Support TLSA records

Closes: #4
Handle SSHFP records
2021-06-19 15:49:54 +01:00 · 2021-06-19 15:42:11 +01:00 · 2021-06-16 17:03:15 +01:00 · 2021-06-16 17:01:01 +01:00 · 2021-06-16 17:00:53 +01:00
2 changed files with 127 additions and 16 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,79 @@
+# Mythic Beasts DNS manager
+
+A simple management agent for controlling your DNS entries on the Mythic Beasts platform using a (version-controllable) YAML file.
+
+This client uses the DNSv2 API (https://www.mythic-beasts.com/support/api/dnsv2) for which you'll need to create a key (https://www.mythic-beasts.com/customer/api-users).
+
+## Configuration
+
+1. Create an API key via https://www.mythic-beasts.com/customer/api-users
+2. Create a YAML file
+
+```yaml
+defaults:
+  ttl:
+    example.com: 3600
+  api: https://api.mythic-beasts.com/dns/v2/zones
+  api_host: api.mythic-beasts.com:443
+  realm: Mythic Beasts DNS API
+
+auth:
+  key: mykey
+  secret: mysecret
+
+zones:
+  example.com:
+```
+
+3. Under `zones -> example.com`, prepare your DNS entries using the schema:
+
+```yaml
+zones:
+  example.com:
+    name1:
+      TYPE: value
+    name2:
+      TYPE:
+        - value1
+        - value2
+    name3.subdomain:
+      TYPE: value
+```
+
+Currently only a single zone is supported.
+
+## Supported types
+
+The client currently supports all of the Record Types implemented by the Mythic Beasts API except `SSHFP` and `TLSA`.
+
+## Value syntax
+
+The value for simple record types is the plain value as expected (eg. `A: 10.54.22.9` or `AAAA: 2a01:332::2`).
+
+The value for complex types, such as `MX` is as per the standard zone file (eg. `MX: 10 mta.example.com`) At some point this will become parametrised.
+
+## The Root object (`@`)
+To refer to the base/root domain, use the `"@"` key:
+```yaml
+zones:
+  example.com:
+    "@":
+      A: 10.54.22.9
+      AAAA: 2a01:332::2
+      MX:
+        - 10 mta1.example.com
+        - 10 mta2.example.com
+```
+
+# Running
+Invoke the docker container with the input yaml file:
+```bash
+docker run --rm -ti -v "${PWD}:/a" -w /a fooflington/mythic-dns mafoo.org.uk.yml
+```
+
+## Dry run
+Pass the environment variable `DRY_RUN` to prevent any changes:
+
+```bash
+docker run --rm -ti -v "${PWD}:/a" -w /a -e DRY_RUN=1 fooflington/mythic-dns mafoo.org.uk.yml
+```
--- a/manage-dns.pl
+++ b/manage-dns.pl
@@ -13,6 +13,7 @@ use WWW::Form::UrlEncoded::PP qw/build_urlencoded/;
 my $in = YAML::Tiny->read(shift);
 my $ua = LWP::UserAgent->new;
 my %seen;
+my $DRY_RUN = $ENV{DRY_RUN};

 sub _debug {
    print STDERR ("=== DEBUG ===\n", Dumper(@_), "=== END ===\n") if $ENV{DEBUG} or $in->[0]->{debug};
@@ -39,9 +40,9 @@ my %supported_types = (
    MX => "yes",
    NS => "yes",
    PTR => "yes",
-    SSHFP => "not yet implemented",
+    SSHFP => "yes",
    SRV => "yes",
-    TLSA => "not yet implemented",
+    TLSA => "yes",
    TXT => "yes",
 );
 sub is_unsupported($) {
@@ -51,6 +52,8 @@ sub is_unsupported($) {
    return $supported_types{$type};
 }

