looks like removal from running config if not dns: return None if 'listen_address' not in dns: raise ConfigError('DNS forwarding requires a listen-address') if 'allow_from' not in dns: raise ConfigError('DNS forwarding requires an allow-from network') # we can not use dict_search() when testing for domain servers # as a domain will contains dot's which is out dictionary delimiter. 
if 'domain' in dns: for domain in dns['domain']: if 'name_server' not in dns['domain'][domain]: raise ConfigError(f'No server configured for domain {domain}!') if 'dns64_prefix' in dns: dns_prefix = dns['dns64_prefix'].split('/')[1] # RFC 6147 requires prefix /96 if int(dns_prefix) != 96: raise ConfigError('DNS 6to4 prefix must be of length /96') if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']: for error in dns['authoritative_zone_errors']: print(error) raise ConfigError('Invalid authoritative records have been defined') if 'system' in dns: if not 'system_name_server' in dns: print('Warning: No "system name-server" configured') + if 'zone_cache' in dns: + for name, conf in dns['zone_cache'].items(): + if ('source' not in conf) \ + or ('url' in conf['source'] and 'axfr' in conf['source']): + raise ConfigError(f'Invalid configuration for zone "{name}": ' + f'Please select one source type "url" or "axfr".') + return None + def generate(dns): # bail out early - looks like removal from running config if not dns: return None render(pdns_rec_systemd_override, 'dns-forwarding/override.conf.j2', dns) render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): os.unlink(zone_filename) if 'authoritative_zones' in dns: for zone in dns['authoritative_zones']: render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2', zone, user=pdns_rec_user_group, group=pdns_rec_user_group) # if vyos-hostsd didn't create its files yet, create them (empty) for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]: with open(file, 'a'): pass chown(file, user=pdns_rec_user_group, 
group=pdns_rec_user_group) return None def apply(dns): systemd_service = 'pdns-recursor.service' # Reload systemd manager configuration call('systemctl daemon-reload') if not dns: # DNS forwarding is removed in the commit call(f'systemctl stop {systemd_service}') if os.path.isfile(pdns_rec_config_file): os.unlink(pdns_rec_config_file) for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): os.unlink(zone_filename) else: ### first apply vyos-hostsd config hc = hostsd_client() # add static nameservers to hostsd so they can be joined with other # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in dns['name_server'].items()] hc.add_name_servers({hostsd_tag: nslist}) # delete all nameserver tags hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) ## add nameserver tags - the order determines the nameserver order! # our own tag (static) hc.add_name_server_tags_recursor([hostsd_tag]) if 'system' in dns: hc.add_name_server_tags_recursor(['system']) else: hc.delete_name_server_tags_recursor(['system']) # add dhcp nameserver tags for configured interfaces if 'system_name_server' in dns: for interface in dns['system_name_server']: # system_name_server key contains both IP addresses and interface # names (DHCP) to use DNS servers. We need to check if the # value is an interface name - only if this is the case, add the # interface based DNS forwarder. 
if interface_exists(interface): hc.add_name_server_tags_recursor(['dhcp-' + interface, 'dhcpv6-' + interface ]) # hostsd will generate the forward-zones file # the list and keys() are required as get returns a dict, not list hc.delete_forward_zones(list(hc.get_forward_zones().keys())) if 'domain' in dns: zones = dns['domain'] for domain in zones.keys(): # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in zones[domain]['name_server'].items()] hc.add_forward_zones(zones) # hostsd generates NTAs for the authoritative zones # the list and keys() are required as get returns a dict, not list hc.delete_authoritative_zones(list(hc.get_authoritative_zones())) if 'authoritative_zones' in dns: hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones']))) # call hostsd to generate forward-zones and its lua-config-file hc.apply() ### finally (re)start pdns-recursor call(f'systemctl reload-or-restart {systemd_service}') if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)
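Review bot: The new `zone_cache` branch in `verify()` checks only that exactly one of `url`/`axfr` is present; it does not validate the tag name or the source value, both of which `generate()` then renders into `recursor.conf.lua` via `dns-forwarding/recursor.conf.lua.j2` as Lua string literals. Unless the interface definition (not visible in this hunk) already restricts them, a name or URL containing `"` or `\` would be emitted unescaped into a file that pdns-recursor executes as Lua, so I would add a guard here, e.g. `if not re.fullmatch(r'[A-Za-z0-9._-]+', name): raise ConfigError(f'Invalid zone-cache name "{name}"')` (needs `import re`) and a matching scheme check that the `url` source starts with `http://` or `https://`. A practitioner caveat worth a comment next to the check: with `options dnssec ignore` and `zonemd ignore`, a plain `http://` source loads a completely unauthenticated zone into the cache, so a `print('Warning: ...')` in that combination would be in keeping with the existing `system name-server` warning above. Separately, `generate()` still renders `pdns_rec_config_file` from `recursor.conf.j2` twice back-to-back; this looks pre-existing, but the commit could drop the duplicate while touching this function.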