1. README 1.1 AUTHOR(S) 2. WHY DELPHINUSDNS? 3. INSTALL HINTS 3.1 Linux 3.2 FreeBSD 3.3 OpenBSD 3.4 NetBSD 3.5 Mac OS X 4. COMPATIBILITY 5. EXAMPLES 6. DNSSEC 6.1 Signing your zone with dddctl sign 6.2 re-signing with existing keys 6.3 What to do with the .signed file 6.4 How can I sub-delegate a zone with DNSSEC 6.5 What algorithms are supported with dddctl sign 6.6 What happened to dd-convert 7. WHAT IT CAN'T DO 1. README --------- Delphinusdns is a small authoritative nameserver. It does not recurse nor search. Since version 1.5.0 it does forward (with TSIG security even). This program is written to a BSD Style License. BSD's tree(3) Red Black btree macros are used for the main in-memory database. A project website exists at https://delphinusdns.org. It may happen that in documentation other domains such as "centroid.eu" are used. These belong to the author and shouldn't cause confusion, with this notice. 1.1 AUTHOR ---------- So far it's just me, Peter J. Philipp . I have had some patches from other people from the east and some people from the west. Sound advice came from people in #dns at irc.freenode.net. 2. WHY DELPHINUSDNS? ------------------- DNS is simple. Yet, implementation of DNS servers is not so simple. DelphinusDNS is written for research into the DNS system so that perhaps one day the author has a better understanding of it. Delphinusdnsd is developed on OpenBSD, due to pledge(2) and other security mitigations, it is recommended that serious delphinusdnsd users also use OpenBSD. Ports to other OS's exist for those that cannot do without those platforms, but at the risk of more attack surface*. Delphinusdnsd chroots and privseps on all platforms, meaning that a direct root exploit is not possible. Usually the master branch is for OpenBSD and the other ports are not guaranteed to compile until shortly before release time, when testing occurs for these platforms. Use the tool "dig" that comes with bind9 to debug Delphinusdns. If you like to program, then you can fork Delphinusdns and make your own creation, or you can send patches to the author who may implement them into the code. The current contact mail address is petphi@delphinusdns.org. * https://en.wikipedia.org/wiki/Attack_surface 3. INSTALL HINTS ---------------- To install, type ./configure on your platform. This will copy the proper Makefile to ./Makefile and dddctl and delphinusdnsd. Then you would type make, followed by su'ing and make install. Delphinusdnsd installs to /usr/local/sbin. By default installation the configuration file is not installed you need to do this manually. Also by default the config file is specified as /etc/delphinusdns/delphinusdns.conf this can be changed by adding the -f option to delphinusdnsd. A sample config file exists with the sources. example7.conf was a real life config once. 3.1 Linux --------- In Linux MINT you need to apt-get install build-essential. ## configure the platform $ ./configure ## this will install the development programs you'll need (as root) $ apt-get install make bison cvs gcc libssl-dev libbsd-dev ## add a privsep user with a chroot directory (option -m) (as root) $ useradd -m _ddd ## make the program $ make ## install the binary (as root) $ make install ## done, create a config file and start delphinusdnsd 3.2 FreeBSD ----------- ## configure the platform $ ./configure ## add a privsep user (_ddd) with a chroot directory (as root) $ vipw ## or $ pw user add _ddd -m ## make the program $ make ## install the binary (as root) $ make install ## done, create a config file and start delphinusdnsd 3.3 OpenBSD ----------- ## configure the platform $ ./configure ## add a privsep user (_ddd) with a chroot directory (as root) $ useradd -m _ddd ## or $ adduser ## make the program $ make ## install the binary (as root) $ make install ## done, create a config file and start delphinusdnsd 3.4 NetBSD ---------- The tests for this were done on NetBSD 8.1 ## create paths needed $ mkdir -p /usr/local/sbin /usr/local/man/man/man5 /usr/local/man/man/man8 /usr/local/man/man/html5/ /usr/local/man/man/html8 ## install libressl from pkgsrc $ cd /usr/pkgsrc/security/libressl && make install ## add libressl to ld.so search path $ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/pkg/libressl/lib ## configure the platform $ ./configure ## add a privsep user with a chroot directory (as root) $ useradd -m _ddd ## make the program $ make ## install the binary (as root) $ make install ## done, create a config file and start delphinusdnsd 3.5 Mac OS X ------------ Mac OS X port has been dropped in version 1.1.0. If anyone wants to revive it they can send patches for the Makefile. 