Consulting djbware Publications

Unified IPv6 DNS Security


djbdnscurve6 is a fork of djbdns combining

The decrypting djbdnscurve6 stub resolver can be used as standard lib for other programs.

Heritage and Directions

While djbdns is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provided a full solution.

Unlike DNS over TLS (DNS/TLS) DNSCurve provides an application-level message encryption:

Components of djbdnscurve6

DNS applies a client/server architecture with three different components:

  1. The DNS stub resolver as part of the application/Operating system.
  2. The DNS Forwarder or Cache server (occassionaly called a Recurser) accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
  3. Some DNS Autoritative Name Server -- or Content Server -- hosted inherent or outsourced to other companies.

djbdnscurve6 provides applications and a library to cope with all of those circumstances. In particular to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).

The following modules can be used from djbdnscurve6:

Figure: DNS modules and libraries coming with djbdnscurve6

DNSCurve enabled DNS Cache server/full resolver

dnscache provides the DNS interface to your operating system and your applications under Unix. DNS name resolution should be reliable, fast, and confidential while working together with the DNS stub resolvers on your system.

Some features of dnscache:

DNSCurve enabled DNS authoritative content servers

Starting with version 3 of djbdnscurve6 DNSCurve encryption is also provided on the server side for

  1. tinydns,
  2. walldns and potentially
  3. rbldns

once the DNSCurve public/private key pair has been generated and the public key uz5 ... is provisioned to the upstream name server as 'trust anchor'.

DNS libraries and communication features

For a stub-resolver typically the fehQlibs DNS libraries (libdnsresolv) can be used; though djbdnscurve6's libdnscresolv is enabled for additional DNSCurve capabilities.

Common with Daniel Bernstein, the libdnscresolv is using a layered architecture to provide library routines for application programs thus as browsers, SMTP mail clients (such as qmail-remote) and others to be able to allow a qualified (and confidential) domain name resolution:

Other communication features apart from DNSCurve support:

DNSCurve enabled reverse (forwarding) proxies

If you use other DNS content servers, you can benefit from encrypted DNS messages using Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning CurveDNS reverse proxy:

The reverse proxy generates authoritative replies for the clients. Also here, you need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.

Sources & Downloads

Please be aware, that though trying to provide a common abstraction layer with djbdns, djbdnscurve6 is quite complex and attention should be given to each step.


Prior of installing djbdnscurve6 you need to meet the following requirements and verified to have them installed successfully:


Version & Download Description fehQlibs version Verification
djbdnscurve6-43 The six public major release of djbdnscurve6 (version 3) includes DNSCurve support for all DNS content server as well! And now with siphash for dnscache. Qualified generation and parsing of DKIM and TLSA records in TXT format with labels. fehQlibs-20 MD5: b5bd67967f4d2028bad2
Build: 20220731213000
djbdnscurve6-39 The tenth public minor release of djbdnscurve6 (version 2) comes now with partial EDNS0 query/response capability for dnscache together with better protection against DNS spoofing using Siphash. It provides better IPv4 compliance now and works well with gcc 11! fehQlibs-18 MD5: 6543ba7e76a76770ee69c98ffcc1ddc7
Build: 20211001094001
djbdnscurve6-38 The nineth public minor release of djbdnscurve6 comes now with enhanced EDNS0 capability. It provids better IPv4 compliance now and works well with gcc 11! fehQlibs-18 MD5: e5979a25e368324480e94fa637442fd6
Build: 20210803222338
djbdnscurve6-37+ The eights public minor release of djbdnscurve6 provides small enhancements and comes with native support for TLSA/DANE records in particular for tinydns. It is compliant with fehQlibs-16 DNS qualification extensions. New build! gcc-10.2 compliant! fehQlibs-16+ (new build!) MD5: 2d081ff47b91b7d5e535b30f9ef2f81e
Build: 20210221190552
djbdnscurve6-36c The seventh public release of djbdnscurve6 is a maintenance release to be compliant with fehQlibs-15's DNS qualification extensions and follows the enhanced DNS error return codes even here. fehQlibs-15 MD5: d959f1fecf480d3cba0512502cc928c4
Build: 20200731124637
djbdnscurve6-36b The six public release of djbdnscurve6 provides compatibility with fehQlibs-13 and is aligned with it s DNS lookup timeouts and following the enhanced DNS error return codes completely. fehQlibs-13d/ fehQlibs-10(b) MD5: b3051587c2100789b0a2800de6ed69dd
Build: 20200202151144
djbdnscurve6-35 The third public release of djbdnscurve6 providing IPv4/IPv6 dual-stack servers and working seamlessly with libsodium even for NaCl unsupported platforms like the RasPi. fehQlibs-10(b)/ fehQlibs-12x MD5: f1a0d63158e019104fd640578c23c971
Build: 20190609152734

The current versions's code is documented in doxygen.

