DelphinusDNS Blog

(the latest about delphinusdnsd)



May 3rd, 2023

Normally I don't say this here, but since I used in an example, I'd just like to say I've retired the server as a nameserver and will likely turn it off permanently (delete the instance) come Friday or Saturday. The replacement is a new arm64 VPS called It is almost as fast but has twice the memory, which made it appealing to me.


I believe I fixed it now

April 28th, 2023

I just committed some code to fix the issue I reported on April 23rd. I don't see the symptoms anymore now. If you do decide to go with delphinusdnsd-current please keep an eye on the database for corruption.


Master branch delphinusdnsd (-current) is currently broken

April 23rd, 2023

I tested this out today and there are some problems with AXFRs still. What I had done was a forest-wide update (4 zones) a few days ago and then did one update to the zone and noticed lost its DNSSEC zonedata. This is the symptom. I'll be looking for the cause soon. One working newer but old version was from April 1st (84c26f8). Use that if you have to have stability. When I find time next week I'll look into this.


FYI - FreeBSD 13.1 can run delphinusdnsd-current

April 19th, 2023

For a friend who wants to run delphinusdnsd on FreeBSD I tested this out in 10 minutes. FreeBSD compiles delphinusdnsd with some warnings but it links. Also checking whether TCP and UDP work (with the drill program) worked.


There is no going back, OpenBSD has advanced

April 18th, 2023

So I just put the commits for mimmutable(2) into delphinusdnsd. This means that you MUST be at version 7.3 or on -current (snapshots). In order to run it on a version below 7.3 you have to edit the code and #if 0 (deaden) the mimmutable() code. The benefits outdo the drawbacks here. It's a great security addition.


A possible MITM attack caused me to find a vulnerability with AXFRs

April 14th, 2023

Please, if you run below 1.7.3 it's time to upgrade. 1.7.3 and master branch have the fix as of today. A few weeks ago my Amsterdam VPS did an AXFR. What was weird about this AXFR was that it was blank, but it went through. This caused my nameserver to die. I can't rule out that someone MITM'ed the transfer. It was highly odd. So last night I had the idea and this morning and afternoon I implemented custom code to see if my hypothesis was right. It was correct: the replicant's AXFR did not check whether the answer even had any TSIGs in it. In a MITM the TSIGs could have been removed and new or replaced records could have been put in, and it would have passed. Now then, the fix is that we require a TSIG to be seen if we use TSIG authentication. Also, if there is trailing data after the TSIG this constitutes an error. On the master branch the fix has signature e5a3d3828452127df428a47c77f8b3a8a4722451 and on the STABLE_1_7 branch it has signature a798b07e20065050c6178ae69f0fdd3e3899d199. Feel free to use either one. Though the master branch has some new code, it hasn't seen much production use yet. So, the sureshot use should be the 1.7.3 release.

I found the vulnerability, but was I the first one ever? The mind boggles.
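
The check described in this entry, sketched for a single response message as an added example (not delphinusdnsd's own code): when TSIG is in use, the message must carry a TSIG record as the last record of the additional section, and nothing may follow it. The function name, error names and sample bytes are made up for illustration; verifying the MAC itself is out of scope here.

```c
#include <stddef.h>
#include <stdint.h>

enum { AXFR_OK = 0, ERR_MALFORMED = -1, ERR_TSIG_MISSING = -2,
       ERR_TSIG_MISPLACED = -3, ERR_TRAILING_DATA = -4 };

/* Constructed sample: AN=1, AR=1; A record; TSIG (empty RDATA); stray byte at [40]. */
static const uint8_t SAMPLE[41] = {
    0x12,0x34, 0x84,0x00, 0,0, 0,1, 0,0, 0,1,  0, 0,1, 0,1, 0,0,0,0, 0,4, 192,0,2,1,
    1,'k',0, 0,250, 0,255, 0,0,0,0, 0,0,  0xFF };

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Step over a (possibly compressed) name; returns the new offset, 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    for (; off < len; off += 1 + (size_t)m[off]) {
        if (m[off] == 0) return off + 1;                          /* root label */
        if (m[off] >= 0xC0) return off + 2 <= len ? off + 2 : 0;  /* pointer */
        if (m[off] >= 0x40) return 0;                             /* reserved type */
    }
    return 0;
}

/* Framing check for one AXFR response message; the MAC is NOT verified here. */
int check_axfr_msg(const uint8_t *m, size_t len, int tsig_required) {
    if (len < 12) return ERR_MALFORMED;
    unsigned qd = rd16(m + 4), ar = rd16(m + 10), rrs = rd16(m + 6) + rd16(m + 8) + ar;
    size_t off = 12;
    int tsig_seen = 0;
    for (unsigned i = 0; i < qd; i++) {            /* question: name, type, class */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 4) return ERR_MALFORMED;
        off += 4;
    }
    for (unsigned i = 0; i < rrs; i++) {           /* answer, authority, additional */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10) return ERR_MALFORMED;
        if (rd16(m + off) == 250) {                /* RR type 250 = TSIG */
            if (ar == 0 || i != rrs - 1) return ERR_TSIG_MISPLACED;
            tsig_seen = 1;
        }
        size_t rdlen = rd16(m + off + 8);
        if (rdlen > len - off - 10) return ERR_MALFORMED;
        off += 10 + rdlen;
    }
    if (off != len) return ERR_TRAILING_DATA;      /* bytes after the last record */
    if (tsig_required && !tsig_seen) return ERR_TSIG_MISSING;
    return AXFR_OK;
}
```

Calling `check_axfr_msg(SAMPLE, 40, 1)` accepts the sample, while passing length 41 (the stray byte included) is rejected as trailing data.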


Please test the new master branch code

April 12th, 2023

The new code achieves an AXFR without needing to restart the replicant. It's probably too early to run it in production, though I'm gonna do it on one nameserver probably. If you have problems with this new code go back to revision 84c26f8ad169706f2633cd573367c13e3de23b4e, which is from the first of April. This one works well and I have it in production. So please test it out first, then consider putting it in production.


Caution (new code) don't run in production

April 10th, 2023

Until I give the word please don't run the newest delphinusdnsd from the github master branch. It will fail if you have more than one zone. With that I'm going to do some more coding, Happy Easter Monday!


The online DNS blogs I read

April 9th, 2023

Happy Easter. Just sitting here reading a bit through Sometimes they have good stories. The stories that I like particularly at this time are:

  1. Analysis of 7.5 trillion dns queries...
  2. DNS4EU plans to onboard 100 million users...
  3. 350 million domain names on earth (of which I have four)...

The circleid blog is more about the business aspect of DNS, in particular registrations, which isn't exactly what I do at But there is the DNS Sexy blog aggregator that I often read. It hasn't updated in 40 odd days right now but there are other informative links from there to (say) the PowerDNS technical blog. This interests me a whole lot. Other than that, Wikipedia is one of my favourite sources of DNS specifics, and of course rfc-editor. On top of that I have a bunch of books on DNS but I haven't bought many books since 2019. I do like hanging out on #dns IRC channels but they are mostly idling these days.


New TODO for 2023

April 8th, 2023

LibreSSL 3.7.2 was released today adding Ed25519 support. This means that I can start adding alg 15 to delphinusdnsd/dddctl. I can also start removing some older algorithms like alg 7, which is not recommended anymore according to RFC 8624 section 3.1. Thanks to all the teams at LibreSSL for this wonderful release!

