DelphinusDNS Blog

(the latest about delphinusdnsd)


Delphinusdnsd listed at the DNS Institute

July 29th, 2020

While googling I came across the DNS Institute, a site that offers consulting regarding DNS. They listed delphinusdnsd as an authoritative server. Thank you for the exposure! Perhaps pretty soon they'll have to also list delphinusdnsd as a simple forwarder, as well. *smile*. I don't know exactly who is behind this website but I'm grateful they mentioned my work.


Mid-Summer 2020 work coming to an end

July 29th, 2020

Well I had a pretty good spurt this summer. It was nice that this summer wasn't all too warm. Here is a graphic that I got from the insights at github:

Here is a list of things from the CHANGES file in the repo:

  • added a "cortex" process for IPC between the processes
  • added a forwarding mode (with cache)
  • changed the config file version from 9 back to 1
  • changed how a question gets parsed (build_question()), hoping to get more security out of this
  • in dddctl query allow a class to be specified (-c)
  • added RP, HINFO and CAA RR support in all areas except dddctl query
  • added extra security measure to prevent DNS poisoning by AXFR
  • add a SOA constraint on rzones to constrain SOA refresh/retry/expire values; by default these are 60/60/60
  • terminology changes blacklist->blocklist, whitelist->passlist, anything_slave() to anything_ddd(), to keep with the times

I'm going to focus on other things for the month of August and will tidy up things in September for the October or November release (it all depends on when OpenBSD 6.8 gets released). Overall I'm satisfied with the way things are going this year.


CVSweb's last straw

July 28th, 2020

I have removed the CVSweb CGI program from the website. The last straw that broke the camel's back was that it stopped displaying what's in the STABLE_1_4 branch that I committed for the upcoming 1.4.3 release that features backpatches for reliability and security. So this puts me in a weird position. I won't have CVSweb (the last feature that I needed it for, like I said, broke) anymore and the CVS repo has its days counted. The 1.5.0 release will likely be tagged on got/git, and branched so the changes will show up in the github and gotweb online repos. Everyone needs to see their history!


Tomorrow's snapshot should disallow AXFR poisoning

July 26th, 2020

In this article by DJB he talks about AXFR Poisoning. When you have a replicant that gets a zone from another master, it was possible before this patch to poison extra RR's into the entire database. It's amazing how other DNS servers are similar to mine in this regard. I never had to worry much since I controlled replicant and master, but recently I started replicating for someone else and it opened my eyes to the security aspect of this. Thanks goes to Ricardo Santos for his part in making me think about these security scenarios.

Another thing that's fixed tonight is a hangup attack which would leave an RAXFR'ed zone unparseable, killing the server. I believe this patch from this afternoon would fix this. I have thought about other scenarios where someone could hurt me too. One other one is when they manipulate SOA values to values that hurt the operation of a replicant, such as the undefined value of 0 for a refresh. I'm gonna work on that tomorrow and it will be addressed next week. For now the zone poisoning and hangup problems have been dealt with and will be available in tomorrow's snapshots.

Considering the ease of fixing these I may backpatch these into the 1.4 stable branch and roll another 1.4 release. I think that's fair but it will take a few days.
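The two replicant-side checks this post talks about, sketched in C as an added example that is not delphinusdnsd's own code: dropping transferred RRs whose owner name lies outside the zone being replicated (one reading of the poisoning fix, assumed here) and raising SOA timers that a master set too low. The function names, the uncompressed wire-format input, the constructed sample names and the use of 60 as a floor are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define SOA_FLOOR 60  /* assumed minimum, taken from the 60/60/60 defaults in CHANGES */
struct soa_timers { uint32_t refresh, retry, expire; };

/* Constructed samples: length-prefixed labels, the literal's NUL is the root label. */
static const uint8_t ZONE[]     = "\7example\3com";
static const uint8_t IN_WWW[]   = "\3www\7EXAMPLE\3com";   /* in zone, mixed case */
static const uint8_t OUT_GLUE[] = "\3www\6victim\3net";    /* another zone entirely */
static const uint8_t OUT_LOOK[] = "\013evilexample\3com";  /* suffix match, wrong label */
static struct soa_timers HOSTILE = { 0, 30, 86400 };       /* refresh 0 from the master */

static uint8_t fold(uint8_t c) { return (c >= 'A' && c <= 'Z') ? (uint8_t)(c + 32) : c; }

/* Length of a wire-format name including the root label; 0 if malformed or truncated. */
static size_t wire_len(const uint8_t *n, size_t max)
{
    size_t i = 0;
    while (i < max && i < 255) {
        if (n[i] == 0) return i + 1;
        if (n[i] > 63) return 0;       /* compression pointers are not accepted here */
        i += (size_t)n[i] + 1;
    }
    return 0;
}

/* 1 if owner is the zone apex or below it, compared label-wise and case-insensitively. */
int name_in_zone(const uint8_t *owner, size_t omax, const uint8_t *zone, size_t zmax)
{
    size_t ol = wire_len(owner, omax), zl = wire_len(zone, zmax), i = 0, j;
    if (ol == 0 || zl == 0 || ol < zl) return 0;
    while (ol - i > zl)                /* strip leading labels of the owner */
        i += (size_t)owner[i] + 1;
    if (ol - i != zl) return 0;        /* zone name does not start on a label boundary */
    for (j = 0; j < zl; j++)
        if (fold(owner[i + j]) != fold(zone[j])) return 0;
    return 1;
}

/* Raise timers set below the floor (e.g. refresh 0); returns how many were changed. */
int soa_constrain(struct soa_timers *t)
{
    uint32_t *f[3] = { &t->refresh, &t->retry, &t->expire };
    int i, n = 0;
    for (i = 0; i < 3; i++)
        if (*f[i] < SOA_FLOOR) { *f[i] = SOA_FLOOR; n++; }
    return n;
}
```

A replicant would call name_in_zone() on every RR of an incoming transfer before it touches the database, and soa_constrain() on the SOA before scheduling the next refresh.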


Added three RR's to authoritative mode

July 24th, 2020

I'm gonna call the two modes by their names "authoritative" or "forwarding". I added CAA, HINFO and RP RR's to the authoritative mode in commit 6f87dc2b46b3cbfb71320f535b34a0bb0734604c. For this I mostly picked another RR as a template and just changed the values. It turned out to work. I had to follow up to this commit with a commit to the sign_caa() function because the algorithm to sort canonical rrsets seems to not be correct in some form or way. I'll be researching this hopefully in August or September (when I find time). Also notice I put https on the gotweb. I'm very sure it will replace the CVSweb in time, so you may as well learn it a little and get used to it if you used my cvsweb to check commits. One positive thing about gotweb/git is that it clumps several files together in one commit so you can see them all at once. A negative thing is that the cvs2gitdump utility doesn't know how to handle tags in branches and discards them so you can't see version 1.4.2 for example (also noticed on github). I do hope that the tag for 1.5.0 will appear in it though as its tagging is on HEAD.


Observed gotcha in the forwarding mode

July 24th, 2020

I put my dns server in forwarding mode on my router on interface cnmac1, this gave it the IP x.x.177.1, but the new code with forwarding seems to have a fallback. A device from interface vlan3 (x.x.199.0/24) could not access the IP x.x.177.1 and DNS ceased working. The workaround is to add vlan3 as an interface and change DHCP to give the DNS server a x.x.199.1 IP. This worked. But I remember thinking that this was not the behaviour before I switched to the raw sockets. Live and learn.


Another repo (gotweb)

July 22nd, 2020

I heard that got has a gotweb interface now. And I had to try it out with my git repo that I convert from CVS (the one that is being pushed to github). I think it looks great! I want to replace cvsweb that I currently use with something possibly more secure (on the web) and gotweb has me impressed. Much like this blog it's running on kcgi.

So the question then arises whether I will dump CVS entirely for got/git. I wouldn't go that far; do note that the tags that I put on the STABLE_1_4 branch do not appear in the git repo, which is a shame. I'm going to be watching got from the sidelines and watching what OpenBSD does in the next year perhaps. In the meanwhile I'm probably going to replace cvsweb with and make the cvsweb private only. Please excuse the non-https; there was a problem with the acme-client or letsencrypt, at least it didn't update. I'll fix this in time after figuring out the error.


In 51 days this blog will be 1 year old

July 22nd, 2020

So far so good. We have 80 articles written by me on this site. That's roughly 7 to 8 articles per month. On September 11th is the anniversary and I plan on celebrating this by turning a feature of the blog software on that allows looking back on that day. There is still too little backlog though to have it make a big impact but it may turn out to be fun!


Applying for funding (with your help?)

July 18th, 2020

Dear Delphinusdns blog reader,

If you haven't heard of the it's a fund in Germany that supports open source. They pay up to 47K EUR to teams.

I am applying to the 9th round (between January and July, 2021) of this prototype fund, on August 1st, for the work of "DNS Updates" in delphinusdnsd. I did apply to the 5th round (2018) before also for delphinusdnsd improvements, but did not secure the grant. I was turned down in November of 2018, and similarly this year I'll find out in November likely if I'll be selected.

This will pretty much be for the entirety of the 1.6.0 release which will be sped up to be done by July, 2021.

So here's my reaching out. If you're German and living in Germany, know how to code in C, and want to help me with this for the work of DNS Updates (with DNSSEC signing) send me an email before August 1st. I'll apply with your name as a team member. Mind the dates I listed above (August 1st, November, January-July 2021) and commit to them. If it doesn't get through November there is no money, and no team. But if we do get selected in November, I need you to commit 6 hours per weekday between January-July 2021.

I think it would be fun! And don't worry, if you do get selected I won't expect you to work on this at the pace that I'm working. In fact I'll give you a related small work first to get to know the delphinusdnsd, before asking you to do heavy lifting. As long as we get the work done by June/July. Let me know if you qualify with an email.


Forwarding is done, what's next?

July 17th, 2020

I allocated the entire month of July for the forwarding work but it seems to be nearing completion. I got stalled on porting it to NetBSD and that will take a few weeks more, so I'm thinking I'll use the momentum I got the first half of this month to implement CAA RR's in the authoritative mode.

This is a lot of work these days because the delphinusdnsd ecosystem has spread over dddctl programs and needs to be checked in several places. I have the entire workweek next week to work on that. It will make a fine addition to the 1.5.0 release. I can't guarantee that I will do much work between August and the release time, I have a lot of job applications to do, as I'm below zero so to speak. But coding on delphinusdnsd keeps my spirits high. I have been applying to companies in the last few weeks but only sparingly.

On with it!

