Unified IPv6 DNS Security
djbdnscurve6 is a fork of djbdns combining
- IPv6 capabilites based on fehQlibs allowing the use of compactified IPv6 and LLU addresses,
- a CurveDNS secured query/response for dnscache based on NaCl with an adopted Methew Dempsky patch,
- including improvements for CNAME caching, and
- allowing a qualification of DNS Name Servers.
- rbldns supporting IPv6 addresses.
- tinydns using compactified IPv6 addresses within the tinydns-data data file while supporting generic TEXT (SPF) and TLSA records.
- Finally, installation is done according to the slashpackage convention.
The decrypting djbdnscurve6 stub resolver can be used as standard lib for other programs.
While DJBDNS is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provided a full solution.
In order to achieve DNS message encryption on the server side, you need to install Harm von Tilborg's CurveDNS server along-side with Daniel Bernstein's, Tanja Lange's, and Peter Schwabe's NaCl library also available as libsodium.
Architecture of djbdnscurve6
DNS applies a client/server architecture with three different components:
- The DNS stub resolver as part of the application/Operating system.
- The DNS Forwarder or Cache server accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
- Some DNS Name Server -- or Content Server -- hosted inherent or outsourced to other companies.
djbdnscurve6 provides applications and a library to cope with all of those circumstances. In particular, to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).
CurveDNS enabled DNS Cache server/full resolver
This is sketch of the dnscache solution:
- Common support for IPv4 and IPv6.
- Native EDNS0 handling for dnscache for query and response (thanks Peter Conrad).
- Support for IPv6 LLU addresses (sending and receiving).
- Reverse IPv6 Anycast capabilities (automatic binding to new IPv6 addresses and interfaces) - Software Defined Networking (SDN) enabled.
- Dual-stack operation: Serving IPv4 and IPv6 networks with the same DNS daemon instance.
- The current version works well based on libsodium in addition to NaCl on a RasPi.
CurveDNS enabled DNS content server
To benefit from encrypted DNS messages, the DNS content server has to be CurveDNS aware. Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning provide a generic solution not depending on a particular Name Server implementation while providing a
For the forthcoming releases of djbdnscurve6, I plan to integrated this capability natively into tinydns as well.
Sources & Downloads
Please be aware, that though trying to provide an abstraction layer, djbdnscurve6 is quite complex and attention should be given to each step.
Prior of installing djbdnscurve6 you need to meet the following requirements and verified to have them installed successfully:
- Daemontools: Required for user separation and memory restrictions.
- NaCl Library: Required for cryptographic operations - or - libsodium.
- fehQlibs: Required; since djbdnscurve6 includes only application programs (+ stub resolver).
If you plan to setup an own CurveDNS Name Service use:
- CurveDNS (recommended)
You need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.
|Version & Download||Description||fehQlibs version||Verification|
|djbdnscurve6-38||The nineth public minor release of djbdnscurve6 comes now with enhanced EDNS0 query/response capability. It provids better IPv4 compliance now and works well with gcc 11!||fehQlibs-18|| MD5: e5979a25e368324480e9
|djbdnscurve6-37+||The eights public minor release of djbdnscurve6 provides small enhancements and comes with native support for TLSA/DANE records in particular for tinydns. It is compliant with fehQlibs-16 DNS qualification extensions. New build! gcc-10.2 compliant!||fehQlibs-16+ (new build!)|| MD5: 2d081ff47b91b7d5e535b30f9ef2f81e
|djbdnscurve6-36c||The seventh public release of djbdnscurve6 is a maintanence release to be compliant with fehQlibs-15's DNS qualification extensions and follows the enhanced DNS error return codes even here.||fehQlibs-15|| MD5: d959f1fecf480d3cba0512502cc928c4
|djbdnscurve6-36b||The six public release of djbdnscurve6 provides compatibility with fehQlibs-13 and is aligned with it's DNS lookup timeouts and following the enhanced DNS error return codes completely.||fehQlibs-13d/ fehQlibs-10(b)|| MD5: b3051587c2100789b0a2800de6ed69dd
|djbdnscurve6-35||The third public release of djbdnscurve6 providing IPv4/IPv6 dual-stack servers and working seamlessly with libsodium even for NaCl unsupported platforms like the RasPi.||fehQlibs-10(b)/ fehQlibs-12x|| MD5: f1a0d63158e019104fd640578c23c971
The current versions's code is documented in doxygen.
While djbdnscurve6 includes a dnscache-log.pl script to convert IPv4 addresses to their usual decimal-dotted values, an enhanced version dnscache-log.pl is available to do the very same thing with IPv6 addresses. If you have installed CPAN's 'Net::IPv6Addr' module it even displays the IPv6 address in compactified format. This version is included into djbdnscurve6-37.