+_notice("Dry run - no changes will be applied") if ${DRY_RUN};
+
 if($ENV{DEBUG} or $in->[0]->{debug}) {
    use LWP::Debug qw(+);
    $ua->add_handler(
@@ -133,6 +136,17 @@ sub format_record($$$$) {
        $record->{caa_property} = $property;
        $record->{caa_tag} = $property;
        $record->{data} = $data;
+    } elsif ($type eq 'SSHFP') {
+        my ($algo, $keytype, $data) = split(/\s+/, $value);
+        $record->{sshfp_type} = $keytype;
+        $record->{sshfp_algorithm} = $algo;
+        $record->{data} = $data;
+    } elsif ($type eq 'TLSA') {
+        my ($usage, $selector, $matching, $data) = split(/\s+/, $value);
+        $record->{tlsa_usage} = $usage;
+        $record->{tlsa_selector} = $selector;
+        $record->{tlsa_matching} = $matching;
+        $record->{data} = $data;
    }

    return $record;
@@ -155,6 +169,19 @@ sub reformat_data($$) {
            $data->{caa_property} || $data->{caa_tag},
            $data->{data}
        );
+    } elsif($type eq 'SSHFP') {
+        return sprintf('%d %d %s',
+            $data->{sshfp_algorithm},
+            $data->{sshfp_type},
+            $data->{data},
+        );
+    } elsif($type eq 'TLSA') {
+        return sprintf('%d %d %d %s',
+            $data->{tlsa_usage},
+            $data->{tlsa_selector},
+            $data->{tlsa_matching},
+            $data->{data},
+        );
    }

    return $data->{data};
@@ -178,31 +205,36 @@ sub check_and_update_record($$$$$) {
            # Update the record
            $record->{ttl} = $in->[0]->{defaults}->{ttl}->{$zone};
            _debug("Update ", $url, $record, to_json($record));
-            my $res = $ua->put(
-                $url,
-                "Content-Type" => "application/json",
-                "Content" => to_json({ records => [ $record ] }),
-            );
-            warn "Failed to update $url: " . $res->status_line unless $res->is_success;
+            unless ($DRY_RUN) {
+                my $res = $ua->put(
+                    $url,
+                    "Content-Type" => "application/json",
+                    "Content" => to_json({ records => [ $record ] }),
+                );
+                warn "Failed to update $url: " . $res->status_line unless $res->is_success;
+            }
        }
    } else {
        # Create new record
        my $new = format_record($zone, $type, $host, $value);
        _notice("Created new record: %s %s %s", $host, $type, $value);
        _debug($new);
-        my $res = $ua->post(
-            $url,
-            "Content-Type" => "application/json",
-            Content => to_json({
-                records => [ $new ]
-            })
-        );
-        warn "Failed to create $url: " . $res->status_line . "\n" . $res->content unless $res->is_success;
+        unless ($DRY_RUN) {
+            my $res = $ua->post(
+                $url,
+                "Content-Type" => "application/json",
+                Content => to_json({
+                    records => [ $new ]
+                })
+            );
+            warn "Failed to create $url: " . $res->status_line . "\n" . $res->content unless $res->is_success;
+        }
    }
 }

 sub delete_record($$) {
    my ($zone, $record) = @_;
+    return if $DRY_RUN;

    my $url = $in->[0]->{defaults}->{api} . "/$zone/records/$record->{host}/$record->{type}?host=$record->{host}&data=$record->{data}";
    my $res = $ua->delete($url);
Author	SHA1	Message	Date
Matthew Slowe	fc2031eb7c	Support TLSA records Closes: #4	2021-06-19 15:49:54 +01:00
Matthew Slowe	17ff01d066	Handle SSHFP records Closes #2	2021-06-19 15:42:11 +01:00
Matthew Slowe	7a3e5e472a	fix readme	2021-06-16 17:03:15 +01:00
Matthew Slowe	95f0148af9	Implement dry-run	2021-06-16 17:01:01 +01:00
Matthew Slowe	405903f0f5	Basic readme	2021-06-16 17:00:53 +01:00