Date:
Sat Aug 1 09:01:52 2020 UTC
Message:
Move extended RCODEs out of the RCODE section; those are only 0x00 through 0x0F. Make a section that shows extended RCODEs that are added to an EDNS0 tag.
$Id: README,v 1.47 2020/07/29 05:34:50 pjp Exp $

1. README
1.1 AUTHOR(S)
2. WHY DELPHINUSDNS?
3. INSTALL HINTS
3.1 Linux
3.2 FreeBSD
3.3 OpenBSD
3.4 NetBSD
3.5 Mac OS X
4. COMPATIBILITY
5. EXAMPLES
6. DNSSEC
6.1 Signing your zone with dddctl sign
6.2 re-signing with existing keys
6.3 What to do with the .signed file
6.4 How can I sub-delegate a zone with DNSSEC
6.5 What algorithms are supported with dddctl sign
6.6 What happened to dd-convert
7. WHAT IT CAN'T DO


1. README
---------

Delphinusdns is a small authoritative nameserver. It does not recurse nor
search. Since version 1.5.0 it can forward queries (even with TSIG security).
This program is released under a BSD-style license. BSD's tree(3) red-black
tree macros are used for the main in-memory database. A project
website exists at https://delphinusdns.org. It may happen that in
documentation other domains such as "centroid.eu" are used. These belong
to the author and, with this notice, shouldn't cause confusion.

1.1 AUTHOR
----------

So far it's just me, Peter J. Philipp <petphi@delphinusdns.org>. I have
had some patches from other people from the east and some people from the
west. Sound advice came from people in #dns at irc.freenode.net.


2. WHY DELPHINUSDNS?
-------------------

DNS is simple. Yet, implementing a DNS server is not so simple.
DelphinusDNS is written for research into the DNS system so that perhaps one
day the author has a better understanding of it. Delphinusdnsd is developed
on OpenBSD; because of pledge(2) and other security mitigations there, it is
recommended that serious delphinusdnsd users also use OpenBSD. Ports to
other OSes exist for those that cannot do without those platforms, but at
the risk of more attack surface*. Delphinusdnsd chroots and uses privilege
separation on all platforms, meaning that a direct root exploit is not
possible.

Usually CVS HEAD is for OpenBSD, and the other ports are not guaranteed to
compile until shortly before release time, when testing occurs for these
platforms.

Use the tool "dig" that comes with bind9 to debug Delphinusdns. If you like to
program, then you can fork Delphinusdns and make your own creation, or you
can send patches to the author, who may implement them into the code. The
current contact mail address is petphi@delphinusdns.org.

* https://en.wikipedia.org/wiki/Attack_surface

3. INSTALL HINTS
----------------

To install, type ./configure on your platform. This will copy the proper
Makefile to ./Makefile, for both dddctl and delphinusdnsd. Then you would type
make, followed by su'ing and make install. Delphinusdnsd installs to
/usr/local/sbin.

By default the configuration file is not installed; you need to do this
manually. Also by default the config file is expected at
/etc/delphinusdns/delphinusdns.conf; this can be changed with the -f
option of delphinusdnsd.

A sample config file exists with the sources. example7.conf was a real-life
config once.

3.1 Linux
---------

On Linux Mint you need to apt-get install build-essential.

## configure the platform
$ ./configure
## this will install the development programs you'll need (as root)
$ apt-get install make bison cvs gcc libssl-dev libbsd-dev
## add a privsep user with a chroot directory (option -m) (as root)
$ useradd -m _ddd
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


3.2 FreeBSD
-----------

## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ vipw
## or
$ pw user add _ddd -m
## install libressl from ports or pkg
$ cd /usr/ports/security/libressl
$ make install
## make the program
$ cd delphinusdnsd
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


3.3 OpenBSD
-----------

## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ useradd -m _ddd
## or
$ adduser
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd

3.4 NetBSD
----------

The tests for this were done on NetBSD 8.1.

## create paths needed
$ mkdir -p /usr/local/sbin /usr/local/man/man/man5 /usr/local/man/man/man8 /usr/local/man/man/html5/ /usr/local/man/man/html8
## install libressl from pkgsrc
$ cd /usr/pkgsrc/security/libressl && make install
## add libressl to ld.so search path
$ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/pkg/libressl/lib
## configure the platform
$ ./configure
## add a privsep user with a chroot directory (as root)
$ useradd -m _ddd
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd

3.5 Mac OS X
------------

The Mac OS X port has been dropped in version 1.1.0. If anyone wants to revive
it they can send patches for the Makefile.


4. COMPATIBILITY
----------------

------------------+--------------------+---------------------+
Operating System  | makes and compiles | responds to queries |
------------------+--------------------+---------------------+
FreeBSD 11.4      | yes                | yes                 |
------------------+--------------------+---------------------+
NetBSD 9.0        | yes                | yes                 |
------------------+--------------------+---------------------+
OpenBSD 6.7       | yes                | yes                 |
------------------+--------------------+---------------------+
Linux*            | yes                | yes                 |
------------------+--------------------+---------------------+

* Devuan and OpenSuse were tested for version 1.3.0
** Mac OS X support has been dropped in version 1.1.0

5. EXAMPLES
-----------

In the directory "examples" are a few examples from working configs. The
author uses example8.conf often to test functionality and compatibility
on any platform.

6. DNSSEC
---------

DNSSEC adds hostmaster commitment: you will have to re-sign your zone at
periodic intervals. This can be automated though.

6.1 Signing your zone with dddctl sign
--------------------------------------

The very first time you'll want to create ZSK and KSK keys. They are the
zone signing and key signing keys respectively. Every DNSSEC zone has at
least one of these. To create these with dddctl sign I use the -Z and -K
options. Here is an example:

dddctl sign -Z -K -i centroid.eu -n centroid.eu -o centroid.eu.signed

What this does is create the keys and sign the zone 'centroid.eu' with
the zonename centroid.eu. No trailing dots are needed. The output will be
called centroid.eu.signed and the keys will be created and look like this:

alpha$ ls K*
Kcentroid.eu.+008+04815.key      Kcentroid.eu.+008+40405.key
Kcentroid.eu.+008+04815.private  Kcentroid.eu.+008+40405.private

This output format is compatible with BIND's dnssec-keygen utility, and the
format is simple:

K for key, centroid.eu. for the zone name, +008 for the algorithm used (in
this case it's RSASHA256) and lastly a unique identifier for the key.

Keep these keys in a private place and only pull them out when you are going
to re-sign the zone, as shown in #6.2. The K* files should say inside which
is the ZSK and which is the KSK.

6.2 re-signing with existing keys
---------------------------------

In order to do the monthly re-signing you must know which key is the ZSK and
which is the KSK. The K*.key files will tell you which is the ZSK and which
is the KSK.

dddctl sign -z Kcentroid.eu.+008+04815 -k Kcentroid.eu.+008+40405 \
    -i centroid.eu -n centroid.eu -o centroid.eu.signed

Note, this will overwrite any existing centroid.eu.signed file.
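As an added illustration of sections 6.1 and 6.2 (not code from delphinusdnsd or its author), this Python parses the dnssec-keygen style K* file names, reads the ZSK/KSK role from the DNSKEY flags inside each .key file, and assembles the dddctl sign re-sign command. The sample .key contents are constructed and truncated, and the algorithm table is the one listed in section 6.5.

```python
import re
# Algorithm numbers dddctl sign supports, from section 6.5 of this README.
ALGORITHMS = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}
# dnssec-keygen naming scheme: K<zone>.+<alg>+<keyid>.key (or .private)
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.(key|private)$")

def parse_keyfile_name(name: str) -> tuple:
    """Split a K* file name into (zone, algorithm number, key id)."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError(f"not a dnssec-keygen style file name: {name}")
    alg = int(m["alg"])
    if alg not in ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not supported by dddctl sign")
    return m["zone"], alg, int(m["keyid"])

def key_role(keyfile_text: str) -> str:
    """'KSK' or 'ZSK' from the DNSKEY flags field inside a .key file:
    bit 0x100 is the Zone Key flag, bit 0x1 the SEP flag that marks a KSK."""
    for line in keyfile_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue  # skip ';' comments and unrelated lines
        flags = int(fields[fields.index("DNSKEY") + 1])
        if not flags & 0x100:
            raise ValueError("DNSKEY record without the Zone Key flag")
        return "KSK" if flags & 0x1 else "ZSK"
    raise ValueError("no DNSKEY record found in key file")

def resign_command(keys: dict) -> str:
    """Build the section 6.2 re-sign command from {file name: .key file text}.
    Exactly one ZSK and one KSK, both for the same zone, are required."""
    by_role = {}
    for name, text in keys.items():
        zone, alg, keyid = parse_keyfile_name(name)
        role = key_role(text)
        if role in by_role:
            raise ValueError(f"more than one {role} given")
        # -z/-k take the file name without its .key/.private suffix
        by_role[role] = (zone, f"K{zone}.+{alg:03d}+{keyid:05d}")
    if set(by_role) != {"ZSK", "KSK"} or by_role["ZSK"][0] != by_role["KSK"][0]:
        raise ValueError("need one ZSK and one KSK for the same zone")
    zone = by_role["ZSK"][0]
    return (f"dddctl sign -z {by_role['ZSK'][1]} -k {by_role['KSK'][1]} "
            f"-i {zone} -n {zone} -o {zone}.signed")

SAMPLE_KEYS = {  # constructed sample .key files (key data truncated); not real keys
    "Kcentroid.eu.+008+04815.key": "centroid.eu. IN DNSKEY 256 3 8 AwEAAeXaMpLeZsK...\n",
    "Kcentroid.eu.+008+40405.key": "; key-signing key\ncentroid.eu. IN DNSKEY 257 3 8 AwEAAeXaMpLeKsK...\n",
}
```

Running resign_command(SAMPLE_KEYS) yields exactly the command shown above for section 6.2; swapping the two keys, or passing a key for another zone, raises instead of silently signing with the wrong key.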


6.3 What to do with the .signed file
------------------------------------

Install the .signed file as your zone. I personally use includes in my
config file so that this is managed easily. Then restart delphinusdnsd after
setting the 'dnssec' option. Your zone should talk DNSSEC after you upload
the KSK to your registrar. They'll likely want the DNSKEY and in some cases
grab it themselves over the insecure channel. My registrar joker.com did
this. Other than that, dddctl sign creates a dsset-centroid.eu. file which
has the uploadable DS records in it.

It's up to you to upload DS or DNSKEY (from which DS records can be derived)
to your registrar and from there to your parent zone.


6.4 How can I sub-delegate a zone with DNSSEC
---------------------------------------------

This was recently fixed. When delegating to a signed zone, be sure to copy
back the DS file (the dsset-zone. file); it is in RFC1034/BIND format, so
you'll most likely have to convert it to delphinusdnsd format. You then
sign over this and publish the delegation (restart delphinusdnsd). That
should be all. Here is an example zone entry for ip6.centroid.eu:

ip6.centroid.eu,ds,86400,35905,13,2,"CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE448626995044"
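The conversion section 6.4 describes, from a BIND dsset-<zone>. file to a delphinusdnsd DS entry, as an added Python example that is not part of delphinusdnsd. It assumes the BIND line layout owner [ttl] [IN] DS keytag alg digesttype digest and the delphinusdnsd field order of the entry above, and checks the digest length against the digest type so that a truncated or mistyped DS is rejected before it gets published.

```python
import re

# DS digest type -> hex digest length: 1 SHA-1, 2 SHA-256, 4 SHA-384 (RFC 4034/4509/6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

def bind_ds_to_delphinusdns(line: str, default_ttl: int = 86400) -> str:
    """Convert one RFC1034/BIND style DS record line (as found in a dsset-<zone>. file)
    into the delphinusdnsd zone form  name,ds,ttl,keytag,alg,digesttype,"digest"."""
    fields = line.split(";", 1)[0].split()       # drop any trailing ; comment
    if "DS" not in fields[1:]:
        raise ValueError(f"not a DS record: {line!r}")
    ds_at = fields.index("DS", 1)
    ttl = default_ttl                             # used when the dsset line has no TTL
    for tok in fields[1:ds_at]:                   # optional TTL and/or class "IN"
        if tok.isdigit():
            ttl = int(tok)
        elif tok.upper() != "IN":
            raise ValueError(f"unexpected field {tok!r} before DS")
    try:
        keytag, alg, dtype = (int(x) for x in fields[ds_at + 1:ds_at + 4])
    except ValueError:
        raise ValueError(f"malformed DS rdata: {line!r}") from None
    # BIND prints a long digest as several space-separated chunks; rejoin them.
    digest = "".join(fields[ds_at + 4:]).upper()
    if not 0 <= keytag <= 65535:
        raise ValueError(f"key tag {keytag} out of range")
    if dtype not in DIGEST_HEX_LEN:
        raise ValueError(f"unknown DS digest type {dtype}")
    if len(digest) != DIGEST_HEX_LEN[dtype] or not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError(f"digest does not match digest type {dtype}")
    name = fields[0].rstrip(".")                  # delphinusdnsd names carry no trailing dot
    return f'{name},ds,{ttl},{keytag},{alg},{dtype},"{digest}"'

def convert_dsset(text: str, default_ttl: int = 86400) -> list:
    """Convert every non-empty, non-comment line of a dsset file."""
    return [bind_ds_to_delphinusdns(l, default_ttl)
            for l in text.splitlines() if l.strip() and not l.lstrip().startswith(";")]

# Constructed sample dsset-ip6.centroid.eu. file; the DS values are those of the
# README's example entry above, with the digest split into chunks as BIND prints it.
SAMPLE_DSSET = ("ip6.centroid.eu.\tIN DS 35905 13 2 CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E6 "
                "90EE448626995044\n")

if __name__ == "__main__":
    for entry in convert_dsset(SAMPLE_DSSET):
        print(entry)
```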


6.5 What algorithms are supported with dddctl sign
--------------------------------------------------

Currently only 4 algorithms are supported. There is RSASHA1-NSEC3-SHA1
which has algorithm number 7, there is RSASHA256 which has algorithm 8,
and there is RSASHA512 which has algorithm 10. Finally the ECDSAP256SHA256
algorithm (alg 13), which is now the default, is supported.

6.6 What happened to dd-convert
-------------------------------

The BIND-reliant dd-convert.rb has been replaced with a native C program called
dddctl.c. It is what's being used now.


7. WHAT IT CAN'T DO
-------------------

* DNSSEC algorithm rollover. Maybe for version 1.5.0 or higher. Please pick
  a good strong algorithm; it may take years until this is fixed.