DuckCorp Projects: Issues https://projects.duckcorp.org/ https://projects.duckcorp.org/favicon.ico?1669909042 2023-08-17T08:45:40Z DuckCorp Projects Redmine
DuckCorp Infrastructure - Enhancement #787 (New): Add carddav/caldav SRV records on dc.o https://projects.duckcorp.org/issues/787 2023-08-17T08:45:40Z Marc Dequènes duck@duckcorp.org
<p><a class="external" href="https://blog.fidelramos.net/software/nextcloud-caldav-carddav-dns">https://blog.fidelramos.net/software/nextcloud-caldav-carddav-dns</a></p>
DuckCorp Infrastructure - Bug #720 (In Progress): Bind9 KASP Migration Problems https://projects.duckcorp.org/issues/720 2021-02-20T08:51:12Z Marc Dequènes duck@duckcorp.org
<p>This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.</p>
We encountered a few bugs or limitations (the latter being expected improvements from the old system that are still dearly lacking):
<ul>
<li><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958934" class="external">old apparmor profile in the way</a></li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2404" class="external">does not properly import keys and states from old system</a></del> fixed in 9.16.11</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2544" class="external">Migrating to dnssec-policy, DS is set to rumoured</a></del> could not be reproduced upstream (just for reference)</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2488" class="external">rndc dnssec -rollover takes a <strong>very</strong> long time to be taken into account; not good for emergency rollover</a></del> planned for 9.16.4 or 9.16.5</li>
<li><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/1126" class="external">implement check if the DS record has been published</a> (should be in 9.16.19)</li>
<li><del>automatic purge of old keys</del> <em>purge-keys</em> added in 9.16.13</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2498" class="external">NSEC3 RRs not maintained properly; we are not affected but that's bad</a></del> fixed in 9.16.12</li>
<li><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/1890" title="RFC 7344" class="external">new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY</a></li>
</ul>
Features we really need:
<ul>
<li><del>publishing of CDS/CDNSKEY</del> handled by KASP</li>
<li><del>automate using published CDS/CDNSKEY in parent zones we manage</del> created support with a crontab in the bind9 role</li>
<li>notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream</li>
<li>automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar</li>
<li>rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)</li>
</ul>
DuckCorp Infrastructure - Enhancement #602 (In Progress): Deploy Content Security Policy (CSP) an... https://projects.duckcorp.org/issues/602 2017-09-30T07:02:53Z Marc Dequènes duck@duckcorp.org
<p>We should have a look at this: <a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a></p>
<p>Full specification: <a class="external" href="https://www.w3.org/TR/CSP/">https://www.w3.org/TR/CSP/</a></p>
DuckCorp Infrastructure - Documentation #457 (New): Document Machine<->Services Associations https://projects.duckcorp.org/issues/457 2015-07-08T19:06:52Z Marc Dequènes duck@duckcorp.org
<p>Pilou suggested using a table to know which machine performs which service (and optionally which services are lost when a machine is down).</p>
As it could bring a lot of lines for the many services, I suggest using categories and subcategories, like:
<ul>
<li>Mail
<ul>
<li>MTA</li>
<li>Mailing-Lists</li>
<li>MailSync (Fetchmail)</li>
<li>MailRetrieval (IMAP/POP/Webmail)</li>
<li>MailFiltering (antivirus/antispam)</li>
<li>MailManipulation (SIEVE/Procmail?)</li>
</ul></li>
</ul>
<p>When the need for details arises, the cell could have the role name. For example, Orfeo would have for <em>MTA</em> the role <em>MX1</em>, while Toushirou would have <em>MX2</em>, and so on. It could be interesting to find a way to have both a view of roles and of software names to implement them.</p>
<p>The service list in the user wiki can be used as a source to build this documentation.</p>
<p>It should also specify if the service is under a Configuration Management system.</p>
DuckCorp Infrastructure - Enhancement #292 (Blocked): DNSSEC authoritative nameservers and valida... https://projects.duckcorp.org/issues/292 2012-02-13T22:19:10Z Marc Dequènes duck@duckcorp.org
<p>According to RFC 4035, section 3.1.6 (The AD and CD Bits in an Authoritative Response), it is normal behavior for an authoritative nameserver to return AA without the AD flag. In bind9 there is no way to either consider authoritative zones data to be authentic « without further validation », or redo validation (which would be silly while serving the zone outside).</p>
Considered solutions:
<ul>
<li>on DNS servers: try to use a bind9 view for localhost requests, which would not share any zone but act as a recursive validating resolver if possible, or use unbound as validating resolver (in resolv.conf only)</li>
<li>on other servers: use unbound as validating resolver</li>
</ul>
CyborgHood - Enhancement #201 (New): Auth/Tokens/Locator Bot https://projects.duckcorp.org/issues/201 2011-03-04T00:51:28Z Marc Dequènes duck@duckcorp.org
This bot has multiple usages:
<ul>
<li>be a trusted referee to check bots identity</li>
<li>act as a common trusted party to exchange Tokens (rights)</li>
<li>act as a name service to locate a resource</li>
<li>anything else related to inter-bot security…</li>
</ul>
LdapShadows - Enhancement #146 (New): allow providing method to compute a better item handle https://projects.duckcorp.org/issues/146 2010-09-06T20:38:00Z Marc Dequènes duck@duckcorp.org
LdapShadows - Enhancement #145 (New): allow providing method to compute object name https://projects.duckcorp.org/issues/145 2010-09-06T12:07:10Z Marc Dequènes duck@duckcorp.org
<p>It would be more flexible than a single attribute name, or even a list, and we can still provide helpers for common cases.</p>
LdapShadows - Enhancement #143 (In Progress): create administration shadow for OpenLDAP 'cn=confi... https://projects.duckcorp.org/issues/143 2010-09-06T08:25:51Z Marc Dequènes duck@duckcorp.org
<p>It would help a lot in handling the new slapd.d configuration system.</p>
LdapShadows - Documentation #35 (New): Document API for external apps https://projects.duckcorp.org/issues/35 2010-04-05T18:23:51Z Marc Dequènes duck@duckcorp.org
LdapShadows - Enhancement #33 (New): Design and Rework the external API https://projects.duckcorp.org/issues/33 2010-04-05T18:16:15Z Marc Dequènes duck@duckcorp.org
<p>Work with the CyborgHood project to design a usable and well-abstracted API for their use; it should be a good start.</p>
CyborgHood - Enhancement #32 (In Progress): Adapt Postman to use Librarian and MapMaker Bots https://projects.duckcorp.org/issues/32 2010-04-05T18:11:55Z Marc Dequènes duck@duckcorp.org
<p>Support UNIX socket middleware backend only.</p>
LdapShadows - Enhancement #26 (New): Better express where an item can be created https://projects.duckcorp.org/issues/26 2010-04-05T17:09:21Z Marc Dequènes duck@duckcorp.org
LdapShadows - Enhancement #25 (New): Allow global relations to share them among objects ??? https://projects.duckcorp.org/issues/25 2010-04-05T17:07:09Z Marc Dequènes duck@duckcorp.org
<p>Not sure about this feature.</p>
MyCyma - Enhancement #8 (New): Creation of a new display page https://projects.duckcorp.org/issues/8 2009-02-15T16:47:58Z Jean-Marc Bonicoli
<p>Would it be possible to generate a second display page?<br />For example "ten productions from the same series".<br />It is possible to work from the "variations" series, which already has more than ten works recorded in the database.</p>