Date: Thu Nov 19 09:25:28 2020 UTC
Message: update README before 1.5.0 release

$Id: README,v 1.48 2020/11/19 09:25:28 pjp Exp $


1. README
1.1 AUTHOR
2. WHY DELPHINUSDNS?
3. INSTALL HINTS
3.1 Linux
3.2 FreeBSD
3.3 OpenBSD
3.4 NetBSD
3.5 Mac OS X
4. COMPATIBILITY
5. EXAMPLES
6. DNSSEC
6.1 Signing your zone with dddctl sign
6.2 re-signing with existing keys
6.3 What to do with the .signed file
6.4 How can I sub-delegate a zone with DNSSEC
6.5 What algorithms are supported with dddctl sign
6.6 What happened to dd-convert
7. WHAT IT CAN'T DO


1. README
---------

Delphinusdns is a small authoritative nameserver. It does not recurse nor
search. Since version 1.5.0 it can forward queries (with TSIG, even).
This program is released under a BSD-style license. BSD's tree(3) red-black
tree macros are used for the main in-memory database. A project website
exists at https://delphinusdns.org. It may happen that in documentation
other domains such as "centroid.eu" are used. These belong to the author
and, with this notice, shouldn't cause confusion.


1.1 AUTHOR
----------

So far it's just me, Peter J. Philipp <petphi@delphinusdns.org>. I have
had some patches from other people from the east and some people from the
west. Sound advice came from people in #dns at irc.freenode.net.



2. WHY DELPHINUSDNS?
-------------------

DNS is simple. Yet, implementing a DNS server is not so simple. DelphinusDNS
is written for research into the DNS system so that perhaps one day the
author has a better understanding of it. Delphinusdnsd is developed on
OpenBSD; due to pledge(2) and other security mitigations there, it is
recommended that serious delphinusdnsd users also use OpenBSD. Ports to other
OS's exist for those that cannot do without those platforms, but at the risk
of more attack surface*. Delphinusdnsd chroots and privseps on all platforms,
so a bug in the network-facing process does not directly hand an attacker
root (a mitigation that limits the damage of an exploit, not a guarantee
against one).

Usually CVS HEAD is for OpenBSD and the other ports are not guaranteed to
compile until shortly before release time, when testing for these platforms
occurs.

Use the tool "dig" that comes with bind9 to debug Delphinusdns. If you like
to program, you can fork Delphinusdns and make your own creation, or you can
send patches to the author, who may merge them into the code. The current
contact mail address is petphi@delphinusdns.org.

* https://en.wikipedia.org/wiki/Attack_surface


3. INSTALL HINTS
----------------

To install, type ./configure on your platform. This copies the proper
Makefile for your platform into place for the top level, dddctl and
delphinusdnsd. Then type make, followed by su'ing to root and make install.
Delphinusdnsd installs to /usr/local/sbin.

By default the configuration file is not installed; you need to do this
manually. Also by default the config file is expected at
/etc/delphinusdns/delphinusdns.conf; this can be changed with the -f option
to delphinusdnsd.

Sample config files ship with the sources. example7.conf was a real life
config once.

3.1 Linux
---------

In Linux MINT you need to apt-get install build-essential.

## install the development programs you'll need (as root)
$ apt-get install make bison cvs gcc libssl-dev libbsd-dev
## configure the platform
$ ./configure
## add a privsep user with a chroot directory (option -m) (as root)
$ useradd -m _ddd
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd



3.2 FreeBSD
-----------

## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ vipw
## or
$ pw user add _ddd -m
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


3.3 OpenBSD
-----------

## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ useradd -m _ddd
## or
$ adduser
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


3.4 NetBSD
----------

The tests for this were done on NetBSD 8.1

## create paths needed
$ mkdir -p /usr/local/sbin /usr/local/man/man/man5 /usr/local/man/man/man8 /usr/local/man/man/html5/ /usr/local/man/man/html8
## install libressl from pkgsrc
$ cd /usr/pkgsrc/security/libressl && make install
## add libressl to the ld.so search path (this only applies to the current
## shell and the processes it starts; the environment that later starts
## delphinusdnsd needs the library path as well)
$ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/pkg/libressl/lib
## configure the platform
$ ./configure
## add a privsep user with a chroot directory (as root)
$ useradd -m _ddd
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


3.5 Mac OS X
------------

Mac OS X port has been dropped in version 1.1.0. If anyone wants to revive
it they can send patches for the Makefile.


4. COMPATIBILITY
----------------

------------------+--------------------+---------------------+
Operating System  | makes and compiles | responds to queries |
------------------+--------------------+---------------------+
FreeBSD 12.2      | yes                | yes                 |
------------------+--------------------+---------------------+
NetBSD 9.1        | yes                | yes                 |
------------------+--------------------+---------------------+
OpenBSD 6.8       | yes                | yes                 |
------------------+--------------------+---------------------+
Linux*            | yes                | yes                 |
------------------+--------------------+---------------------+

* Devuan and OpenSuse were tested for version 1.3.0
** Mac OS X support has been dropped in version 1.1.0


5. EXAMPLES
-----------

In the directory "examples" are a few examples from working configs. The
author uses example8.conf often to test functionality and compatibility
on any platform.

6. DNSSEC
---------

DNSSEC adds hostmaster commitment. You will have to re-sign your zone at
periodic intervals, before the signatures expire. This can be automated
though.

6.1 Signing your zone with dddctl sign
--------------------------------------

The very first time you'll want to create ZSK and KSK keys. They are the
zone signing key and key signing key respectively. Every DNSSEC zone has at
least one of each. To create them with dddctl sign, use the -Z and -K
options. Here is an example:

dddctl sign -Z -K -i centroid.eu -n centroid.eu -o centroid.eu.signed

This creates the keys and signs the zone file 'centroid.eu' (-i) with the
zone name centroid.eu (-n). No trailing dots are needed. The output will be
called centroid.eu.signed and the keys will be created and look like this:

alpha$ ls K*
Kcentroid.eu.+008+04815.key Kcentroid.eu.+008+40405.key
Kcentroid.eu.+008+04815.private Kcentroid.eu.+008+40405.private

This is the file naming format of the dnssec-keygen utility from BIND, and
it is simple:

K for key, centroid.eu. for the zone name, +008 for the algorithm (8,
RSASHA256, in this example; with the current default of ECDSAP256SHA256,
see #6.5, you will get +013) and lastly the key tag, which identifies the
key.

Keep these keys in a private place and only pull them out when you are going
to re-sign the zone, as shown in #6.2. The .private files are the secret
halves. The K*.key files say inside which key is the ZSK and which is the
KSK.

6.2 re-signing with existing keys
---------------------------------

In order to do the monthly re-signing you must know which key is the ZSK and
which is the KSK. The K*.key files will tell you which is which.

dddctl sign -z Kcentroid.eu.+008+04815 -k Kcentroid.eu.+008+40405 \
        -i centroid.eu -n centroid.eu -o centroid.eu.signed

Note, this will overwrite any existing centroid.eu.signed file.
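
Section 6 says the periodic re-signing can be automated, and the step that
is easy to get wrong in a cron job is swapping -z and -k. The script below
is an added example, not part of delphinusdns or dddctl: it reads the
DNSKEY flags field from each K<zone>.+<alg>+<tag>.key file (256 = ZSK,
257 = KSK with the SEP bit set, per RFC 4034) and prints the dddctl sign
command from #6.2, refusing to print anything unless exactly one ZSK and
one KSK are present. It assumes the .key files carry a BIND style DNSKEY
record ("<zone>. IN DNSKEY <flags> 3 <alg> <base64>"), as #6.1 says they are
dnssec-keygen compatible. The key files it writes for the demo are
constructed samples with placeholder data, not real keys, and the script
never reads the .private files.

```shell
#!/bin/sh
# Added example, not part of delphinusdns or dddctl: find the ZSK and KSK in
# a key directory and print the dddctl re-sign command from section 6.2.
# Assumption: each K<zone>.+<alg>+<tag>.key file holds a BIND style DNSKEY
# record ("<zone>. IN DNSKEY <flags> 3 <alg> <base64>"). Flags 256 = ZSK,
# 257 = KSK (SEP bit set), per RFC 4034.

# key_role FILE -> prints ZSK, KSK or unknown (comment lines start with ';')
key_role() {
    flags=$(awk '/^;/ { next }
                 { for (i = 1; i <= NF; i++)
                       if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1")
    case "$flags" in
        256) echo ZSK ;;
        257) echo KSK ;;
        *)   echo unknown ;;
    esac
}

# resign_cmd ZONE KEYDIR ZONEFILE -> prints the command line, or returns 1
# without printing one unless exactly one ZSK and one KSK are present, so a
# directory holding stale or extra keys is never signed with the wrong pair.
resign_cmd() {
    zone=$1; keydir=$2; zonefile=$3
    zsk=; ksk=; nzsk=0; nksk=0
    for f in "$keydir"/K"$zone".+*.key; do
        [ -f "$f" ] || continue
        base=${f%.key}; base=${base##*/}
        case $(key_role "$f") in
            ZSK) zsk=$base; nzsk=$((nzsk + 1)) ;;
            KSK) ksk=$base; nksk=$((nksk + 1)) ;;
        esac
    done
    if [ "$nzsk" -ne 1 ] || [ "$nksk" -ne 1 ]; then
        echo "resign_cmd: $zone: need exactly 1 ZSK and 1 KSK, found $nzsk ZSK and $nksk KSK" >&2
        return 1
    fi
    # dddctl gets the key base names, so run the printed command from the
    # key directory, as the README example does
    printf 'dddctl sign -z %s -k %s -i %s -n %s -o %s.signed\n' \
        "$zsk" "$ksk" "$zonefile" "$zone" "$zone"
}

# Constructed sample key directory using the two key names from the README.
# The DNSKEY data is placeholder text, not real key material.
make_sample_keys() {
    dir=$(mktemp -d)
    printf '%s\n' '; This is a zone-signing key, keyid 4815, for centroid.eu.' \
        'centroid.eu. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDzskPLACEHOLDER=' \
        > "$dir/Kcentroid.eu.+008+04815.key"
    printf '%s\n' '; This is a key-signing key, keyid 40405, for centroid.eu.' \
        'centroid.eu. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDkskPLACEHOLDER=' \
        > "$dir/Kcentroid.eu.+008+40405.key"
    echo "$dir"
}

# Stand-alone run: sh resign.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_keys)
    resign_cmd centroid.eu "$d" centroid.eu
    rm -rf "$d"
fi
```

With real keys, call resign_cmd with the directory you keep the K* files
in and the zone file name you pass to -i; once you trust the output, the
printf can be replaced by running dddctl directly, and the .signed file
copied into the include your config uses.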


6.3 What to do with the .signed file
------------------------------------

Install the .signed file as your zone. I personally use include's in my
config file so that this is easy to manage. Then set the 'dnssec' option and
restart delphinusdnsd. Your zone will validate once the parent zone carries
a DS record for your KSK, so upload the KSK to your registrar. They'll likely
want the DNSKEY, and in some cases they grab it themselves over the insecure
channel; my registrar joker.com did this. Other than that dddctl sign creates
a dsset-centroid.eu. file which has the uploadable DS records in it.

It's up to you to upload the DS or the DNSKEY (from which the DS is derived)
to your registrar and from there to your parent zone. Before relying on
validation, check with dig that the parent's nameservers return a DS for
your zone that matches the dsset file.


6.4 How can I sub-delegate a zone with DNSSEC
---------------------------------------------

This was recently fixed. When delegating to a signed child zone be sure to
copy back its DS file (the dsset-zone. file). It is in RFC 1035 master file
(BIND) format, so you'll most likely have to convert it to delphinusdnsd
format. Then re-sign the parent zone with the DS record in it and publish
the delegation (restart delphinusdnsd). That should be all. Here is an
example zone entry for ip6.centroid.eu:

ip6.centroid.eu,ds,86400,35905,13,2,"CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE448626995044"



6.5 What algorithms are supported with dddctl sign
--------------------------------------------------

Currently only 4 algorithms are supported: RSASHA1-NSEC3-SHA1 (algorithm 7),
RSASHA256 (algorithm 8), RSASHA512 (algorithm 10) and ECDSAP256SHA256
(algorithm 13), which is now the default. Because delphinusdnsd cannot roll
a zone from one algorithm to another (see #7), choose carefully up front:
RFC 8624 lists 8 and 13 as MUST for signing and 7 and 10 as NOT RECOMMENDED,
and 7 additionally rests on SHA-1.


6.6 What happened to dd-convert
-------------------------------

The BIND-reliant dd-convert.rb has been replaced with a native C program,
dddctl.c, which is what is used now.


7. WHAT IT CAN'T DO
-------------------

* DNSSEC algorithm rollover. Maybe for version 1.5.0 or higher. Please pick
  a good strong algorithm, it may take years until this is fixed.