Installation and Setup
- Un-tar the djbnscurve6-XY under /package and verify the creation of ./net/djbdnscurve6-XY (it is a slashpackage registered software).
- Edit the conf- files to your needs; in particular conf-nacl needs customisation.
- For setting up the individual services, follow DJB's instructions available via djbdns.
- There are some skeleton installation routines available called conf-tinydns ... for convenience only.
For some more details read the attached INSTALL document coming with the SW.
Since you have installed a previous version of djbdnscurve6 you should follow this path:
- After un-taring the new version, do a package/compile in the generated directory.
- Go to ./compile and call ./install.
- Proceed with package/man in the main directory and finally with
Instead of vanilla NaCL, alternative implementations can be used, as long as they provide the same cryptobox APIs. Here is the recipie:
- Adjust conf-nacl to point to the path of the header files and the libraries.
- djbdnscurve6 expects the name of the included library to be nacl in its Makefile. You can either change -lnacl to e.g. -lsodium for the 'load' target in the Makefile or simply link the respective 'alien' library to the name 'libnacl'.
djbdnscurve6 services like tinydns and dnscache depend some Daemontools modules to provide the chroot environment and memory usage. In case those requirements are met, the servers run smoothlessly even under SystemD even including JournalD.
Defects & Release Management
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
|[20190227#1]||Bug/Error||dnscache does not log IP of rejected client connections for UDP/TCP||fixed in v34||[20190510#1]||Bug||tinydns-data missing IPv4|v6 addresses for MX records upon generation||fixed in v35|
|[20190516#1]||Bug||dnsip may segfault at lookup||fixed in v35|
|[20190530#1]||Bug||walldns, rbldns, and dnstrace may segfault due to wrong casting in dd6||fixed in v35|
|[20190608#1]||Bug||Wrong composition of inverse IPv6 name (dns_nd.c)||fixed in v35|
|[20190608#2]||Bug/Error||dnsfilter generates no output||fixed in v35|
produces high polling load in case the DNS server is not responding
(introduced in v36 while only partially adopting the enhanced DNS error return codes)
|fixed in v36a|
|[20191213#1]||Bug||dnsip does not return resolved IPv6 addresses on output||fixed in v36b|
|[20201225#1]||Bug||tinydns returns a IPv6-mapped IPv4 address for NS queries in the additional section.||fixed in v37|
|[20210801#1]||Error||Binding to IPv4 or IPv6 for UDP or TCP is solely based on IP address of remote site. EDNS0 support reworked.||fixed in v38|
Versions & releases plans
- djbdnscurve6 (version 1) without CurveDNS support might be published on demand.
- djbdnscurve6 (version 2) providing CurveDNS support for
dnscache is the current major version (starting with v33).
The next minor release shall fully integrate EDNS0 support in dnscache.
A TCP enhanced tinydns content server would also be not bad at all. Preforking? TLS support?
- djbdnscurve6 (version 3) is scheduled to support CurveDNS natively for tinydns.
- djbdnscurve6 (version 4) shall be multicast enabled.
Tickets, Change Requests, communication
An EZMLM mailing list working together with djbdnscurve6 keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file
- Defects (bug reports) and
- Change Requests (enhancements).
To inscribe use: djbdnscurve6 mailing list
As usual, I can't guarantee a certain response level; but reasonable issues will be answered.
Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents regarding the servers:
|AXFR DNS zone transfer server; requires tcpserver or sslsever|
|DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)|
|rbldns||rbldns-conf||Relay Black (and white) List server for IPv4 and IPv6|
|UDP based DNS content server|
|walldns||walldns-conf||UDP based reverse DNS wall server|
The DNS lookup clients and diagnostic tools are kept API-compliant w.r.t. djbdns 1.05; thus we have:
|Recursive lookup clients||Diagnostic tools|
Other Points of Interest
- DJB's djbdns site [CurveDNS enabled (txt)]
- dq by Jan Mojzis
- djbdns-1.06 (obsolete ?)
- DNSCurve: Usable security for DNS (included) [CurveDNS enabled]
- DNSCurve.io [CurveDNS enabled]
- IANIX [CurveDNS enabled]
- dnscache Log File Format (included)
- dnscache tweaking (more or less included)
- TinyDNS Format (not relevant here)
- MaraDNS (perhaps)
- Peter Conrad's tinydnssec [CurveDNS enabled]
- IPvFuture (?)
- Henning Brauer's Live With djbdns (mostly applicable)
- tinydns w/o Daemontools (if you need it)
- my djbdns Jumbo Patch
- djbdns patches