Richard J. Sexton | 3 Dec 2010 08:41

General amusement (nothing to do with TBP DHP nameservice or dead Wikileaks.org)

>Sean Doran:
>"pay Vix to take the Berkeley B-Tree code and make BIND out of it based on Mockapetris' spec"
>
>Surely that rises to the level of a war crime?
--
Richard J. Sexton  rich4 <at> rd.vrx.net  +1 (206) 333-1798 skype: rsx11s
http://rs79.vrx.net http://mbz.org http://killi.net http://aquaria.net

Sabahattin Gucukoglu | 13 Nov 2010 08:19

Very long delays, is it just djbdns?

Try this command from a nice, clean dnscache:
host -v 2001:470:1f09:103e::2354

It took me three tries on my fastest, most well-connected machine to get the NXDOMAIN response.  I haven't
got to the bottom of it yet, but if anybody has a clue, please do share!

Cheers,
Sabahattin

David Hubbard | 2 Nov 2010 18:12

Wildcards not supported in & records?

Was trying to delegate the first of several /24's worth
of in-addr.arpa records to a customer's name servers,
some of which are present on said /24 and some not, so
I did the following (first three octets and the domain
name changed obviously):

&*.3.2.1.in-addr.arpa:1.2.3.4:ns1.customerdns.com:3600
&*.3.2.1.in-addr.arpa:3.4.5.32:ns2.customerdns.com:3600
&*.3.2.1.in-addr.arpa:3.4.5.31:ns1.customerdns.net:3600
&*.3.2.1.in-addr.arpa:1.2.3.254:ns2.customerdns.net:3600

Did not get successful ptr lookups after putting that in
place, just get an SOA response from our dns showing our
dns.  I changed the records to test just one IP:

&50.3.2.1.in-addr.arpa:1.2.3.4:ns1.customerdns.com:3600
&50.3.2.1.in-addr.arpa:3.4.5.32:ns2.customerdns.com:3600
&50.3.2.1.in-addr.arpa:3.4.5.31:ns1.customerdns.net:3600
&50.3.2.1.in-addr.arpa:1.2.3.254:ns2.customerdns.net:3600

Now it's happy.  Querying for 50.3.2.1.in-addr.arpa on
my tinydns gives back four NS authority records of the
customer's DNS servers.  If I do a straight root lookup
of that ptr I get proper traversal to customer's dns and
a correct response.

So, I can of course write a little script to generate
the thousand or so lines of records I'll need, but was
hoping I could get away with four like you can with A
records?
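
The per-address generator the post says it would otherwise have to script, as an added example that is not part of the original message. The function names are hypothetical, and the prefix, TTL and name servers in the usage comment are the post's own placeholder values.

```shell
#!/bin/sh
# Added example (not from the post): one tinydns-data "&" line per address
# and per name server for a /24, in the four-field form the post tested.

# valid_octet N: true only for a decimal integer 0..255
valid_octet() {
    case $1 in ''|????*|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# valid_ipv4 A.B.C.D: exactly four valid octets (runs in a subshell)
valid_ipv4() (
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do valid_octet "$o" || exit 1; done
)

# gen_delegations A.B.C TTL IP:NAME [IP:NAME ...]
gen_delegations() (
    prefix=$1 ttl=$2
    [ $# -ge 3 ] || { echo "usage: gen_delegations A.B.C TTL IP:NAME..." >&2; exit 1; }
    shift 2
    valid_ipv4 "$prefix.0" || { echo "bad /24 prefix: $prefix" >&2; exit 1; }
    case $ttl in ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; exit 1 ;; esac
    for ns in "$@"; do
        ip=${ns%%:*} name=${ns#*:}
        # A stray ':' or newline in a field would shift tinydns-data columns,
        # so every field is checked before anything is printed.
        { [ "$ip" != "$ns" ] && valid_ipv4 "$ip"; } || { echo "bad server: $ns" >&2; exit 1; }
        case $name in ''|*[!A-Za-z0-9.-]*) echo "bad name: $name" >&2; exit 1 ;; esac
    done
    # Reverse the three octets: 1.2.3 -> 3.2.1.in-addr.arpa
    zone=$(IFS=.; set -f; set -- $prefix; echo "$3.$2.$1.in-addr.arpa")
    n=0
    while [ "$n" -le 255 ]; do
        for ns in "$@"; do
            printf '&%s.%s:%s:%s:%s\n' "$n" "$zone" "${ns%%:*}" "${ns#*:}" "$ttl"
        done
        n=$((n + 1))
    done
)

# Run directly: sh gen.sh 1.2.3 3600 1.2.3.4:ns1.customerdns.com ... > delegations
if [ $# -gt 0 ]; then gen_delegations "$@"; fi
```

With the post's four name servers this prints 1024 lines, which can be reviewed and appended to the tinydns data file before rebuilding it.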

Russell Sutherland | 2 Nov 2010 16:34

IPv6 readiness and tinydns.

I am attempting to prepare our infrastructure here to be IPv6 ready.
Part of that is DNS. For several years we have used the fefe.de patch to
serve up AAAA records for several sub-domains. In the documentation it
states explicitly that:

    .... tinydns-edit won't accept IPv6 addresses for NS or MX records yet

So my short question is, can one use a patched version of tinydns to fully
support an IPv6 environment?

<snip>
On 2008-01-12 Russ Nelson wrote:

   "When Google has an AAAA record, we can talk about adding IPv6 support."

I think we are ready to start talking:

   http://www.google.com/intl/en/ipv6/faq.html
</snip>

-- 
Russell Sutherland  I+TS
e: russell.sutherland <at> utoronto.ca
t: +1.416.978.0470
f: +1.416.978.6620
m: +1.416.803.0080

Harm van Tilborg | 25 Oct 2010 15:48

Re: Introducing CurveDNS a DNSCurve forwarding name server

Hi Maciej,

You are right. The idea was taken from djb's approach in djbdns --
together with daemontools' envuidgid tool.

I'm changing it in the next release, making it a bit harder to easily
specify the effective uid and gid -- since envuidgid cannot be used anymore.

I think `CURVEDNS_USER' will house the user CurveDNS is about to run
under when root privileges are not needed anymore.

-- 
Kind regards,
Harm van Tilborg

On 25-10-2010 02:48, Maciej Żenczykowski wrote:
> UID is a readonly variable under bash - cannot be modified or unset -
> please use something else.

Chris Pugh | 25 Oct 2010 11:09

curvedns.net/org : For your interest, or not as the case may be

Greets,

   http://curvedns.net

   http://curvedns.org

I've taken the trouble to rescue the above two domains before the
search engine guys take them; the main idea being to use them as a
focal point for referencing anything specifically related to DNSCurve.

By putting people with similar goals in touch with one another, and
having specific reference points for all efforts, may go some way to
offsetting/reversing the current imbalance between DNSCurve and DNSSEC.
Has to be worth a try, especially since I am aware of several people
working on, intending to work on, or in the process of working on
DNSCurve related material.  I along with a few others, also have some
DNSCurve enabled servers/caches/forwarders implemented and working.

Accordingly, I am open to further suggestion and input from any
interested parties as to appropriate usage of the above two domains.
What would you wish to see there?  An editable wiki maybe, for example
mediawiki, ikiwiki, or similar?  Domains split into subdomains per
project?  Any and all suggestions welcome.

Harm van Tilborg | 23 Oct 2010 20:14

Introducing CurveDNS a DNSCurve forwarding name server

Hello people,

/Not really the appropriate list but I think not many people will
object, since it is quite related to djbdns./

We are happy to announce the first forwarding DNSCurve solution: CurveDNS.

With CurveDNS you are able to transform any authoritative name server in
a DNSCurve capable one. This is done by acting as a kind of proxy, i.e.
listening to DNS or DNSCurve queries and forwarding the non-protected
variants towards the real (existing) name server. The responses are then
sent back to the client either protected (if the query was in DNSCurve)
or not.

In short, CurveDNS supports:
* Forwarding of regular (non-protected) DNS packets;
* Unboxing of DNSCurve queries and forwarding the regular DNS packets;
* Boxing of regular DNS responses to DNSCurve responses;
* Both DNSCurve's streamlined- and TXT-format;
* Caching of shared secrets;
* Both UDP and TCP;
* Both IPv4 and IPv6.

This entire project is based on a master thesis named 'Shaping DNS
Security with Curves — A Comparative Security Analysis of DNSSEC and
DNSCurve', you can find this thesis at the CurveDNS website too.

Interested? More information, documentation, et cetera can be found at
the CurveDNS website:
http://curvedns.on2it.net/

Sami Farin | 12 Oct 2010 20:42

djbdns/dnscache epoll patch, qmerge and dnscurve included


OK, my ISP decided to block ports 1-1023 without prior warning..
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff
http://safari.iki.fi:8765/patches/djbdns/djbdns-1.05-epoll-20101011192500Z-mergequeries-dnscurve.diff.sig
That's why I have this kind of funny port numbers.

In this version, the qmerge feature is O(1) instead of O(MAXUDP), though.
qmerge is not enabled for dnscurve queries—I haven't thought yet would
it be easy to support.
A different approach was needed for qmerge support with epoll,
because for epoll_wait the fd's were not returned for merged queries.
If someone wants the O(1) version for non-epoll dnscache, it
should be easy to port.

BTW. what's currently the best option for dnscurve server?
Are there other than git://github.com/agl/dnscurve.git ?
Would there be need for dnscurve support for tinydns?
Or specifying (hard-coding) keys in dnscache root/servers files?
Or any other extra features in dnscache?

-- 
Do what you love because life is too short for anything else.

Brian | 4 Oct 2010 20:46

Beating an Old Horse, but....

Hello,

Does anyone know of any existing branches / work being done for DNSCache
to support DNSSEC validation?

-brian

John Levine | 26 Sep 2010 07:08

EDNS0 for djbdns?

Has anyone modified tinydns or dnscache to support EDNS0?  I know all
the reasons it is in principle a bad idea, but these days every other
DNS package supports it, and DNS packet sizes are getting bigger.  A
few months ago I modified one of my special purpose DNS servers (the
one that runs abuse.net) to handle it, and I have to say I've seen no
operational problems at all.

I doubt that it would be a huge amount of code, but I'd just as soon
not write it if somebody else has already done so.

R's,
John

richard lucassen | 25 Sep 2010 12:33

ipv6 walldns

Has anyone patched walldns to function with ipv6?

The only patches for ipv6 I can find are these from Felix von Leitner.
But these patches only provide AAAA and PTR records. Are there any
other ipv6 patches for djbdns?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+


Gmane