Consulting djbware Publications

Unified IPv6 DNS Security

Scope

djbdnscurve6 is a fork of djbdns combining

The decrypting djbdnscurve6 stub resolver can be used as standard lib for other programs.

Heritage

While DJBDNS is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provided a full solution.

In order to achieve DNS message encryption on the server side, you need to install Harm von Tilborg's CurveDNS server along-side with Daniel Bernstein's, Tanja Lange's, and Peter Schwabe's NaCl library also available as libsodium.

Architecture of djbdnscurve6

DNS applies a client/server architecture with three different components:

  1. The DNS stub resolver as part of the application/Operating system.
  2. The DNS Forwarder or Cache server accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
  3. Some DNS Name Server -- or Content Server -- hosted inherent or outsourced to other companies.

djbdnscurve6 provides applications and a library to cope with all of those circumstances. In particular, to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).

CurveDNS enabled DNS Cache server/full resolver

This is sketch of the dnscache solution:

Figure 1: Concept and layout of dnscache; IP addresses are samples

Some features:

CurveDNS enabled DNS content server

To benefit from encrypted DNS messages, the DNS content server has to be CurveDNS aware. Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning provide a generic solution not depending on a particular Name Server implementation while providing a

For the forthcoming releases of djbdnscurve6, I plan to integrated this capability natively into tinydns as well.

Sources & Downloads

Please be aware, that though trying to provide an abstraction layer, djbdnscurve6 is quite complex and attention should be given to each step.

Dependencies

Prior of installing djbdnscurve6 you need to meet the following requirements and verified to have them installed successfully:

Co-dependency

If you plan to setup an own CurveDNS Name Service use:

You need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.

Download

Version & Download Description fehQlibs version Verification
djbdnscurve6-38 The nineth public minor release of djbdnscurve6 comes now with enhanced EDNS0 query/response capability. It provids better IPv4 compliance now and works well with gcc 11! fehQlibs-18 MD5: e5979a25e368324480e9
Build: 20210803222338
djbdnscurve6-37+ The eights public minor release of djbdnscurve6 provides small enhancements and comes with native support for TLSA/DANE records in particular for tinydns. It is compliant with fehQlibs-16 DNS qualification extensions. New build! gcc-10.2 compliant! fehQlibs-16+ (new build!) MD5: 2d081ff47b91b7d5e535b30f9ef2f81e
Build: 20210221190552
djbdnscurve6-36c The seventh public release of djbdnscurve6 is a maintanence release to be compliant with fehQlibs-15's DNS qualification extensions and follows the enhanced DNS error return codes even here. fehQlibs-15 MD5: d959f1fecf480d3cba0512502cc928c4
Build: 20200731124637
djbdnscurve6-36b The six public release of djbdnscurve6 provides compatibility with fehQlibs-13 and is aligned with it's DNS lookup timeouts and following the enhanced DNS error return codes completely. fehQlibs-13d/ fehQlibs-10(b) MD5: b3051587c2100789b0a2800de6ed69dd
Build: 20200202151144
djbdnscurve6-35 The third public release of djbdnscurve6 providing IPv4/IPv6 dual-stack servers and working seamlessly with libsodium even for NaCl unsupported platforms like the RasPi. fehQlibs-10(b)/ fehQlibs-12x MD5: f1a0d63158e019104fd640578c23c971
Build: 20190609152734

The current versions's code is documented in doxygen.

While djbdnscurve6 includes a dnscache-log.pl script to convert IPv4 addresses to their usual decimal-dotted values, an enhanced version dnscache-log.pl is available to do the very same thing with IPv6 addresses. If you have installed CPAN's 'Net::IPv6Addr' module it even displays the IPv6 address in compactified format. This version is included into djbdnscurve6-37.

Installation and Setup

For some more details read the attached INSTALL document coming with the SW.

Updating

Since you have installed a previous version of djbdnscurve6 you should follow this path:

  1. After un-taring the new version, do a package/compile in the generated directory.
  2. Go to ./compile and call ./install.
  3. Proceed with package/man in the main directory and finally with
  4. package/upgrade.

Libsodium support

Instead of vanilla NaCL, alternative implementations can be used, as long as they provide the same cryptobox APIs. Here is the recipie:

  1. Adjust conf-nacl to point to the path of the header files and the libraries.
  2. djbdnscurve6 expects the name of the included library to be nacl in its Makefile. You can either change -lnacl to e.g. -lsodium for the 'load' target in the Makefile or simply link the respective 'alien' library to the name 'libnacl'.

SystemD installation

djbdnscurve6 services like tinydns and dnscache depend some Daemontools modules to provide the chroot environment and memory usage. In case those requirements are met, the servers run smoothlessly even under SystemD even including JournalD.

Defects & Release Management

Naming conventions
ReferenceType DescriptionState
[20190227#1]Bug/Error dnscache does not log IP of rejected client connections for UDP/TCP fixed in v34
[20190510#1]Bug tinydns-data missing IPv4|v6 addresses for MX records upon generation fixed in v35
[20190516#1]Bug dnsip may segfault at lookup fixed in v35
[20190530#1]Bug walldns, rbldns, and dnstrace may segfault due to wrong casting in dd6 fixed in v35
[20190608#1]Bug Wrong composition of inverse IPv6 name (dns_nd.c) fixed in v35
[20190608#2]Bug/Error dnsfilter generates no output fixed in v35
[20191129#1]Bug dnscache produces high polling load in case the DNS server is not responding
(introduced in v36 while only partially adopting the enhanced DNS error return codes)
fixed in v36a
[20191213#1]Bug dnsip does not return resolved IPv6 addresses on output fixed in v36b
[20201225#1]Bug tinydns returns a IPv6-mapped IPv4 address for NS queries in the additional section. fixed in v37
[20210801#1]Error Binding to IPv4 or IPv6 for UDP or TCP is solely based on IP address of remote site. EDNS0 support reworked. fixed in v38
Versions & releases plans
Tickets, Change Requests, communication

An EZMLM mailing list working together with djbdnscurve6 keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file

To inscribe use: djbdnscurve6 mailing list

As usual, I can't guarantee a certain response level; but reasonable issues will be answered.

Module Documentation

Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents regarding the servers:

Application Miscellaneous Description
axfrdns axfrdns-conf
axfr-get
AXFR DNS zone transfer server; requires tcpserver or sslsever
dnscache dnscache-conf
dnscache-log
DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)
rbldns rbldns-conf Relay Black (and white) List server for IPv4 and IPv6
tinydns tinydns-conf
tinydns-data
tinydns-edit
tinydns-get
tinydns-log
UDP based DNS content server
walldns walldns-conf UDP based reverse DNS wall server

The DNS lookup clients and diagnostic tools are kept API-compliant w.r.t. djbdns 1.05; thus we have:

Recursive lookup clients Diagnostic tools
dnsip dnsq
dnsmx dnsqr
dnsname dnstrace
dnstxt dnsfilter

Other Points of Interest