DelphinusDNS Blog
(the latest about delphinusdnsd)||
|
Previous Page
April 27th, 2020
Tomorrows snapshot should have the fix. It affected signing with dddctl only.
It wasn't easy to find the location of code, but eventually I found it.
0 comments
April 23rd, 2020
I have just committed this new feature, tcp-on-any-only, from commitlog:
Add the tcp-on-any-only flag to options. This replies with a TC (truncate) on
any non-tcp request, causing determined clients to retry in TCP mode. It is
long overdue to have this option, and the fix was very simple to do.
Basically I'm throwing more TC's in the UDP way of resolving. It will force
some to retry with TCP.
1 comment
April 8th, 2020
Everyone uses DNS when they use the Internet, so I have been using DNS since
1994. But I used DNS on Open Source Operating Systems since Autumn 1995
(where I installed Linux while being in College).
At work starting in Autumn 1997 I was confronted working my first DNS server.
It was BIND4 I believe. This prompted me to get my first DNS book which I
still have today "DNS and BIND - Paul Albitz and Cricket Liu". A very helpful
book, but at edition 3 it is outdated today.
The first DNS server i wrote was wildcarddnsd the predecessor of delphinusdnsd
(in name only, same codebase). I started this in 2005, the
first 15 years
have passed.
In 2015 I first experimented with DNSSEC. The concept is super simple if you
understand simple cryptography, but to me it was a learning curve. And this
is my history (in short form) of using and implementing DNS.
0 comments
April 7th, 2020
I have been talking a bit with DNS folks and they said it's probably best
to go insecure and then secure again if an algorithm needs to be rolled.
Sucks I know. There is recursive dns software that can't follow an alg
rollover. So I'm planning on taking my zones insecure so that I can give
them a new algorithm. When that will be I don't know yet.
0 comments
April 2nd, 2020
I just put this on the news.html:
Development is ongoing. You should know that a delphinusdnsd before
the month of April (that includes 1.4.1) cannot do a double-signature
key rollover, even if the master is PowerDNS or similar, due to a bug
with RRSIG's that was fixed on April 1st. If you don't plan on doing
a key rollover until next year then go ahead with 1.4.1 otherwise use
a snapshot.
I thought it was worthy of stressing this.
0 comments
April 2nd, 2020
As you may know I attempted this yesterday and the code wasn't ready. So
now it's
in Progress. The test zone is called "dtschland.eu" which is a test
zone of mine that I got on a reduced deal with joker.com years ago. I got
this domain for 10 years at the time. It's paying off now. I'm trying to
roll the ZSK from alg 10 to alg 13 as well. So this should be interesting.
1 comment
April 1st, 2020
The centroid.eu nameservers are the servers hosting DNS for delphinusdns.org.
I have taken them to todays snapshot on rhombus and trapezoid. What my
intention is is to check the double signature dnskey rotation method. I'll
likely be using dtschland.eu domain name which is my test zone. If you're
looking for progress you may want to follow its history on dnsviz.net which
has now a history again. So you'll be seeing progress. I don't think I'm
going to start today, but I might.
3 comments
March 10th, 2020
I just tried out if Microsoft DNS Server is compatible with delphinusdnsd and
it seems it is. While there I unearthed and fixed a segfault condition when
someone doesn't specify a tsigkey in an rzone entry. Here is a sample rzone
entry that I used against the MS DNS Server.
rzone "petphi.centroid.eu" {
;tsigkey "NOKEY";
masterport 53;
master 192.168.197.254;
zonename "petphi.centroid.eu.";
filename "/etc/delphinusdns/replicant/petphi.centroid.eu.repl";
}
Notice that in delphinusdnsd version 1.4.x, the tsigkey is a MUST or you'll
get a segfault. After 1.5.x it will be optional. I don't want to backpatch
this, so please keep this in mind.
The Microsoft DNS server serves a small Active Directory zone and all default
values are supported with delphinusdnsd. This surprised me and I love it!
0 comments
March 10th, 2020
Here is a signing script I constructed over the last few months.
#!/bin/sh
DOMAIN="centroid.eu"
TODAY=`date +"%Y%m%d01"`
SERIAL=`dddctl query -Q127.0.0.1 soa $DOMAIN | grep -v '^;;' | awk -F, \
'{print $6}'`
SIGN_ARG1="-x $SERIAL -k K${DOMAIN}.+008+48082 -z K${DOMAIN}.+008+57861 \
-i $DOMAIN -n $DOMAIN -o ${DOMAIN}.signed"
SIGN_ARG2="-X -k K${DOMAIN}.+008+48082 -z K${DOMAIN}.+008+57861 \
-i ${DOMAIN} -n ${DOMAIN} -o ${DOMAIN}.signed"
echo signing for $DOMAIN ...
if [ $SERIAL -ge $TODAY ]; then
SERIAL=`expr $SERIAL + 1`
dddctl sign ${SIGN_ARG1}
else
dddctl sign ${SIGN_ARG2}
fi
echo checking result for domain $DOMAIN ...
dddctl configtest ${DOMAIN}.signed
if [ $? -ne 0 -o -z ${DOMAIN}.signed ]; then
echo something is wrong with configtest, exit.. 1>&2
exit 1
fi
dddctl bindfile ${DOMAIN} ${DOMAIN}.signed > ${DOMAIN}.bindfile
if [ $? -ne 0 ]; then
echo something is wrong with bindfile, exit.. 1>&2
exit 1
fi
ldns-verify-zone ${DOMAIN}.bindfile
if [ $? -ne 0 ]; then
echo something is wrong with ldns-verify-zone, exit.. 1>&2
exit 1
fi
echo cleaning up
rm -f ${DOMAIN}.bindfile
echo copying zonefiles to /etc/delphinusdns/
cp ${DOMAIN}* /etc/delphinusdns/
echo now all you need to do is a dddctl configtest and reload
exit 0
I ran this one once and it unearthed a bug with notifies on a timezone. I'll
try to address that bug today. Enjoy the script!
2 comments
March 6th, 2020
In 1.4.1 the regress hierarchy may be broken. I never checked this before
release time. In fact I know it is because starting a zone without SOA and
NS records will exit the daemon, afaik. I just corrected this in case anyone
is using this (the regress only works on OpenBSD), while taking out mention
of solarscale.de which as an old domain name of mine that isn't in my
possession anymore.
0 comments
Next Page
|
Search
RSS Feed
 Click here for RSS
On this day in
Other links
Have feedback?
By clicking on the header of an article you will be
served a cookie. If you do not agree to this do not
click on the header. Thanks!
Using a text-based webbrowser?
... such as lynx? Welcome back it's working again for the time being.
Older Blog Entries
September, 2020
August, 2020
July, 2020
June, 2020
May, 2020
April, 2020
March, 2020
February, 2020
January, 2020
December, 2019
November, 2019
October, 2019
September, 2019
Powered by BCHS
|