Dnsruby 1.1 released
I’ve just released version 1.1 of Dnsruby.
This release adds DNSSEC support. More precisely, this version implements a non-validating stub resolver: the DO bit (in the EDNS OPT record) is set to tell the upstream resolver that DNSSEC records are understood and wanted. The validation itself is expected to be performed by that remote resolver, and the stub simply trusts what comes back, so the resolver should be a trusted one reached over a secure link.
If an untrusted resolver or an insecure link is used, then Dnsruby can still be used to verify responses for zones for which the client application knows a trusted key. Dnsruby maintains a cache of trusted keys, and new keys (from signed DNSKEY or DS RRSets) are added to that cache as they are verified. However, it is up to the client application to ensure that the appropriate queries have been issued to follow the chain of trust from the known trusted key down to the key required to verify particular records in the zone. For more details, see the DNSSEC file in the Dnsruby distribution.
Of course, once we have a signed root, then Dnsruby should be changed to automatically follow the chain of trust from the root down to the zone of interest. At that point, I’ll also need to work out a better API that conveys more sensible information about the resolution. The current system of “success/failure” doesn’t handle the many different types of “failure” that can occur in a DNSSEC world.

April 24th, 2008 at 1:43 am
Very cool. I’m thinking of implementing a small authoritative-only DNS server in ruby - it looks, at first, like dnsruby would be a good candidate for adaptation.
I don’t suppose you can think of any reason, just off the top of your head, why that might be a very bad idea?
At first glance looks like I could just start hacking Hosts.rb to read from a yaml file or something.
Thanks - and any example code you might be sitting on would be much appreciated! : )
April 24th, 2008 at 9:25 am
If I were to be writing an authoritative nameserver with dnsruby, I’d be thinking about the following points:
a) Ruby’s atrocious support for concurrency. I’d definitely be using EventMachine to handle all the network/timer side of things.
b) You’d need to add support for reading zone files into dnsruby. Dnsruby already understands all RR types, but it doesn’t get the concept of a zone.
Dnsruby was developed as a client library. All the hooks are in Dnsruby for things like (A/I)XFR, secure dynamic updates, and so on, but you would need to write the server logic to go with it.
Good luck!
April 24th, 2008 at 5:33 pm
Thanks very much for the reply. I’d definitely use EM like you suggest - crazy to do it any other way!
The zone implementation should be pretty easy? All I need to do is tell dnsruby to serve requests only for A, B and C domains, then match up the information with record types dnsruby understands. I’ll feed dnsruby the information from a database
Well, who knows, maybe I won’t end up using it - just wanted to see if you had any thoughts on it / knew of any prior implementations, etc. Not really looking forward to writing my own request parser but will if I really have to.
Anyway - thanks a lot for your insight.
April 25th, 2008 at 7:10 am
You shouldn’t need to “write your own request parser”. Dnsruby will parse all incoming queries, and construct all outgoing responses without any extra work.
You just have to write the code to figure out what the right response to a particular query is.
July 20th, 2008 at 3:28 pm
Re. the above comments about using dnsruby as a basic authoritative-only server, can you provide some guidance as to where in the code or setup one would begin hooking in that kind of lookup?
I would like to get some kind of simple ruby dns server running, authoritative-only, for development purposes as it can interact nicely with existing ruby infrastructure and I have no need for high volume. If I could have dnsruby sit on a machine (using EM - awesome!) and receive dns requests, and I could put some hook code in there somewhere to look it up in a DB or YAML file or whatever, it sounds like I could do that, but I just can’t find where to begin.
In your previous comments you mentioned having to implement zones but I don’t think that would be too hard - couldn’t I just split up the request, match it to a list of “domains I control” provided by me, then either provide the IP (again referring to a list I provide) or error out? I wouldn’t care about being able to send well-formed zone transfers, etc. All I care about is being able to get a string representing the domain requested, then returning an IP. That is no problem. The problem is providing the interface : )
Any hints/pointers to helpful docs?
July 21st, 2008 at 2:22 pm
Hi Sho -
I wrote some notes on this here:
http://blog.nominet.org.uk/tech/2008/07/21/using-dnsruby-for-an-authoritative-nameserver/
I hope you find them useful.
As for helpful docs: I’d look at RFC1034/1035, and the Dnsruby documentation.
HTH
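The two wire-level points raised on this page, the stub's DO bit from the post (and why a non-validating stub has to trust whoever answers it) and the "match the name against the domains I control, then answer or error out" logic of a tiny authoritative-only server from the comments, as one added example. This is not Dnsruby code and not code from the post or the commenters; it encodes and decodes the DNS wire format by hand with Ruby's standard library so that it runs offline. The zone contents (example.test, 192.0.2.x addresses) are constructed for illustration, name compression is not handled, and the responder never sets the AD bit because it validates nothing.

```ruby
# Constructed example: pure-Ruby DNS wire format, no Dnsruby dependency.
DO_BIT         = 0x8000   # DO flag: bit 15 of the OPT RR's 32-bit TTL field (RFC 3225)
TYPE_A         = 1
TYPE_OPT       = 41
CLASS_IN       = 1
RCODE_NOERROR  = 0
RCODE_NXDOMAIN = 3
RCODE_REFUSED  = 5
FLAG_QR = 0x8000; FLAG_AA = 0x0400; FLAG_RD = 0x0100; FLAG_AD = 0x0020

# Wire-format name: length-prefixed labels terminated by a zero byte.
def encode_name(name)
  name.chomp('.').split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + "\0"
end

# Decode an uncompressed name at +off+; returns [name, offset_after_name].
def decode_name(msg, off)
  labels = []
  loop do
    len = msg.getbyte(off)
    raise 'truncated name' if len.nil?
    off += 1
    break if len.zero?
    raise 'compression pointers not handled in this example' if len >= 0xC0
    labels << msg.byteslice(off, len)
    off += len
  end
  [labels.join('.'), off]
end

# Stub side: a query for +name+ carrying an OPT pseudo-RR with the DO bit set.
def build_query(id, name, qtype = TYPE_A, dnssec_ok: true)
  header   = [id, FLAG_RD, 1, 0, 0, 1].pack('n6')            # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
  question = encode_name(name) + [qtype, CLASS_IN].pack('nn')
  opt_ttl  = dnssec_ok ? DO_BIT : 0                            # ext-rcode=0, version=0, DO, Z=0
  opt      = "\0" + [TYPE_OPT, 4096, opt_ttl, 0].pack('nnNn')  # root name, UDP size 4096, no rdata
  header + question + opt
end

# Parse header, the single question, and every RR section into a Hash.
def parse_message(msg)
  id, flags, _qd, an, ns, ar = msg.unpack('n6')
  off = 12
  qname, off = decode_name(msg, off)
  qtype, qclass = msg.byteslice(off, 4).unpack('nn')
  off += 4
  parse_rrs = lambda do |count|
    Array.new(count) do
      name, off2 = decode_name(msg, off)
      type, klass, ttl, rdlen = msg.byteslice(off2, 10).unpack('nnNn')
      rdata = msg.byteslice(off2 + 10, rdlen)
      off = off2 + 10 + rdlen
      { name: name, type: type, class: klass, ttl: ttl, rdata: rdata }
    end
  end
  answers, authority, additional = parse_rrs.call(an), parse_rrs.call(ns), parse_rrs.call(ar)
  opt = additional.find { |rr| rr[:type] == TYPE_OPT }
  { id: id, flags: flags, rcode: flags & 0xF,
    ad: (flags & FLAG_AD) != 0,                  # only the answering resolver's assertion
    do: !opt.nil? && (opt[:ttl] & DO_BIT) != 0,
    qname: qname, qtype: qtype, qclass: qclass,
    answers: answers, authority: authority, additional: additional }
end

# Server side: the "domains I control" from the comments, as a hash (constructed data).
ZONES = {
  'example.test' => { 'example.test' => '192.0.2.1', 'www.example.test' => '192.0.2.10' },
}.freeze

def a_record(name, ip, ttl = 300)
  encode_name(name) + [TYPE_A, CLASS_IN, ttl, 4].pack('nnNn') + ip.split('.').map(&:to_i).pack('C4')
end

# Raw query bytes in, raw response bytes out. Non-validating, so AD is never set.
def respond(query_bytes)
  q    = parse_message(query_bytes)
  zone = ZONES.keys.find { |z| q[:qname] == z || q[:qname].end_with?(".#{z}") }
  answers = []
  if zone.nil?
    rcode = RCODE_REFUSED                         # not ours: refuse rather than guess or recurse
  elsif !ZONES[zone].key?(q[:qname])
    rcode = RCODE_NXDOMAIN
  else
    rcode = RCODE_NOERROR                         # unknown qtype gives NOERROR with no answer (NODATA)
    answers << a_record(q[:qname], ZONES[zone][q[:qname]]) if q[:qtype] == TYPE_A
  end
  flags    = FLAG_QR | FLAG_AA | (q[:flags] & FLAG_RD) | rcode
  question = encode_name(q[:qname]) + [q[:qtype], q[:qclass]].pack('nn')
  opt      = q[:additional].find { |rr| rr[:type] == TYPE_OPT }
  extra    = opt ? "\0" + [TYPE_OPT, 4096, opt[:ttl] & DO_BIT, 0].pack('nnNn') : ''  # RFC 3225: copy DO back
  [q[:id], flags, 1, answers.size, 0, opt ? 1 : 0].pack('n6') + question + answers.join + extra
end

# What an on-path attacker (or a lying resolver) can do to a non-validating stub: flip AD on.
def forge_ad(response_bytes)
  flags = response_bytes.byteslice(2, 2).unpack1('n') | FLAG_AD
  response_bytes.byteslice(0, 2) + [flags].pack('n') + response_bytes.byteslice(4, response_bytes.bytesize - 4)
end

if __FILE__ == $PROGRAM_NAME
  r = parse_message(respond(build_query(0x1234, 'www.example.test')))
  puts "rcode=#{r[:rcode]} do=#{r[:do]} ad=#{r[:ad]} answers=#{r[:answers].map { |a| a[:rdata].unpack('C4').join('.') }}"
  puts "forged ad=#{parse_message(forge_ad(respond(build_query(1, 'www.example.test'))))[:ad]}"
end
```

The forge_ad helper makes the post's caveat concrete: the AD bit in a reply is just a header bit, so a stub that does no validation of its own can only rely on it when the resolver is trusted and the path to it cannot be tampered with. Dnsruby would do the parsing and message construction that the helpers here do by hand; the zone-lookup branch in respond is the part you would still write yourself.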
August 22nd, 2008 at 3:40 am
hey alex - sorry, didn’t check for a long time.
Really appreciate the writeup. I’ll be studying it carefully : )
Thanks again - really good of you. Almost makes up for you bloody English getting more medals than us … :-)