Blame
Date: Mon Jan 11 09:00:47 2021 UTC
Message: a usleep makes it unnecessarily slow, I guess it forces a context switch...
001  2014-11-14  pjp  1. README
002  2019-11-01  pjp  1.1 AUTHOR(S)
003  2014-11-14  pjp  2. WHY DELPHINUSDNS?
004  2014-11-14  pjp  3. INSTALL HINTS
005  2014-11-14  pjp  3.1 Linux
006  2014-11-14  pjp  3.2 FreeBSD
007  2014-11-14  pjp  3.3 OpenBSD
008  2014-11-14  pjp  3.4 NetBSD
009  2014-11-14  pjp  3.5 Mac OS X
010  2014-11-14  pjp  4. COMPATIBILITY
011  2014-11-14  pjp  5. EXAMPLES
012  2015-11-20  pjp  6. DNSSEC
013  2018-07-13  pjp  6.1 Signing your zone with dddctl sign
014  2017-01-02  pjp  6.2 re-signing with existing keys
015  2017-01-02  pjp  6.3 What to do with the .signed file
016  2017-01-02  pjp  6.4 How can I sub-delegate a zone with DNSSEC
017  2018-07-13  pjp  6.5 What algorithms are supported with dddctl sign
018  2018-07-13  pjp  6.6 What happened to dd-convert
019  2015-11-20  pjp  7. WHAT IT CAN'T DO
020  2014-11-14  pjp
021  2014-11-14  pjp  1. README
022  2014-11-14  pjp  ---------
023  2014-11-14  pjp
024  2014-11-14  pjp  Delphinusdns is a small authoritative nameserver. It does not recurse nor
025  2020-07-29  pjp  search. Since version 1.5.0 it does forward (with TSIG security even).
026  2020-07-29  pjp  This program is released under a BSD-style license. BSD's tree(3) Red Black
027  2020-07-29  pjp  btree macros are used for the main in-memory database. A project
028  2020-04-28  pjp  website exists at https://delphinusdns.org. It may happen that in
029  2020-01-01  pjp  documentation other domains such as "centroid.eu" are used. These belong
030  2020-01-01  pjp  to the author and, with this notice, shouldn't cause confusion.
031  2014-11-14  pjp
032  2019-11-01  pjp  1.1 AUTHOR
033  2019-11-01  pjp  ----------
034  2019-11-01  pjp
035  2019-11-01  pjp  So far it's just me, Peter J. Philipp <petphi@delphinusdns.org>. I have
036  2019-11-01  pjp  had some patches from other people from the east and some people from the
037  2019-11-01  pjp  west. Sound advice came from people in #dns at irc.freenode.net.
038  2019-11-01  pjp
039  2019-11-01  pjp
040  2014-11-14  pjp  2. WHY DELPHINUSDNS?
041  2014-11-14  pjp  -------------------
042  2014-11-14  pjp
043  2018-07-13  pjp  DNS is simple. Yet, implementation of DNS servers is not so simple.
044  2018-07-13  pjp  DelphinusDNS is written for research into the DNS system so that perhaps one
045  2018-07-13  pjp  day the author has a better understanding of it. Delphinusdnsd is developed
046  2018-07-13  pjp  on OpenBSD; due to pledge(2) and other security mitigations, it is recommended
047  2018-07-13  pjp  that serious delphinusdnsd users also use OpenBSD. Ports to other OSes exist
048  2018-07-13  pjp  for those that cannot do without those platforms, but at the risk of more
049  2018-07-13  pjp  attack surface*. Delphinusdnsd chroots and privseps on all platforms, meaning
050  2018-07-13  pjp  that a direct root exploit is not possible.
051  2014-11-14  pjp
052  2021-01-05  pjp  Usually the master branch is for OpenBSD and the other ports are not
053  2021-01-05  pjp  guaranteed to compile until shortly before release time, when testing occurs
054  2021-01-05  pjp  for these platforms.
055  2018-07-13  pjp
056  2014-11-14  pjp  Use the tool "dig" that comes with bind9 to debug Delphinusdns. If you like to
057  2014-11-14  pjp  program, then you can fork Delphinusdns and make your own creation, or you
058  2018-07-13  pjp  can send patches to the author who may implement them into the code. The
059  2018-07-13  pjp  current contact mail address is petphi@delphinusdns.org.
060  2014-11-14  pjp
061  2018-07-13  pjp  * https://en.wikipedia.org/wiki/Attack_surface
062  2014-11-14  pjp
063  2014-11-14  pjp  3. INSTALL HINTS
064  2014-11-14  pjp  ----------------
065  2014-11-14  pjp
066  2017-01-06  pjp  To install, type ./configure on your platform. This will copy the proper
067  2018-07-13  pjp  Makefile to ./Makefile and dddctl and delphinusdnsd. Then you would type
068  2017-01-06  pjp  make, followed by su'ing and make install. Delphinusdnsd installs to
069  2017-01-06  pjp  /usr/local/sbin.
070  2014-11-14  pjp
071  2014-11-14  pjp  By default the configuration file is not installed; you need to
072  2014-11-14  pjp  do this manually. Also by default the config file is specified as
073  2019-09-20  pjp  /etc/delphinusdns/delphinusdns.conf; this can be changed by adding the -f
074  2019-09-20  pjp  option to delphinusdnsd.
075  2014-11-14  pjp
076  2014-11-14  pjp  A sample config file exists with the sources. example7.conf was a real life
077  2014-11-14  pjp  config once.
078  2014-11-14  pjp
079  2014-11-14  pjp  3.1 Linux
080  2014-11-14  pjp  ---------
081  2014-11-14  pjp
082  2014-11-14  pjp  On Linux Mint you need to apt-get install build-essential.
083  2014-11-14  pjp
084  2014-11-14  pjp  ## configure the platform
085  2014-11-14  pjp  $ ./configure
086  2014-11-14  pjp  ## this will install the development programs you'll need (as root)
087  2019-09-19  pjp  $ apt-get install make bison cvs gcc libssl-dev libbsd-dev
088  2014-11-14  pjp  ## add a privsep user with a chroot directory (option -m) (as root)
089  2014-11-14  pjp  $ useradd -m _ddd
090  2014-11-14  pjp  ## make the program
091  2014-11-14  pjp  $ make
092  2014-11-14  pjp  ## install the binary (as root)
093  2014-11-14  pjp  $ make install
094  2014-11-14  pjp  ## done, create a config file and start delphinusdnsd
095  2014-11-14  pjp
096  2014-11-14  pjp
097  2014-11-14  pjp  3.2 FreeBSD
098  2014-11-14  pjp  -----------
099  2014-11-14  pjp
100  2014-11-14  pjp  ## configure the platform
101  2017-01-06  pjp  $ ./configure
102  2014-11-14  pjp  ## add a privsep user (_ddd) with a chroot directory (as root)
103  2014-11-14  pjp  $ vipw
104  2014-11-14  pjp  ## or
105  2019-12-09  pjp  $ pw user add _ddd -m
106  2014-11-14  pjp  ## make the program
107  2014-11-14  pjp  $ make
108  2014-11-14  pjp  ## install the binary (as root)
109  2014-11-14  pjp  $ make install
110  2014-11-14  pjp  ## done, create a config file and start delphinusdnsd
111  2014-11-14  pjp
112  2014-11-14  pjp
113  2014-11-14  pjp  3.3 OpenBSD
114  2014-11-14  pjp  -----------
115  2014-11-14  pjp
116  2014-11-14  pjp  ## configure the platform
117  2017-01-06  pjp  $ ./configure
118  2014-11-14  pjp  ## add a privsep user (_ddd) with a chroot directory (as root)
119  2018-07-13  pjp  $ useradd -m _ddd
120  2014-11-14  pjp  ## or
121  2014-11-14  pjp  $ adduser
122  2014-11-14  pjp  ## make the program
123  2014-11-14  pjp  $ make
124  2014-11-14  pjp  ## install the binary (as root)
125  2014-11-14  pjp  $ make install
126  2014-11-14  pjp  ## done, create a config file and start delphinusdnsd
127  2014-11-14  pjp
128  2014-11-14  pjp  3.4 NetBSD
129  2014-11-14  pjp  ----------
130  2014-11-14  pjp
131  2019-06-12  pjp  The tests for this were done on NetBSD 8.1
132  2014-11-14  pjp
133  2017-01-06  pjp  ## create paths needed
134  2017-01-06  pjp  $ mkdir -p /usr/local/sbin /usr/local/man/man/man5 /usr/local/man/man/man8 /usr/local/man/man/html5/ /usr/local/man/man/html8
135  2019-06-12  pjp  ## install libressl from pkgsrc
136  2019-06-12  pjp  $ cd /usr/pkgsrc/security/libressl && make install
137  2019-06-12  pjp  ## add libressl to ld.so search path
138  2019-06-12  pjp  $ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/pkg/libressl/lib
139  2014-11-14  pjp  ## configure the platform
140  2017-01-06  pjp  $ ./configure
141  2014-11-14  pjp  ## add a privsep user with a chroot directory (as root)
142  2014-11-14  pjp  $ useradd -m _ddd
143  2014-11-14  pjp  ## make the program
144  2014-11-14  pjp  $ make
145  2014-11-14  pjp  ## install the binary (as root)
146  2014-11-14  pjp  $ make install
147  2014-11-14  pjp  ## done, create a config file and start delphinusdnsd
148  2014-11-14  pjp
149  2014-11-14  pjp  3.5 Mac OS X
150  2014-11-14  pjp  ------------
151  2014-11-14  pjp
152  2017-01-03  pjp  Mac OS X port has been dropped in version 1.1.0. If anyone wants to revive
153  2017-01-03  pjp  it they can send patches for the Makefile.
154  2014-11-14  pjp
155  2014-11-14  pjp
156  2014-11-14  pjp  4. COMPATIBILITY
157  2014-11-14  pjp  ----------------
158  2014-11-14  pjp
159  2017-06-26  pjp  ------------------+--------------------+---------------------+
160  2018-07-13  pjp  Operating System  | makes and compiles | responds to queries |
161  2017-06-26  pjp  ------------------+--------------------+---------------------+
162  2020-11-19  pjp  FreeBSD 12.2      | yes                | yes                 |
163  2017-06-26  pjp  ------------------+--------------------+---------------------+
164  2020-11-19  pjp  NetBSD 9.1        | yes                | yes                 |
165  2017-06-26  pjp  ------------------+--------------------+---------------------+
166  2020-11-19  pjp  OpenBSD 6.8       | yes                | yes                 |
167  2017-06-26  pjp  ------------------+--------------------+---------------------+
168  2018-07-13  pjp  Linux*            | yes                | yes                 |
169  2017-06-26  pjp  ------------------+--------------------+---------------------+
170  2014-11-14  pjp
171  2018-07-13  pjp  * Devuan and OpenSuse were tested for version 1.3.0
172  2018-07-13  pjp  ** Mac OS X support has been dropped in version 1.1.0
173  2014-11-14  pjp
174  2014-11-14  pjp  5. EXAMPLES
175  2014-11-14  pjp  -----------
176  2014-11-14  pjp
177  2018-07-13  pjp  In the directory "examples" are a few examples from working configs. The
178  2018-07-13  pjp  author uses example8.conf often to test functionality and compatibility
179  2018-07-13  pjp  on any platform.
180  2014-11-14  pjp
181  2015-11-20  pjp  6. DNSSEC
182  2015-11-20  pjp  ---------
183  2014-11-14  pjp
184  2015-12-12  pjp  DNSSEC is an added hostmaster commitment. You will have to re-sign your zone at
185  2015-12-19  pjp  periodic intervals. This can be automated though.
186  2014-11-14  pjp
187  2018-07-13  pjp  6.1 Signing your zone with dddctl sign
188  2018-07-13  pjp  --------------------------------------
189  2014-11-14  pjp
190  2015-12-12  pjp  The very first time you'll want to create ZSK and KSK keys. They are the
191  2015-12-12  pjp  zone signing and key signing keys respectively. Every DNSSEC zone has at
192  2018-07-13  pjp  least one of these. To create these with dddctl sign I use -Z and -K
193  2015-12-12  pjp  options. Here is an example:
194  2014-11-14  pjp
195  2018-07-13  pjp  dddctl sign -Z -K -i centroid.eu -n centroid.eu -o centroid.eu.signed
196  2014-11-14  pjp
197  2015-12-12  pjp  What this does is it creates the keys and signs the zone 'centroid.eu' with
198  2015-12-12  pjp  the zonename centroid.eu. No trailing dots are needed. The output will be
199  2015-12-12  pjp  called centroid.eu.signed and the keys will be created and look like this:
200  2014-11-14  pjp
201  2015-12-12  pjp  alpha$ ls K*
202  2015-12-12  pjp  Kcentroid.eu.+008+04815.key      Kcentroid.eu.+008+40405.key
203  2015-12-12  pjp  Kcentroid.eu.+008+04815.private  Kcentroid.eu.+008+40405.private
204  2015-11-20  pjp
205  2017-01-02  pjp  This output format is compatible with the dnssec-keygen utility from BIND and
206  2017-01-02  pjp  the format is simple:
207  2015-12-12  pjp
208  2015-12-12  pjp  K for key, centroid.eu. for the zone name, +008 for the algorithm used (in
209  2015-12-12  pjp  this case it's rsasha256) and lastly a unique identifier for the key.
210  2015-12-12  pjp
211  2015-12-12  pjp  Keep these keys in a private place and only pull them out when you are going
212  2017-01-02  pjp  to re-sign the zone, as shown in #6.2. The K* files should say inside which
213  2017-01-02  pjp  is the ZSK and which is the KSK.
214  2015-12-12  pjp
215  2017-01-02  pjp  6.2 re-signing with existing keys
216  2015-12-12  pjp  ---------------------------------
217  2015-12-12  pjp
218  2015-12-12  pjp  In order to do the monthly re-signing you must know which key is the ZSK and
219  2017-01-23  pjp  which is the KSK. The K*.key files will tell you which is the ZSK and which
220  2017-01-23  pjp  is the KSK.
221  2015-12-12  pjp
222  2018-07-13  pjp  dddctl sign -z Kcentroid.eu.+008+04815 -k Kcentroid.eu.+008+40405 \
223  2017-01-02  pjp  -i centroid.eu -n centroid.eu -o centroid.eu.signed
224  2015-12-12  pjp
225  2015-12-12  pjp  Note, this will overwrite any centroid.eu.signed file.
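
One way to automate the key selection for the re-signing step above, as an added example that is not part of the delphinusdns sources: it reads the DNSKEY flags field (256 for a ZSK, 257 for a KSK) from each K*.key file, refuses private halves that group or others can read, and prints the matching dddctl sign command. It assumes each .key file holds one DNSKEY record in BIND presentation format; the function names and the sample key material are constructed for illustration.

```shell
# Added example, not part of the delphinusdns sources.
# Assumption: each K*.key file holds one DNSKEY RR in BIND presentation format.

# key_role FILE: print ZSK (flags 256), KSK (flags 257) or unknown.
key_role() {
    awk '
        /^[ \t]*;/ { next }                      # skip comment lines
        { for (i = 1; i < NF; i++)
              if (toupper($i) == "DNSKEY") { flags = $(i + 1); exit } }
        END { if (flags == 256) print "ZSK"
              else if (flags == 257) print "KSK"
              else print "unknown" }
    ' "$1"
}

# resign_command DIR ZONE: print the section 6.2 command for the keys in DIR.
resign_command() {
    dir=$1; zone=$2; zsk=; ksk=
    for f in "$dir/K$zone.+"*.key; do
        [ -f "$f" ] || continue
        base=$(basename "$f" .key); priv=$dir/$base.private
        [ -f "$priv" ] || { echo "no private half for $base" >&2; return 1; }
        # the private half must not be readable by group or others
        if [ -n "$(find "$priv" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "$priv is readable by group or others" >&2; return 1
        fi
        case $(key_role "$f") in
            ZSK) [ -z "$zsk" ] || { echo "more than one ZSK" >&2; return 1; }; zsk=$base ;;
            KSK) [ -z "$ksk" ] || { echo "more than one KSK" >&2; return 1; }; ksk=$base ;;
            *)   echo "$f: neither ZSK nor KSK" >&2; return 1 ;;
        esac
    done
    [ -n "$zsk" ] && [ -n "$ksk" ] || { echo "need one ZSK and one KSK" >&2; return 1; }
    echo "dddctl sign -z $zsk -k $ksk -i $zone -n $zone -o $zone.signed"
}

# Constructed sample: placeholder key material, empty private halves.
make_sample_keys() {
    k=$1/Kcentroid.eu.+008
    printf '; constructed zone-signing key\ncentroid.eu. 3600 IN DNSKEY 256 3 8 Q09OU1RSVUNURUQ=\n' > "$k+04815.key"
    printf 'centroid.eu. 3600 IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=\n' > "$k+40405.key"
    for id in 04815 40405; do : > "$k+$id.private"; chmod 600 "$k+$id.private"; done
}

tmp=$(mktemp -d) && make_sample_keys "$tmp" && resign_command "$tmp" centroid.eu
rm -rf "$tmp"
```
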
226  2015-12-12  pjp
227  2015-12-12  pjp
228  2017-01-02  pjp  6.3 What to do with the .signed file
229  2015-12-12  pjp  ------------------------------------
230  2015-12-12  pjp
231  2015-12-12  pjp  Install the .signed file as your zone. I personally use includes in my
232  2015-12-12  pjp  config file so that this is managed easily. Then restart delphinusdnsd after
233  2015-12-12  pjp  setting the 'dnssec' option. Your zone should talk DNSSEC, after you upload
234  2015-12-12  pjp  the KSK to your registrar. They'll likely want the DNSKEY and in some cases
235  2015-12-12  pjp  grab it themselves over the insecure channel. My registrar joker.com did
236  2018-07-13  pjp  this. Other than that dddctl sign creates a dsset-centroid.eu. file which
237  2017-01-02  pjp  has the uploadable DS keys in it.
238  2017-01-02  pjp
239  2015-12-12  pjp  It's up to you to upload DS or DNSKEY (which can derive DS keys) to your
240  2015-12-12  pjp  registrar and from there to your parent zone.
241  2015-12-12  pjp
242  2015-12-12  pjp
243  2017-01-02  pjp  6.4 How can I sub-delegate a zone with DNSSEC
244  2015-12-12  pjp  ---------------------------------------------
245  2015-12-12  pjp
246  2019-11-18  pjp  This was recently fixed. When delegating to a signed zone be sure to copy
247  2019-11-18  pjp  back the DS file (dsset-zone. file); it is in RFC1034/BIND format so you'll
248  2019-11-18  pjp  have to convert it to delphinusdnsd format most likely. You then sign over
249  2019-11-18  pjp  this and publish the delegation (restart delphinusdnsd). That should be all.
250  2019-11-19  pjp  Here is an example zone entry for ip6.centroid.eu:
251  2015-12-12  pjp
252  2019-11-19  pjp  ip6.centroid.eu,ds,86400,35905,13,2,"CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE448626995044"
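
The dsset conversion described above, as an added example that is not part of delphinusdns: it turns BIND-format DS lines into the comma-separated form of the ip6.centroid.eu entry and rejects any record whose digest length does not match its digest type. The output layout is an assumption inferred from that single entry, the default TTL of 86400 is taken from it, and the function names are hypothetical.

```shell
# Added example, not part of the delphinusdns sources. The output layout is
# an assumption inferred from the ip6.centroid.eu entry shown above.

# ds_to_delphinus [TTL]: read BIND-format DS lines on stdin, print one
# delphinusdnsd zone entry per record; exit non-zero if any line is rejected.
ds_to_delphinus() {
    awk -v ttl="${1:-86400}" '
        BEGIN { bad = 0; len[1] = 40; len[2] = 64; len[4] = 96 }  # hex digits per digest type
        /^[ \t]*(;|$)/ { next }                  # comments and blank lines
        {
            ds = 0
            for (i = 2; i <= NF; i++)
                if (toupper($i) == "DS") { ds = i; break }
            if (!ds || NF < ds + 4) { reject("not a DS record"); next }
            name = tolower($1); sub(/\.$/, "", name)   # no trailing dot
            digest = ""                                # rejoin a split digest
            for (i = ds + 4; i <= NF; i++) digest = digest toupper($i)
            type = $(ds + 3) + 0
            if (!(type in len)) { reject("unsupported digest type " type); next }
            if (digest !~ /^[0-9A-F]+$/ || length(digest) != len[type]) {
                reject("digest is not " len[type] " hex digits"); next
            }
            printf "%s,ds,%s,%d,%d,%d,\"%s\"\n", name, ttl, $(ds + 1), $(ds + 2), type, digest
        }
        function reject(why) { print "line " NR ": " why > "/dev/stderr"; bad = 1 }
        END { exit bad }
    '
}

# Constructed dsset input using the values of the entry above; the digest is
# split by whitespace, which the DS presentation format allows.
sample_dsset() {
    printf '%s\n' 'ip6.centroid.eu. IN DS 35905 13 2 CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE4486 26995044'
}

sample_dsset | ds_to_delphinus 86400
```
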
253  2015-12-12  pjp
254  2019-11-19  pjp
255  2018-07-13  pjp  6.5 What algorithms are supported with dddctl sign
256  2018-07-13  pjp  --------------------------------------------------
257  2017-01-02  pjp
258  2019-11-01  pjp  Currently only 4 algorithms are supported. There is RSASHA1-NSEC3-SHA1
259  2020-03-04  pjp  which has algorithm 7, there is RSASHA256 which has algorithm 8,
260  2019-11-01  pjp  and there is RSASHA512 which has algorithm 10. Finally the ECDSAP256SHA256
261  2020-03-04  pjp  algorithm (alg 13, now the default) is supported.
262  2017-01-02  pjp
263  2018-07-13  pjp  6.6 What happened to dd-convert
264  2018-07-13  pjp  -------------------------------
265  2018-07-13  pjp
266  2017-01-02  pjp  The BIND-reliant dd-convert.rb has been replaced with a native C program called
267  2019-11-01  pjp  dddctl.c. It is what's being used now.
268  2017-01-02  pjp
269  2017-01-02  pjp
270  2015-01-01  pjp  7. WHAT IT CAN'T DO
271  2015-01-01  pjp  -------------------
272  2015-01-01  pjp
273  2019-11-19  pjp  * DNSSEC algorithm rollover. Maybe for version 1.5.0 or higher. Please pick
274  2019-11-19  pjp  a good strong algorithm, it may take years until this is fixed.
repomaster@centroid.eu