DelphinusDNS Blog

(the latest about delphinusdnsd)

Previous Page

Fixed bug that was introduced April 11, 2020

April 27th, 2020

Tomorrows snapshot should have the fix. It affected signing with dddctl only. It wasn't easy to find the location of code, but eventually I found it.


Tomorrows snapshot will have new feature

April 23rd, 2020

I have just committed this new feature, tcp-on-any-only, from commitlog:

Add the tcp-on-any-only flag to options.  This replies with a TC (truncate) on
any non-tcp request, causing determined clients to retry in TCP mode.  It is
long overdue to have this option, and the fix was very simple to do.
Basically I'm throwing more TC's in the UDP way of resolving. It will force some to retry with TCP.

1 comment

DNS, my history (in short form)

April 8th, 2020

Everyone uses DNS when they use the Internet, so I have been using DNS since 1994. But I used DNS on Open Source Operating Systems since Autumn 1995 (where I installed Linux while being in College).

At work starting in Autumn 1997 I was confronted working my first DNS server. It was BIND4 I believe. This prompted me to get my first DNS book which I still have today "DNS and BIND - Paul Albitz and Cricket Liu". A very helpful book, but at edition 3 it is outdated today.

The first DNS server i wrote was wildcarddnsd the predecessor of delphinusdnsd (in name only, same codebase). I started this in 2005, the first 15 years have passed.

In 2015 I first experimented with DNSSEC. The concept is super simple if you understand simple cryptography, but to me it was a learning curve. And this is my history (in short form) of using and implementing DNS.


Regarding the rollover tests

April 7th, 2020

I have been talking a bit with DNS folks and they said it's probably best to go insecure and then secure again if an algorithm needs to be rolled. Sucks I know. There is recursive dns software that can't follow an alg rollover. So I'm planning on taking my zones insecure so that I can give them a new algorithm. When that will be I don't know yet.


Important News that shouldn't be missed

April 2nd, 2020

I just put this on the news.html:

Development is ongoing. You should know that a delphinusdnsd before 
the month of April (that includes 1.4.1) cannot do a double-signature 
key rollover, even if the master is PowerDNS or similar, due to a bug 
with RRSIG's that was fixed on April 1st. If you don't plan on doing 
a key rollover until next year then go ahead with 1.4.1 otherwise use 
a snapshot.
I thought it was worthy of stressing this.


Double-Signature Rollover Test

April 2nd, 2020

As you may know I attempted this yesterday and the code wasn't ready. So now it's in Progress. The test zone is called "" which is a test zone of mine that I got on a reduced deal with years ago. I got this domain for 10 years at the time. It's paying off now. I'm trying to roll the ZSK from alg 10 to alg 13 as well. So this should be interesting.

1 comment

Upgraded delphinusdnsd on the nameservers

April 1st, 2020

The nameservers are the servers hosting DNS for I have taken them to todays snapshot on rhombus and trapezoid. What my intention is is to check the double signature dnskey rotation method. I'll likely be using domain name which is my test zone. If you're looking for progress you may want to follow its history on which has now a history again. So you'll be seeing progress. I don't think I'm going to start today, but I might.


Delphinusdnsd replicant for Microsoft DNS server with AD

March 10th, 2020

I just tried out if Microsoft DNS Server is compatible with delphinusdnsd and it seems it is. While there I unearthed and fixed a segfault condition when someone doesn't specify a tsigkey in an rzone entry. Here is a sample rzone entry that I used against the MS DNS Server.

rzone "" {
        ;tsigkey "NOKEY";
        masterport 53;
        zonename "";
        filename "/etc/delphinusdns/replicant/";
Notice that in delphinusdnsd version 1.4.x, the tsigkey is a MUST or you'll get a segfault. After 1.5.x it will be optional. I don't want to backpatch this, so please keep this in mind.

The Microsoft DNS server serves a small Active Directory zone and all default values are supported with delphinusdnsd. This surprised me and I love it!


A signing script

March 10th, 2020

Here is a signing script I constructed over the last few months.


TODAY=`date +"%Y%m%d01"`
SERIAL=`dddctl query -Q127.0.0.1 soa $DOMAIN | grep -v '^;;' | awk -F, \
'{print $6}'`
SIGN_ARG1="-x $SERIAL -k K${DOMAIN}.+008+48082 -z K${DOMAIN}.+008+57861  \
-i $DOMAIN  -n $DOMAIN -o ${DOMAIN}.signed"
SIGN_ARG2="-X -k K${DOMAIN}.+008+48082 -z K${DOMAIN}.+008+57861  \
-i ${DOMAIN}  -n ${DOMAIN} -o ${DOMAIN}.signed"

echo signing for $DOMAIN ...

if [ $SERIAL -ge $TODAY ]; then
	SERIAL=`expr $SERIAL + 1`
	dddctl sign ${SIGN_ARG1}
	dddctl sign ${SIGN_ARG2}
echo checking result for domain $DOMAIN ...

dddctl configtest ${DOMAIN}.signed
if [ $? -ne 0 -o -z ${DOMAIN}.signed ]; then
	echo something is wrong with configtest, exit.. 1>&2
	exit 1

dddctl bindfile ${DOMAIN} ${DOMAIN}.signed > ${DOMAIN}.bindfile
if [ $? -ne 0 ]; then
	echo something is wrong with bindfile, exit.. 1>&2
	exit 1

ldns-verify-zone ${DOMAIN}.bindfile
if [ $? -ne 0 ]; then
	echo something is wrong with ldns-verify-zone, exit.. 1>&2
	exit 1

echo cleaning up
rm -f ${DOMAIN}.bindfile

echo copying zonefiles to /etc/delphinusdns/
cp ${DOMAIN}* /etc/delphinusdns/

echo now all you need to do is a dddctl configtest and reload

exit 0
I ran this one once and it unearthed a bug with notifies on a timezone. I'll try to address that bug today. Enjoy the script!


Regress files fixed

March 6th, 2020

In 1.4.1 the regress hierarchy may be broken. I never checked this before release time. In fact I know it is because starting a zone without SOA and NS records will exit the daemon, afaik. I just corrected this in case anyone is using this (the regress only works on OpenBSD), while taking out mention of which as an old domain name of mine that isn't in my possession anymore.


Next Page


RSS Feed

Click here for RSS

On this day in

Other links

Have feedback?

By clicking on the header of an article you will be served a cookie. If you do not agree to this do not click on the header. Thanks!

Using a text-based webbrowser?

... such as lynx? Welcome back it's working again for the time being.

Older Blog Entries

Powered by BCHS