Discussion:
djbdns/dnscache epoll patch, qmerge and dnscurve included
Sami Farin
2010-10-12 18:42:42 UTC
OK, my ISP decided to block ports 1-1023 without prior warning.
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff.sig
That's why I have these funny port numbers.

In this version, the qmerge feature is O(1) instead of O(MAXUDP), though.
qmerge is not enabled for dnscurve queries; I haven't yet thought about
whether it would be easy to support.
A different approach was needed for qmerge support with epoll,
because epoll_wait did not return the fds for merged queries.
If someone wants the O(1) version for non-epoll dnscache, it
should be easy to port.

BTW, what's currently the best option for a dnscurve server?
Are there other than git://github.com/agl/dnscurve.git ?
Would there be need for dnscurve support for tinydns?
Or specifying (hard-coding) keys in dnscache root/servers files?
Or any other extra features in dnscache?
--
Do what you love because life is too short for anything else.
Matthew Dempsky
2010-10-12 19:29:03 UTC
Post by Sami Farin
Are there other than git://github.com/agl/dnscurve.git ?
You'll probably want to use my branch instead:
http://github.com/mdempsky/dnscurve

I haven't hacked on DNSCurve in a while either, but it's at least a
little more up-to-date than Adam's.
Harm van Tilborg
2010-10-12 19:38:06 UTC
Hi Sami,
Post by Sami Farin
BTW, what's currently the best option for a dnscurve server?
Are there other than git://github.com/agl/dnscurve.git ?
Would there be need for dnscurve support for tinydns?
Or specifying (hard-coding) keys in dnscache root/servers files?
Or any other extra features in dnscache?
We will be releasing a forwarding DNSCurve capable name server to the
public in the next week. It is able to forward both DNS and DNSCurve
queries (over UDP and TCP) towards one authoritative name server at
fairly high speed.

I have not done any work on implementing DNSCurve for dnscache. I do
however remember that Matthew Dempsky wrote some (beta) patches for
that. I'm sure he's on the list.

Implementing DNSCurve specifically for tinydns sounds like a cool
adventure. I do not know whether somebody has done anything on that. If
I have some time left, I might dive into that.

I do however have a patch for PowerDNS, making it able to speak DNSCurve
to authoritative name servers on the resolver side. I think I will be
publishing that together with the forwarding name server sometime later.
--
Kind regards,
Harm van Tilborg
Sami Farin
2010-10-12 20:33:22 UTC
Post by Harm van Tilborg
Hi Sami,
Post by Sami Farin
BTW, what's currently the best option for a dnscurve server?
Are there other than git://github.com/agl/dnscurve.git ?
Would there be need for dnscurve support for tinydns?
Or specifying (hard-coding) keys in dnscache root/servers files?
Or any other extra features in dnscache?
We will be releasing a forwarding DNSCurve capable name server to the
Hi Harm,

Good news; will you announce that on this list?
Post by Harm van Tilborg
public in the next week. It is able to forward both DNS and DNSCurve
queries (over UDP and TCP) towards one authoritative name server at
fairly high speed.
So it is a DNS proxy server, not a content server?
Like dnscache?
What do you mean by "towards one authoritative name server"?

Or is it like Matthew's forwarder?
Post by Harm van Tilborg
I have not done any work on implementing DNSCurve for dnscache. I do
however remember that Matthew Dempsky wrote some (beta) patches for
that. I'm sure he's on the list.
As stated in the subject, the patch mentioned in my first email
includes Matthew Dempsky's dnscurve patch and Jeff King's qmerge
patch.
Post by Harm van Tilborg
Implementing DNSCurve specifically for tinydns sounds like a cool
adventure. I do not know whether somebody has done anything on that. If
I have some time left, I might dive into that.
I googled a bit, did not find anything conclusive.
Post by Harm van Tilborg
I do however have a patch for PowerDNS, making it able to speak DNSCurve
to authoritative name servers on the resolver side. I think I will be
publishing that together with the forwarding name server sometime later.
Great. And thank you, Matthew, for the link to the newer version of the
dnscurve forwarder.

--
Harm van Tilborg
2010-10-12 20:46:45 UTC
Hi Sami,
Post by Sami Farin
Good news; will you announce that on this list?
Yep, I will.
Post by Sami Farin
So it is a DNS proxy server, not a content server?
Like dnscache?
What do you mean by "towards one authoritative name server"?
Or is it like Matthew's forwarder?
It works indeed like Matthew's forwarder. It is actually based on it. So
if you want your authoritative name server (running tinydns, PowerDNS,
Microsoft DNS server, MaraDNS, or whatsoever, even BIND) to become
DNSCurve capable, you just have to plug in this forwarding name server
and publish NS records containing respective DNSCurve public keys.
Post by Sami Farin
As stated in the subject, the patch mentioned in my first email
includes Matthew Dempsky's dnscurve patch and Jeff King's qmerge
patch.
When I sent the mail and checked the patch afterwards, I remembered some
of the code ;].
Post by Sami Farin
I googled a bit, did not find anything conclusive.
We'll see :]...
--
Kind regards,
Harm van Tilborg
Sami Farin
2010-10-13 21:06:57 UTC
The qmerge feature with dnscurve was easy to get working right.

diff --git a/CHANGES.safari b/CHANGES.safari
index 2751577..1bcd3e2 100644
--- a/CHANGES.safari
+++ b/CHANGES.safari
@@ -59,3 +59,6 @@ First version
disable, "rm -f dnscache; make dnscache" .
- use static allocation for `records' in query.c.

+20101013
+ - dns_transmit.c: support qmerge for dnscurve queries.
+
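Review bot: the CHANGES entry only records the qmerge-for-dnscurve support, but the merge_equal hunk in dns_transmit.c also drops the `if (a->query == b->query) return 1;` shortcut, which changes when two transmits are considered mergeable; a second line here stating that (and why) would keep the changelog honest.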
diff --git a/dns_transmit.c b/dns_transmit.c
index 56f2dce..d73f1d5 100644
--- a/dns_transmit.c
+++ b/dns_transmit.c
@@ -205,15 +205,25 @@ void dns_enable_merge(void (*f)(const char *, const char *, const char *))
merge_logger = f;
}

+static inline const char* get_domain(struct dns_transmit *d)
+{
+ if (d->keys)
+ return d->name;
+ else
+ return d->query + 14;
+}
+
static uint64 merge_hash(struct dns_transmit *x)
{
uint64 tmp64;
uint32 tmp32;
uint16 qtype;
+ const char *nameptr;

byte_copy(&tmp32, 4, x->servers + 4 * x->curserver);
qtype = x->qtype[0] << 8 | x->qtype[1];
- tmp64 = jhash(x->query + 14, dns_domain_length(x->query + 14), list_seed);
+ nameptr = get_domain(x);
+ tmp64 = jhash(nameptr, dns_domain_length(nameptr), list_seed);
tmp64 <<= 32;
tmp64 |= jhash_3words(tmp32, qtype, (tmp64 >> 32), list_seed2);
return tmp64;
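Review bot: get_domain relies on d->name holding a wire-format (length-prefixed, zero-terminated) name whenever d->keys is set, because both callers feed its result to dns_domain_length and dns_domain_equal, and nothing in this hunk checks d->name against NULL. Suggest a one-line comment above get_domain stating that invariant (where d->name is filled for dnscurve queries), so a future caller that sets keys before name does not hash past the end of the buffer. Minor style point: `const char* get_domain` puts the star on the type while the rest of the file writes `const char *nameptr`.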
@@ -227,13 +237,12 @@ static int merge_equal(struct dns_transmit *a, struct dns_transmit *b)
if (a == b) return 1;
if (!a->query || !b->query) return 0;
if (a->key != b->key) return 0;
- if (a->query == b->query) return 1;
ip2 = b->servers + 4 * b->curserver;
ip1 = a->servers + 4 * a->curserver;

return byte_equal(ip1, 4, ip2) &&
byte_equal(a->qtype, 2, b->qtype) &&
- dns_domain_equal(a->query + 14, b->query + 14);
+ dns_domain_equal(get_domain(a), get_domain(b));
}

struct list_head merges_active_table[MERGE_HASH_SIZE];
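Review bot: the removal of `- if (a->query == b->query) return 1;` is not explained; after it, two transmits sharing a query buffer are compared field by field, which is the safe direction, but if the reason is that dnscurve transmits can share a query buffer while differing in name or key, say so in a comment. Also note that this function keeps the `a->key != b->key` pointer check while get_domain branches on `d->keys`; if those are distinct fields, confirm that two transmits with equal key but different keys state cannot reach dns_domain_equal with one side returning d->name and the other d->query + 14.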
@@ -446,7 +455,7 @@ static int thisudp(struct dns_transmit *d)
if (try_merge(d)) {
merges++;
if (merge_logger)
- merge_logger(ip, d->qtype, d->query + 14);
+ merge_logger(ip, d->qtype, get_domain(d));
return 0;
}

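Review bot: with this change a dnscurve query can now join an existing merge, and the only guard that the merged answer is usable by both transmits is merge_equal's key comparison in the previous hunk. A short comment at the try_merge call noting that merged dnscurve transmits must share the same key, and therefore decrypt the same response, would help the next reader; the merge_logger call itself is fine, since get_domain returns the clear-text name either way.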

--
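To make the merge keying concrete, here is an added, self-contained C model of the query-merging idea discussed in this thread (constant-time lookup of an outstanding query by server address, qtype and name, with the name taken from a separate field for DNSCurve queries). It is example code written for this page, not Sami's patch or djbdns code; the struct, the FNV hash, the bucket table and the sample addresses and names are all constructed stand-ins, and the `query + 14` offset assumes djbdns's layout of a 2-byte length prefix followed by the 12-byte DNS header.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MERGE_HASH_SIZE 64

/* Constructed stand-in for the few fields of struct dns_transmit that the
 * merge logic reads (not the real djbdns struct). */
struct transmit {
  const char *query;         /* 2-byte length prefix + 12-byte header + question */
  const char *name;          /* clear-text wire-format name for a DNSCurve query */
  int keys;                  /* nonzero when this transmit is a DNSCurve query */
  unsigned char server[4];   /* IPv4 address of the server the query was sent to */
  unsigned char qtype[2];
  struct transmit *next;     /* chain within a hash bucket */
};

/* Length of a wire-format name including the terminating root label. */
unsigned int dns_domain_length(const char *dn) {
  const char *x = dn;
  unsigned char c;
  while ((c = (unsigned char)*x++) != 0) x += c;
  return (unsigned int)(x - dn);
}

/* Case-insensitive comparison of two wire-format names. */
int dns_domain_equal(const char *a, const char *b) {
  unsigned int len = dns_domain_length(a), i;
  if (len != dns_domain_length(b)) return 0;
  for (i = 0; i < len; i++)
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
  return 1;
}

/* DNSCurve queries carry an encrypted packet, so the clear-text name lives
 * in a separate field; plain queries read it from the question section. */
const char *get_domain(const struct transmit *d) {
  return d->keys ? d->name : d->query + 14;
}

/* FNV-1a over the bytes; lowercasing keeps the hash consistent with
 * dns_domain_equal (label-length bytes are below 64, so tolower leaves them). */
static unsigned long fnv_bytes(unsigned long h, const unsigned char *p,
                               unsigned int n, int lower) {
  while (n--) {
    unsigned char c = lower ? (unsigned char)tolower(*p) : *p;
    p++;
    h = (h ^ c) * 16777619UL;
  }
  return h;
}

unsigned long merge_hash(const struct transmit *x) {
  const char *n = get_domain(x);
  unsigned long h = 2166136261UL;
  h = fnv_bytes(h, x->server, 4, 0);
  h = fnv_bytes(h, x->qtype, 2, 0);
  return fnv_bytes(h, (const unsigned char *)n, dns_domain_length(n), 1);
}

int merge_equal(const struct transmit *a, const struct transmit *b) {
  if (a == b) return 1;
  if (!a->query || !b->query) return 0;
  if (a->keys != b->keys) return 0;   /* never merge a DNSCurve query with a plain one */
  return memcmp(a->server, b->server, 4) == 0 &&
         memcmp(a->qtype, b->qtype, 2) == 0 &&
         dns_domain_equal(get_domain(a), get_domain(b));
}

static struct transmit *buckets[MERGE_HASH_SIZE];

/* Returns 1 if an equal query is already in flight (the caller should wait
 * for that answer instead of sending); otherwise records d and returns 0. */
int try_merge(struct transmit *d) {
  unsigned long b = merge_hash(d) % MERGE_HASH_SIZE;
  struct transmit *t;
  for (t = buckets[b]; t; t = t->next)
    if (merge_equal(t, d)) return 1;
  d->next = buckets[b];
  buckets[b] = d;
  return 0;
}

void merge_table_reset(void) { memset(buckets, 0, sizeof buckets); }

/* Build a minimal query buffer in the assumed layout: 2-byte length prefix,
 * 12-byte header with qdcount = 1, then the wire-format name. */
static void build_query(char *buf, const char *wirename) {
  memset(buf, 0, 14);
  buf[7] = 1;
  memcpy(buf + 14, wirename, dns_domain_length(wirename));
}

/* Constructed sample: three plain A queries (two equal up to case) and two
 * DNSCurve queries whose clear-text name sits in t->name. Returns the number
 * of queries that merged into an outstanding one (expected: 2). */
int demo(void) {
  static char q[5][64];
  static const unsigned char srv[4] = {192, 0, 2, 53};   /* TEST-NET-1 address */
  struct transmit t[5];
  int i, merged = 0;
  merge_table_reset();
  memset(t, 0, sizeof t);
  build_query(q[0], "\3www\7example\3com");
  build_query(q[1], "\3WWW\7Example\3COM");   /* same name, different case */
  build_query(q[2], "\3www\7example\3org");
  build_query(q[3], "\4blob");                 /* ciphertext stand-in, not the name */
  build_query(q[4], "\4blob");
  for (i = 0; i < 5; i++) { memcpy(t[i].server, srv, 4); t[i].qtype[1] = 1; t[i].query = q[i]; }
  t[3].keys = t[4].keys = 1;
  t[3].name = t[4].name = "\3www\7example\3com";
  for (i = 0; i < 5; i++) merged += try_merge(&t[i]);
  return merged;
}

int main(void) {
  printf("merged %d of 5 queries\n", demo());
  return 0;
}
```

Besides saving upstream traffic, keeping a single outstanding query per (server, qtype, name) removes the multiple-outstanding-queries condition that birthday-style spoofing of a resolver depends on, which is why the keys mismatch check matters: a plain-DNS answer must never satisfy a waiting DNSCurve transmit.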
Sami Farin
2010-10-19 08:30:32 UTC
Seems I haven't mentioned what license the patch is released under,
but now that it includes GPL code (list and rbtree), the patch is
GPL v2, too.

Remember to check out the latest versions:
djbdns-1.05-epoll-latest.diff
CHANGES-epoll.txt

--

Brandon Black
2010-10-14 00:02:40 UTC
Post by Sami Farin
BTW, what's currently the best option for a dnscurve server?
Are there other than git://github.com/agl/dnscurve.git ?
Would there be need for dnscurve support for tinydns?
http://gdnsd.googlecode.com - the dev version here has native
authoritative DNSCurve support in C, with client key caching, FYI. I
haven't had a chance to work on it in a while, but even the dev
version is fairly stable (plugin API aside).

-- Brandon
Mark Johnson
2010-10-19 04:05:06 UTC
Post by Sami Farin
OK, my ISP decided to block ports 1-1023 without prior warning.
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff.sig
That's why I have these funny port numbers.
I take it from the GPL license text in the diff that your patch is GPL v2?