Discussion:
gdnsd DNSCurve update
Brandon Black
2010-06-17 01:15:02 UTC
Just a status update on gdnsd's authoritative DNSCurve branch. I
won't repeat it all here, you can click over to the posting in the
gdnsd group:

http://groups.google.com/group/gdnsd/browse_thread/thread/82ca2bf987d15c28

Thanks,
-- Brandon
Jason 'XenoPhage' Frisvold
2010-06-17 20:46:11 UTC
Post by Brandon Black
Just a status update on gdnsd's authoritative DNSCurve branch. I
won't repeat it all here, you can click over to the posting in the
http://groups.google.com/group/gdnsd/browse_thread/thread/82ca2bf987d15c28
Forgive my ignorance, but is gdnsd some sort of djb fork? Or is it a
completely different product with DNSCurve support? I'm interested in
DNSCurve, but I'm not aware of a djbdns implementation at this point..
Post by Brandon Black
Thanks,
-- Brandon
- --
- ---------------------------
Jason 'XenoPhage' Frisvold
***@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
Brandon Black
2010-06-17 22:19:29 UTC
On Thu, Jun 17, 2010 at 3:46 PM, Jason 'XenoPhage' Frisvold
Forgive my ignorance, but is gdnsd some sort of djb fork?  Or is it a
completely different product with DNSCurve support?  I'm interested in
DNSCurve, but I'm not aware of a djbdns implementation at this point..
No, gdnsd is not a djb fork. It's an original, separate codebase
licensed under the terms of the GPLv3. It's also *only* an
authoritative server (i.e. it does the role of djb's "tinydns", but
not "dnscache"). The project originated in early 2007 as something I
wrote on Logitech's time because the department I worked for needed it
(long story, and this email is already going to be longer than you
want to read), and we decided to GPL it at the time because that was
the norm in that department, and because Logitech didn't have any
broader interest in a DNS server as a commercial software product of
any kind.

I'm still a full-time employee of Logitech, but the department I
worked for then doesn't exist anymore, and regardless said department
had mostly lost any commercial interest in spending time on further
improvements to the codebase sometime back in 2008. Since then I've
been maintaining it publicly as a side project on my own.

It doesn't have a lot in common with djbdns in terms of implementation
details (e.g. it uses RFC 1035 zonefiles, it uses pthreads, it uses the
GNU autotools for a build system, etc). On the other hand, I myself
am a long-time djb and djbdns fan, and I agree with a lot of his
perspective on the DNS, and his writings on the subject were
certainly influential during the development of gdnsd.

Like Dan and many others, I'm not a believer in DNSSEC, and I think
DNSCurve is a viable alternative route to solving some of the DNS's
security problems. As far as that goes, we need all the
interoperating implementations we can get if there's to be any hope of
DNSCurve getting any broader adoption. So far it looks like gdnsd
will probably be the first to release a production-quality native
implementation in an authoritative DNS server (at least, that I've
heard of), but I hope it's not the last.

On the recursive cache side of things we've got Matthew's patches to
djb's dnscache as well as George Barwood's GbDns server that I'm aware
of, and whatever OpenDNS is running in production (I haven't really
tried to look, but it may in fact be the patched dnscache for all I
know).

-- Brandon
Jason 'XenoPhage' Frisvold
2010-06-18 01:39:42 UTC
Post by Brandon Black
No, gdnsd is not a djb fork. It's an original, separate codebase
licensed under the terms of the GPLv3. It's also *only* an
authoritative server (i.e. it does the role of djb's "tinydns", but
not "dnscache"). The project originated in early 2007 as something I
wrote on Logitech's time because the department I worked for needed it
(long story, and this email is already going to be longer than you
want to read), and we decided to GPL it at the time because that was
the norm in that department, and because Logitech didn't have any
broader interest in a DNS server as a commercial software product of
any kind.
Ah.. ok.. I seem to remember seeing something about this a few months back.. Excellent..
Post by Brandon Black
Like Dan and many others, I'm not a believer in DNSSEC, and I think
DNSCurve is a viable alternative route to solving some of the DNS's
security problems. As far as that goes, we need all the
interoperating implementations we can get if there's to be any hope of
DNSCurve getting any broader adoption. So far it looks like gdnsd
will probably be the first to release a production-quality native
implementation in an authoritative DNS server (at least, that I've
heard of), but I hope it's not the last.
I am, myself, still quite skeptical of DNSSEC as well. At the very least, it seems like an awful lot of effort for such little payoff. Though, I will admit to being somewhat naive about both DNSSEC and DNSCurve. As much as I try, I still have not found the time to dig into either.
Post by Brandon Black
On the recursive cache side of things we've got Matthew's patches to
djb's dnscache as well as George Barwood's GbDns server that I'm aware
of, and whatever OpenDNS is running in production (I haven't really
tried to look, but it may in fact be the patched dnscache for all I
know).
I thought OpenDNS had already put DNSCurve into production?
Post by Brandon Black
-- Brandon
As an aside, are others getting bouncebacks from Amazon and Paypal when you post to this list?

- ---------------------------
Jason 'XenoPhage' Frisvold
***@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
Brandon Black
2010-06-18 04:21:17 UTC
On Thu, Jun 17, 2010 at 8:39 PM, Jason 'XenoPhage' Frisvold
Post by Jason 'XenoPhage' Frisvold
I thought OpenDNS had already put DNSCurve into production?
They have. Perhaps my wording was unclear: I'm just not sure exactly
what code they're using for it in production. But it is running, and
it does interoperate with gdnsd.
Post by Jason 'XenoPhage' Frisvold
As an aside, are others getting bouncebacks from Amazon and Paypal when you post to this list?
Yes, like clockwork.

-- Brandon
Schwarz
2010-09-06 14:34:00 UTC
Hello everyone,

I have a small problem understanding why tiny is answering with an
unwanted record,
and please, no flames about CNAMEs. It's a customer's record. That's life
;)

This is our zone (domain name changed, but reachable for tests):

@tinydnstestzone.org::tinydnstestzone.org:::
&tinydnstestzone.org::ns4.nsentry.de::
.tinydnstestzone.org::ns3.nsentry.de::
C*.tinydnstestzone.org:tinydnstestzone.org::
+tinydnstestzone.org:212.162.12.1::
.ima.tinydnstestzone.org::ns3.nsentry.de::
Cima.tinydnstestzone.org:fiction.externaldomain.org::
Cwww.ima.tinydnstestzone.org:fiction.externaldomain.org::
C*.ima.tinydnstestzone.org:fiction.externaldomain.org::
&ima.tinydnstestzone.org::ns4.nsentry.de::
@ima.tinydnstestzone.org:212.162.12.2:mail1.ima.tinydnstestzone.org:::

In fact it's a main zone with a subdomain as an additional zone,
"ima.tinydnstestzone.org", which is the zone
we worry about.

Please excuse that I don't use dnsq; I like the output of dig :)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root]# dig mx @ns3.nsentry.de ima.tinydnstestzone.org

; <<>> DiG 9.3.4 <<>> mx @ns3.nsentry.de ima.tinydnstestzone.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4794
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;ima.tinydnstestzone.org. IN MX

;; ANSWER SECTION:
ima.tinydnstestzone.org. 86400 IN CNAME fiction.externaldomain.org.
ima.tinydnstestzone.org. 86400 IN MX 0 mail1.ima.tinydnstestzone.org.

;; AUTHORITY SECTION:
ima.tinydnstestzone.org. 259200 IN NS ns3.nsentry.de.
ima.tinydnstestzone.org. 259200 IN NS ns4.nsentry.de.

;; ADDITIONAL SECTION:
mail1.ima.tinydnstestzone.org. 86400 IN A 212.162.12.2
ns3.nsentry.de. 86400 IN A 212.162.15.6
ns4.nsentry.de. 86400 IN A 213.203.243.76

;; Query time: 2 msec
;; SERVER: 212.162.15.6#53(212.162.15.6)
;; WHEN: Mon Sep 6 15:11:01 2010
;; MSG SIZE rcvd: 194
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As you can see, in addition to the wanted and logical answer:

ima.tinydnstestzone.org. 86400 IN MX 0 mail1.ima.tinydnstestzone.org.
mail1.ima.tinydnstestzone.org. 86400 IN A 212.162.12.2

there is this CNAME:

ima.tinydnstestzone.org. 86400 IN CNAME fiction.externaldomain.org.


a)

The question is now, why is the CNAME in the answer?

If it's the wildcard *. CNAME, it shouldn't be answered because the IN
MX target is
fully defined as an IN A.

IMHO, the CNAME record is wrong and shouldn't be given out.


b) Is there a known patch for it?



best regards,
M. Schwarz
Brandon Black
2010-09-07 12:42:03 UTC
Casting aside whether or not how djbdns handles the situation is
technically a bug or not, your data is illegal to begin with. Per
the RFCs, a CNAME cannot co-exist with any other RR at the same name.
A CNAME RR, for example, cannot exist at the same name as A, MX, or
any other RRs. This also automatically implies you can never have a
CNAME at the root level of a zone (because it cannot co-exist with the
necessary NS and SOA records).

Also: "." entries define a locally authoritative zone root (SOA, NS,
and the A record corresponding to the NS name), while "&" entries are
used to define nameservers for subzone delegations to other servers.
In both the ima subzone and the parent zone, you seem to be using "&"
to define the second nameserver name for an authoritative zone.

http://cr.yp.to/djbdns/tinydns-data.html

-- Brandon
David Nicol
2010-09-07 14:08:22 UTC
Post by Brandon Black
Casting aside whether or not how djbdns handles the situation is
technically a bug or not, your data is illegal to begin with.  Per
I'll posit that the bug is that tinydns failed to reject the OP's data
file without issuing an instructive error message or warning.

Paul Jarc
2010-09-07 13:25:27 UTC
A CNAME can't coexist with other records for the same name. A CNAME
doesn't just stand in for an A record; it stands in for all records.


paul
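The two objections raised in this thread, Brandon's (a CNAME cannot share an owner name with any other RR, so never at a zone apex where SOA and NS live, and "." versus "&" lines mean different things) and Paul's (a CNAME stands in for all records at that name), can be checked mechanically before tinydns-data ever compiles the file, which is the warning David Nicol wishes tinydns had issued. The following linter is an added example, written for this thread; it is not code from djbdns, gdnsd or any of the posters. It reads the tinydns-data lines exactly as M. Schwarz posted them, maps each line to the RR types the tinydns-data documentation says it creates at its owner name, and reports (a) owner names where a CNAME coexists with other RRs and (b) owner names declared with both "." and "&" lines. Wildcard owners are kept literal and tinydns's runtime wildcard matching is not simulated.

```python
#!/usr/bin/env python3
"""Lint a tinydns-data file for CNAME coexistence and mixed '.'/'&' lines.

Added example, not code from djbdns, gdnsd or any poster in the thread.
Only the record types a data line implies at its owner name are modelled.
"""
from collections import defaultdict

# Leading character of a tinydns-data line -> RR types created at the owner
# name, per http://cr.yp.to/djbdns/tinydns-data.html.
IMPLIED = {
    ".": ("SOA", "NS"),   # authoritative zone root: SOA + NS
    "&": ("NS",),         # delegation: NS only, no SOA
    "@": ("MX",),
    "C": ("CNAME",),
    "+": ("A",),
    "=": ("A",),          # the PTR it also creates lives at another owner
    "'": ("TXT",),
    "^": ("PTR",),
    "Z": ("SOA",),
}

# The zone data exactly as posted by M. Schwarz (names already changed by him).
SAMPLE_DATA = """\
@tinydnstestzone.org::tinydnstestzone.org:::
&tinydnstestzone.org::ns4.nsentry.de::
.tinydnstestzone.org::ns3.nsentry.de::
C*.tinydnstestzone.org:tinydnstestzone.org::
+tinydnstestzone.org:212.162.12.1::
.ima.tinydnstestzone.org::ns3.nsentry.de::
Cima.tinydnstestzone.org:fiction.externaldomain.org::
Cwww.ima.tinydnstestzone.org:fiction.externaldomain.org::
C*.ima.tinydnstestzone.org:fiction.externaldomain.org::
&ima.tinydnstestzone.org::ns4.nsentry.de::
@ima.tinydnstestzone.org:212.162.12.2:mail1.ima.tinydnstestzone.org:::
"""


def _norm(name):
    """Canonical owner name: lower case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_data(text):
    """Return (owner -> set of RR types, owner -> set of line kinds seen)."""
    rrtypes = defaultdict(set)
    kinds = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in IMPLIED:
            continue  # blank lines, '#' comments, generic ':' records
        kind, fields = line[0], line[1:].split(":")
        owner = _norm(fields[0])
        rrtypes[owner].update(IMPLIED[kind])
        kinds[owner].add(kind)
        # '.', '&' and '@' also create an A record for the host in field x
        # when an IP is given; a dotless x is expanded as the docs describe.
        if kind in ".&@" and len(fields) > 2 and fields[1] and fields[2]:
            target = _norm(fields[2])
            if "." not in target:
                target = f"{target}.{'mx' if kind == '@' else 'ns'}.{owner}"
            rrtypes[target].add("A")
    return rrtypes, kinds


def find_cname_conflicts(text):
    """Owner names holding a CNAME next to any other RR type."""
    rrtypes, _ = parse_data(text)
    return {
        owner: sorted(t for t in types if t != "CNAME")
        for owner, types in rrtypes.items()
        if "CNAME" in types and len(types) > 1
    }


def find_mixed_ns_lines(text):
    """Owner names declared with both '.' (zone root) and '&' (delegation)."""
    _, kinds = parse_data(text)
    return sorted(o for o, k in kinds.items() if "." in k and "&" in k)


if __name__ == "__main__":
    for owner, others in find_cname_conflicts(SAMPLE_DATA).items():
        print(f"CNAME at {owner} conflicts with {', '.join(others)}")
    for owner in find_mixed_ns_lines(SAMPLE_DATA):
        print(f"{owner}: both '.' and '&' lines present")
```

Run against the posted data, the linter reports that the CNAME at ima.tinydnstestzone.org collides with MX, NS and SOA, which is exactly why the MX answer in the dig output arrives alongside a CNAME, and that both tinydnstestzone.org and ima.tinydnstestzone.org mix "." and "&" lines. The wildcard C*.ima line is not the culprit: the explicit Cima line is.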