4. COMPATIBILITY ---------------- ------------------+--------------------+---------------------+ Operating System | makes and compiles | responds to queries | ------------------+--------------------+---------------------+ FreeBSD 12.2 | yes | yes | ------------------+--------------------+---------------------+ NetBSD 9.1 | yes | yes | ------------------+--------------------+---------------------+ OpenBSD 6.8 | yes | yes | ------------------+--------------------+---------------------+ Linux* | yes | yes | ------------------+--------------------+---------------------+ * Devuan and OpenSuse were tested for version 1.3.0 ** Mac OS X support has been dropped in version 1.1.0 5. EXAMPLES ----------- in the directory "examples" are a few examples from working configs. The author uses example8.conf often to test functionality and compatibility on any platform. 6. DNSSEC --------- DNSSEC is added hostmaster commitment. You will have to re-sign your zone at periodic intervals. This can be automated though. 6.1 Signing your zone with dddctl sign -------------------------------------- The very first time you'll want to create ZSK and KSK keys. They are the zone signing and key signing keys respectively. Every DNSSEC zone has at least one of these. To create these with dddctl sign I use -Z and -K options. Here is an example: dddctl sign -Z -K -i centroid.eu -n centroid.eu -o centroid.eu.signed What this does is it creates the keys and signs the zone 'centroid.eu' with the zonename centroid.eu. No trailing dots are needed. The output will be called centroid.eu.signed and the keys will be created and look like this: alpha$ ls K* Kcentroid.eu.+008+04815.key Kcentroid.eu.+008+40405.key Kcentroid.eu.+008+04815.private Kcentroid.eu.+008+40405.private This is a compatible output format of dnssec-keygen utility from BIND and format is simple: K for key, centroid.eu. for the zone name, +008 for the algorithm used in this case it's rsasha256 and lastly a unique identifier for the key. Keep these keys in a private place and only pull them out when you are going to re-sign the zone, as shown in #6.2. The K* files should say inside which is the ZSK and which is the KSK. 6.2 re-signing with existing keys --------------------------------- In order to do the monthly re-signing you must know which key is the ZSK and which is the KSK. The K*.key files will tell you which is the ZSK and which is the KSK. dddctl sign -z Kcentroid.eu.+008+04815 -k Kcentroid.eu.+008+40405 \ -i centroid.eu -n centroid.eu -o centroid.eu.signed Note, this will overwrite any centroid.eu.signed file. 6.3 What to do with the .signed file ------------------------------------ Install the .signed file as your zone. I personally use include's in my configfile so that this is managed easy. Then restart delphinusdnsd after setting the 'dnssec' option. Your zone should talk DNSSEC, after you upload the KSK to your registrar. They'll likely want the DNSKEY and in some cases grab it themselves over the insecure channel. My registrar joker.com did this. Other than that dddctl sign creates a dsset-centroid.eu. file which has the uploadable DS keys in it. It's up to you to upload DS or DNSKEY (which can derive DS keys) to your registrar and from there to your parent zone. 6.4 How can I sub-delegate a zone with DNSSEC --------------------------------------------- This was recently fixed. When delegating to a signed zone be sure to copy back the DS file (dsset-zone. file), it is in RFC1034/BIND format so you'll have to convert it to delphinusdnsd format most likely. You then sign over this and publish the delegation (restart delphinusdnsd). That should be all. Here is an example zone entry for ip6.centroid.eu: ip6.centroid.eu,ds,86400,35905,13,2,"CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE448626995044" 6.5 What algorithms are supported with dddctl sign -------------------------------------------------- Currently only 4 algorithms are supported. There is RSASHA1-NSEC3-SHA1 which has algorithm 7, there is RSASHA256 which has algorithm 8, and there is RSASHA512 which has algorithm 10. Finally the ECDSAP256SHA256 algorithm (alg 13) (is now default), is supported. 6.6 What happened to dd-convert ------------------------------- The BIND-reliant dd-convert.rb has been replaced with a native C program called dddctl.c. It is what's being used now. 7. WHAT IT CAN'T DO ------------------- * DNSSEC algorithm rollover. Maybe for version 1.5.0 or higher. Please pick a good strong algorithm, it may take years until this is fixed.