Unified IPv6 DNS Security
djbdnscurve6 is a fork of djbdns combining
- IPv6 capabilities based on fehQlibs, allowing the use of compactified IPv6 and LLU addresses,
- a CurveDNS secured query/response for dnscache based on NaCl with an adopted Matthew Dempsky patch,
- including improvements for CNAME caching, and
- allowing a qualification of DNS Name Servers.
- rbldns supporting IPv6 addresses.
- tinydns using compactified IPv6 addresses within the tinydns-data data file.
- Finally, installation is done according to the slashpackage convention.
The decrypting djbdnscurve6 stub resolver can be used as a standard library for other programs.
While DJBDNS is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provide a full solution.
In order to achieve DNS message encryption on the server side, you need to install Harm van Tilborg's CurveDNS server alongside Daniel Bernstein's, Tanja Lange's, and Peter Schwabe's NaCl library.
Architecture of djbdnscurve6
DNS uses a client/server architecture with three different components:
- The DNS stub resolver as part of the application/Operating system.
- The DNS Forwarder or Cache server accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
- Some DNS Name Server -- or Content Server -- hosted in-house or outsourced to other companies.
djbdnscurve6 provides applications and a library to cope with all of those circumstances, in particular to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).
CurveDNS enabled DNS Cache server/full resolver
This is a sketch of the dnscache solution:
- Common support for IPv4 and IPv6.
- EDNS0 enabled (thanks Peter Conrad).
- Support for IPv6 LLU addresses (sending and receiving).
- Reverse IPv6 Anycast capabilities (automatic binding to new IPv6 addresses and interfaces) - Software Defined Networking (SDN) enabled.
CurveDNS enabled DNS content server
To benefit from encrypted DNS messages, the DNS content server has to be CurveDNS aware. Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning provide a generic solution not depending on a particular Name Server implementation while providing a
For the forthcoming releases of djbdnscurve6, I plan to integrate this capability natively into tinydns as well.
Sources & Downloads
Please be aware that, although it tries to provide an abstraction layer, djbdnscurve6 is quite complex and attention should be given to each step.
Prior to installing djbdnscurve6, you need to meet the following requirements and verify that they are installed successfully:
- Daemontools: Required for user separation and memory restrictions.
- NaCl Library: Required for cryptographic operations.
- fehQlibs: Required; since djbdnscurve6 includes only application programs (+ stub resolver).
If you plan to set up your own CurveDNS Name Service, use:
- CurveDNS (recommended)
You need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.
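An added example (not code from djbdnscurve6 or CurveDNS): per the DNSCurve specification, the server's Curve25519 public key is published as the first label of the name server's name, "uz5" followed by 51 base-32 digits, so a delegation can be checked by decoding that label. The helper names, the sample key and example.org are constructed for illustration.

```python
# Added example: encode/decode the DNSCurve public-key label of an NS name.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base-32 digits
MAGIC = "uz5"      # marks a label that carries a DNSCurve public key
KEY_DIGITS = 51    # 51 digits * 5 bits = 255 key bits


def b32_encode(data: bytes) -> str:
    """Little-endian base-32: the low-order 5 bits are emitted first."""
    n = int.from_bytes(data, "little")
    ndigits = (len(data) * 8 + 4) // 5
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(ndigits))


def b32_decode(text: str, nbytes: int) -> bytes:
    """Inverse of b32_encode; digits are case-insensitive."""
    n = 0
    for i, ch in enumerate(text.lower()):
        value = ALPHABET.find(ch)
        if value < 0:
            raise ValueError(f"{ch!r} is not a DNSCurve base-32 digit")
        n |= value << (5 * i)
    return n.to_bytes(nbytes, "little")


def key_to_label(public_key: bytes) -> str:
    """Build the 54-character label for a 32-byte Curve25519 public key."""
    if len(public_key) != 32:
        raise ValueError("Curve25519 public keys are 32 bytes")
    if public_key[31] & 0x80:
        raise ValueError("top bit set: only 255 bits fit in the label")
    return MAGIC + b32_encode(public_key)[:KEY_DIGITS]


def label_to_key(ns_name: str):
    """Return the key carried by an NS name, or None if it is not a uz5 name."""
    label = ns_name.split(".", 1)[0]
    if len(label) != len(MAGIC) + KEY_DIGITS or not label.lower().startswith(MAGIC):
        return None
    return b32_decode(label[len(MAGIC):], 32)


SAMPLE_KEY = bytes(range(32))                          # constructed, not a real key
SAMPLE_NS = key_to_label(SAMPLE_KEY) + ".example.org"  # constructed NS name

if __name__ == "__main__":
    print(SAMPLE_NS)
    print(label_to_key(SAMPLE_NS).hex())
```

Decoding the label of the published NS name and comparing it with the key the server actually uses catches a mistyped or truncated delegation before resolvers fail to decrypt.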
|Version & Download||Description||Verification||Code|
|djbdnscurve6-33||The first public release of djbdnscurve6||MD5: a8bfad9278f6c88d18b29c2c09818683|
Installation and Setup
- Un-tar djbdnscurve6-XY under /package and verify the creation of ./net/djbdnscurve6-XY (it is a slashpackage registered software).
- Edit the conf- files to your needs; in particular conf-nacl needs customisation.
- For setting up the individual services, follow DJB's instructions available via djbdns.
- There are some skeleton installation routines available called conf-tinydns ... for convenience only.
For more details, read the INSTALL document that comes with the software.
Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents:
|axfrdns||axfrdns-conf||AXFR DNS zone transfer server; requires tcpserver or sslserver|
|axfr-get||AXFR DNS zone transfer client; requires tcpclient or sslclient|
|DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)|
|rbldns||rbldns-conf||Relay Black (and white) List server|
|UDP based DNS content server|
|walldns||walldns-conf||UDP based reverse DNS wall server|
Other Points of Interest
- dq by Jan Mojzis
- djbdns-1.06 (obsolete ?)
- DNSCurve: Usable security for DNS (included)
- dnscache Log File Format (included)
- dnscache tweaking (more or less included)
- TinyDNS Format (not relevant here)
- MaraDNS (perhaps)
- Peter Conrad's tinydnssec
- IPvFuture (?)
- Henning Brauer's Live With djbdns (mostly applicable)
- tinydns w/o Daemontools (if you need it)