While djbdnscurve6 includes a script to convert IPv4 addresses to their usual decimal-dotted values, an enhanced version is available to do the very same thing with IPv6 addresses. If you have installed CPAN's 'Net::IPv6Addr' module it even displays the IPv6 address in compactified format. This version is included since djbdnscurve6-37.

Installation, Setup & Configuration


For some more details read the attached INSTALL document coming with the SW.


Additional information about customization and entering DNS resource data are now available:

The recommendations given by Daniel J. Bernstein for setting up the individual services for djbdns are mostly still valid though.


Since you have installed a previous version of djbdnscurve6 you should follow this path:

  1. After un-taring the new version, do a package/compile in the generated directory.
  2. Go to ./compile and call ./install.
  3. Proceed with package/man in the main directory and finally with
  4. package/upgrade.

Libsodium support

Instead of vanilla NaCl, alternative implementations can be used, as long as they provide the same cryptobox APIs. NaCl installs well on 'bare metal' servers (having access to the CPU capabilities directly) but is not really applicable for virtualized environments. Here is the recipe to accostum the installation:

  1. Adjust conf-nacl to point to the path of the header files and the libraries.
  2. Coming with version 41, a tailored Makefile Makefile.libsodium is available in the ./src directory. Simply copy this as Makefile here. This takes care of the differently named libraries; either -lnacl or -lsodium.

systemd compatibility

djbdnscurve6 services like tinydns and dnscache depend some daemontools modules to provide the chroot environment and memory usage. In case those requirements are met, the servers run smoothlessly even under systemd even including journald.

Defects & Release Management

Naming conventions

Known and solved defects

ReferenceType DescriptionState
[20190227#1]Bug/Error dnscache does not log IP of rejected client connections for UDP/TCP fixed in v34
[20190510#1]Bug tinydns-data missing IPv4|v6 addresses for MX records upon generation fixed in v35
[20190516#1]Bug dnsip may segfault at lookup fixed in v35
[20190530#1]Bug walldns, rbldns, and dnstrace may segfault due to wrong casting in dd6 fixed in v35
[20190608#1]Bug Wrong composition of inverse IPv6 name (dns_nd.c) fixed in v35
[20190608#2]Bug/Error dnsfilter generates no output fixed in v35
[20191129#1]Bug dnscache produces high polling load in case the DNS server is not responding
(introduced in v36 while only partially adopting the enhanced DNS error return codes)
fixed in v36a
[20191213#1]Bug dnsip does not return resolved IPv6 addresses on output fixed in v36b
[20201225#1]Bug tinydns returns a IPv6-mapped IPv4 address for NS queries in the additional section. fixed in v37
[20210801#1]Error Binding to IPv4 or IPv6 for UDP or TCP is solely based on IP address of remote site. EDNS0 support reworked. fixed in v38
[20211107#1]Bug dnscache answers a 'dnsname ::1' with 'ip4-loopback'; paste'n'copy error ;-) Fixed in v39
[20220113#1]Error dnscache may fail to return IP address (A/AAAA) for deeply nested CNAMEs. Removed Jonathan de Boyne Pollard's CNAME extension. Fixed in v41
[20220127#1]Flaw dnscache did not include siphash due to a wrong fork. Included in v42

Versions & releases plans

Tickets, Change Requests, communication

An EZMLM mailing list working together with djbdnscurve6 keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file

To inscribe use: djbdnscurve6 mailing list

As usual, I can't guarantee a certain response level; but reasonable issues will be answered.

Module Documentation

Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents regarding the servers:

Application Miscellaneous Description
axfrdns axfrdns-conf
AXFR DNS zone transfer server; requires tcpserver or sslsever
dnscache dnscache-conf
DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)
rbldns rbldns-conf Relay Black (and white) List server for IPv4 and IPv6
tinydns tinydns-conf
DNSCurve enabled UDP based DNS content server
walldns walldns-conf
DNSCurve enabled UDP based reverse DNS wall server

The DNS lookup clients and diagnostic tools are kept API-compliant w.r.t. djbdns 1.05; thus we have:

Recursive lookup clients Diagnostic tools
dnsip dnsq
dnsmx dnsqr
dnsname dnstrace
dnstxt dnsfilter

Other Points of Interest