It's wonderful that it's not too hot, I was able to code a little for two hours today. I made a patch to implement (without testing) the ED25519 algorithm (15) for signing. However my main workstation is sleeping and I'm not home so I can't commit it just yet. I might just test it first before committing as well. Much thanks to the LibreSSL project for making this API available! While I was there I removed algorithm 7 (RSA-SHA1-NSEC3), so what this means is that if you use dddctl to sign with algorithm 7 you will have to change the algorithm at 1.8 release time. What I'm doing is switching off alg 13 from my test zone some time this weekend and then give algorithm 15 to it. Hope it works without much fiddling around.
I have done so twice already in the past at a project called prototypefund.de. I applied there in 2018 for the fifth round of funding (delphinusdnsd 1.3), once in 2020 for the 9th round of funding (delphinusdnsd 1.5/1.6). And now again for the 14th round of funding. Both times I had applied I got turned down. I'm gonna try one more time, also because it is my last year alone in 2024 to be working on version 1.9 delphinusdnsd. What I would plan for this release, if I get funding I'd work towards (signed) DNS Updates.
So August 1st is the first day to apply for the funding and put forth my idea. If I get funding, it may propel delphinusdnsd into version 2.x with me. If not I may call it quits after December 2024.
Delphinusdnsd started under another name in 2005 and has been open source from day one. Back then it was at SourceForge, in between I took it to my own CVSweb, and then latest I use github.com to share this creation. I'm very proud of this server software, and it helped me through some odd times in life (writing it). It is a genuine German project having been written in Frankfurt (2005) and Schweinfurt (after 2007). What do you think? Does the world need another authoritative nameserver? Does the world need a German DNS server? Does Germany need a project where DNS talent resides? Things that make you go hmm. So far in Europe there are only four projects that I can think of right now that do DNS. PowerDNS and NLnet Labs in the Netherlands, Knot DNS in the Czech Republic and Yadifa which was written at EURid (possibly in Spain). I've always filled a niche with delphinusdnsd; it is unlike any other DNS server software I've seen. I trust its design a great deal. Anyhow... more on this later.
On April 28th I gave the green light for -current again. That was nearly 20 days ago. I've been running delphinusdnsd since the 29th of April without restart:

    _ddd 96881 0.0 4.8 58768 49252 ?? Spc 29Apr23 0:36.12 \
        delphinusdnsd -f /var/delphinusdnsd/etc/delphinusdns.conf \
        -s /var/run/delphinusdnsd.sock

I have done changes perhaps three times since that start. What I'm noticing is that there is perhaps a memory leak that I introduced with changing the databases. I'll have to look into that in the future.
I haven't touched the code in a few weeks so I'm gonna take up on that soon again. Last I was working on a patch to get statistics working, but it was error prone and I need to improve it. After that I'm gonna start working on a new algorithm in dddctl with Ed25519 perhaps.
The EU's Cyber Resilience Act is said to harm open source developers. Like me. What are we dealing with here and why can't I vote someone who makes these acts legal out of office? I can, but who do I vote for? Will I make an impact with my vote? I've been writing open source for a very long time. Since the 90's at least. Some of the stuff though is not offered anymore and you can't find it. I've stuck to delphinusdnsd, working on it like a second job during my time at Enhancedvoip.net. In the mornings I'd write on delphinusdnsd and in the afternoons I'd do my job for 6 hours a day. More was not allowed by the doctors, and it matched the Eastern American time zone working from 2PM until 8PM. Some time later I worked full time on delphinusdnsd while looking for work. I applied for government grants via the prototype fund during this time as well. I did not get that money but they always wished me good luck for the future (thanks!). Now, currently I'm writing sparingly, delphinusdnsd has become a serious hobby. But where exactly does it stand? Can I share the code even? I'm a hobby programmer. This should be answered and clarified, and there needs to be unbiased discussion what Open Source really is to the voting population.
Normally I don't say this here, but since I used pod.delphinusdns.org in an example, I'd just like to say I've retired the server as a nameserver and will likely turn it off permanently (delete the instance) come Friday or Saturday. The replacement is a new arm64 VPS called superpod.delphinusdns.org. It is almost as fast but has twice the memory which made it appealing to me.
I just committed some code to fix the issue I reported on April 23rd. I don't see the symptoms anymore now. If you do decide to go with delphinusdnsd-current please keep an eye on the database for corruption.
I tested this out today and there are some problems with AXFRs still. What I had done was a forest-wide update (4 zones) a few days ago and then did one update to the delphinusdns.org zone and noticed centroid.eu lost its DNSSEC zonedata. This is the symptom. I'll be looking for the cause soon. One working newer but old version was from April 1st (84c26f8). Use that if you have to have stability. When I find time next week I'll look into this.
For a friend who wants to run delphinusdnsd on FreeBSD I tested this out in 10 minutes. FreeBSD compiles delphinusdnsd with some warnings but it links. Also checking whether TCP and UDP work (with the drill program) worked.
So I just put the commits for mimmutable(2) into delphinusdnsd. This means that you MUST be at version 7.3 or on -current (snapshots). In order to run it on a version below 7.3 you have to edit the code and #if 0 (deaden) the mimmutable() code. The benefits outdo the drawbacks here. It's a great security addition.
Please, if you run below 1.7.3 it's time to upgrade. 1.7.3 and master branch have the fix as of today. A few weeks ago my Amsterdam VPS did an AXFR. What was weird about this AXFR was that it was blank, but it went through. This caused my nameserver to die. I can't rule out that someone MITM'ed the transfer. It was highly odd. So last night I had the idea and this morning and afternoon I implemented custom code to see if my hypothesis was right. It was correct, the replicant's AXFR did not check whether the answer even had any TSIGs in it. In a MITM the TSIGs could have been removed and new or replaced records could have been put in, it would have passed it. Now then, the fix is that we require a TSIG to be seen if we use TSIG authentication. Also if there is trailing data after the TSIG this constitutes an error. On the master branch the fix has signature e5a3d3828452127df428a47c77f8b3a8a4722451 and on the STABLE_1_7 branch it has signature a798b07e20065050c6178ae69f0fdd3e3899d199. Feel free to use either one. Though the master branch has some new code, it hasn't seen much production use yet. So, the sure-shot use should be the 1.7.3 release.
I found the vulnerability, but was I the first one ever? The mind boggles.
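
The two structural rules from the fix described above (a TSIG must be present when TSIG authentication is in use, and nothing may follow it) can be sketched as a standalone check. This is an added example, not delphinusdnsd's code: the function names, return codes and sample message are assumptions, and it checks one DNS message only, without verifying the TSIG MAC.

```c
#include <stddef.h>
#include <stdint.h>
#define T_TSIG 250 /* TSIG RR type */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Skip one wire-format name; return the offset after it, or 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;              /* root label ends the name */
        if ((l & 0xC0) == 0xC0)                  /* compression pointer, 2 bytes */
            return off + 2 <= len ? off + 2 : 0;
        if (l & 0xC0) return 0;                  /* reserved label type */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* 0 = ok, -1 = malformed, -2 = TSIG required but not the last RR,
 * -3 = bytes left over after the last RR. Does NOT verify the MAC. */
int tsig_envelope_check(const uint8_t *m, size_t len, int tsig_required)
{
    if (len < 12) return -1;
    unsigned qd = rd16(m + 4), ar = rd16(m + 10), last_type = 0;
    unsigned long rrs = (unsigned long)rd16(m + 6) + rd16(m + 8) + ar;
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {          /* question: name, type, class */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 4) return -1;
        off += 4;
    }
    for (unsigned long i = 0; i < rrs; i++) {    /* RR: name + 10 fixed bytes + RDATA */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10) return -1;
        last_type = rd16(m + off);
        size_t rdlen = rd16(m + off + 8);
        off += 10;
        if (rdlen > len - off) return -1;
        off += rdlen;
    }
    if (tsig_required && (ar == 0 || last_type != T_TSIG)) return -2;
    return off == len ? 0 : -3;
}

/* Constructed sample: one A record, then a TSIG RR with empty RDATA (structure only). */
static const uint8_t sample[] = { 0x12,0x34, 0x84,0x00, 0,0, 0,1, 0,0, 0,1,
    1,'a',0, 0,1, 0,1, 0,0,0,0, 0,4, 192,0,2,1,
    1,'k',0, 0,250, 0,255, 0,0,0,0, 0,0 };

int main(void) { return tsig_envelope_check(sample, sizeof sample, 1) != 0; }
```

A message that passes this check still has to pass MAC verification; the check only makes sure a stripped or padded answer is rejected before that step instead of being accepted by default.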