[![Build Status](https://travis-ci.org/bluejekyll/trust-dns.svg?branch=master)](https://travis-ci.org/bluejekyll/trust-dns)
[![Coverage Status](https://coveralls.io/repos/github/bluejekyll/trust-dns/badge.svg?branch=master)](https://coveralls.io/github/bluejekyll/trust-dns?branch=master)
[![](http://meritbadge.herokuapp.com/trust-dns)](https://crates.io/crates/trust-dns)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE-MIT)
[![License: Apache 2.0](https://img.shields.io/badge/license-Apache_2.0-blue.svg)](LICENSE-APACHE)

# trust-dns

A Rust based DNS client and server, built to be safe and secure from the
ground up.

[API documentation](https://docs.rs/trust-dns)

# Goals

- Build a safe and secure DNS server and client with modern features.
- No panics, all code is guarded
- Use only safe Rust, and avoid all panics with proper Error handling
- Use only stable Rust
- Protect against DDOS attacks (to a degree)
- Support options for Global Load Balancing functions
- Make it dead simple to operate

# Status:

## Client

Using the client is safe. The client is currently hardcoded to a 5-second
timeout. I'll make this configurable if people ask for that; please file a
request for any features. Please send feedback! It currently does not cache
responses; if this is a feature you'd like earlier rather than later, post a
request. The validation of DNSSec is complete, including NSEC. As of now NSEC3
is broken, and I may never plan to support it. I have some alternative ideas
for private data in the zone.

### Unique client side implementations

These are not unique to this client, but are high level functions that hide
the details in DNS from the caller.

* secure_query - DNSSec validation
* create - atomic create of a record, with authenticated request
* append - verify existence of a record and append to it
* compare_and_swap - atomic (depends on server) compare and swap
* delete_by_rdata - delete a specific record
* delete_rrset - delete an entire record set
* delete_all - delete all record sets with a given name

## Server

The server code is complete; the daemon supports IPv4 and IPv6, UDP and TCP.
There currently is no way to limit TCP and AXFR operations, so it is still not
recommended to put into production, as TCP can be used to DoS the service.
Master file parsing is complete and supported. There is currently no forking
option, and the server is not yet threaded. There is still a lot of work to do
before a server can be trusted with this externally. Running it behind a firewall
on a private network would be safe.

Zone signing support is complete. To insert a key, store a PEM-encoded RSA file
in the same directory as the initial zone file with the `.key` suffix. *Note*:
this must be readable only by the current user. If one is not present, one will
be created and written to the correct location. This also acts as the initial
key for dynamic update SIG(0) validation. To get the public key, the `DNSKEY`
record for the zone can be queried. This is needed to provide to other
upstream servers to create the `DS` key. Dynamic DNS is also complete;
if enabled, a journal file will be stored next to the zone file with the
`jrnl` suffix. *Note*: if the key is changed or updated, it is currently the
operator's responsibility to remove the only public key from the zone; this
allows for the `DNSKEY` to exist for some unspecified period of time during
key rotation. Rotating the key currently is not available online and requires
a restart of the server process.

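A pre-start check for the note above that the `.key` file must be readable only by the current user. This is an added example, not trust-dns code: `check_key_file`, `KeyFileCheck` and the demo file name are hypothetical, and it is Unix-only. File ownership is not checked here, only the group and world mode bits.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Outcome of inspecting a zone signing key file (hypothetical type, not trust-dns API).
#[derive(Debug, PartialEq)]
pub enum KeyFileCheck {
    /// Regular file with no group or world permission bits set.
    OwnerOnly,
    /// Regular file, but these group/world bits (mode & 0o077) are set.
    TooPermissive(u32),
    /// Symlink, directory, device, ...: do not load key material from it.
    NotRegularFile,
}

/// Inspect `path` without following symlinks, so a link placed next to the
/// zone file cannot redirect the check to some other, well-protected file.
pub fn check_key_file(path: &Path) -> io::Result<KeyFileCheck> {
    let meta = fs::symlink_metadata(path)?;
    if !meta.file_type().is_file() {
        return Ok(KeyFileCheck::NotRegularFile);
    }
    let extra = meta.permissions().mode() & 0o077;
    if extra != 0 {
        return Ok(KeyFileCheck::TooPermissive(extra));
    }
    Ok(KeyFileCheck::OwnerOnly)
}

/// Constructed demo: write a placeholder file with `mode`, check it, remove it.
pub fn demo(mode: u32) -> io::Result<KeyFileCheck> {
    let name = format!("example.zone.{}.{:o}.key", std::process::id(), mode);
    let path = std::env::temp_dir().join(name);
    fs::write(&path, b"placeholder, not a real key")?;
    fs::set_permissions(&path, fs::Permissions::from_mode(mode))?;
    let result = check_key_file(&path);
    fs::remove_file(&path)?;
    result
}

fn main() -> io::Result<()> {
    for mode in [0o600, 0o640, 0o644] {
        println!("{:o}: {:?}", mode, demo(mode)?);
    }
    Ok(())
}
```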

## DNSSec status

Currently the root key is hardcoded into the system. This gives validation of
DNSKEY and DS records back to the root. NSEC is implemented, but not NSEC3.
Because caching is not yet enabled, it has been noticed that some DNS servers
appear to rate limit the connections; validating RRSIG records back to the root
can require a significant number of additional queries for those records.

Zones will be automatically re-signed on any record updates via dynamic DNS.

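How a validator ties a `DS` record in the parent zone to the `DNSKEY` it refers to, as an added example (not trust-dns code): parse the DNSKEY RDATA and compute the RFC 4034 key tag. The function names and the `SAMPLE` bytes are constructed for illustration, and the DS digest comparison is left out.

```rust
// Constructed DNSKEY RDATA: flags 0x0101 (zone key + SEP), protocol 3,
// algorithm 8 (RSA/SHA-256), then truncated made-up key bytes, not a real key.
pub const SAMPLE: [u8; 12] = [0x01, 0x01, 3, 8, 3, 1, 0, 1, 0xAB, 0xCD, 0xEF, 0x42];

/// Parsed DNSKEY RDATA (RFC 4034, section 2.1).
#[derive(Debug, PartialEq)]
pub struct DnsKey<'a> {
    pub flags: u16,
    pub algorithm: u8,
    pub public_key: &'a [u8],
}

pub fn parse_dnskey<'a>(rdata: &'a [u8]) -> Result<DnsKey<'a>, &'static str> {
    if rdata.len() < 5 {
        return Err("DNSKEY RDATA too short");
    }
    if rdata[2] != 3 {
        return Err("protocol field must be 3"); // RFC 4034, section 2.1.2
    }
    let flags = u16::from_be_bytes([rdata[0], rdata[1]]);
    Ok(DnsKey { flags, algorithm: rdata[3], public_key: &rdata[4..] })
}

/// Key tag over the whole RDATA (RFC 4034, Appendix B): even offsets are the
/// high byte of a 16-bit word. Algorithm 1 (RSA/MD5) is not handled here.
pub fn key_tag(rdata: &[u8]) -> u16 {
    let mut acc: u32 = 0;
    for (i, &byte) in rdata.iter().enumerate() {
        acc += if i % 2 == 0 { (byte as u32) << 8 } else { byte as u32 };
    }
    acc += (acc >> 16) & 0xFFFF; // fold the carry back in
    (acc & 0xFFFF) as u16
}

/// Could this DNSKEY be the one a parent-zone DS record refers to? Only the
/// cheap pre-checks are done; the DS digest comparison is left out.
pub fn ds_candidate(ds_key_tag: u16, ds_algorithm: u8, rdata: &[u8]) -> bool {
    match parse_dnskey(rdata) {
        // 0x0100 is the Zone Key flag; keys without it must not validate zone data.
        Ok(key) => key.flags & 0x0100 != 0
            && key.algorithm == ds_algorithm
            && key_tag(rdata) == ds_key_tag,
        Err(_) => false,
    }
}

fn main() {
    println!("key tag {} candidate {}", key_tag(&SAMPLE), ds_candidate(41499, 8, &SAMPLE));
}
```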

## RFCs implemented

### Basic operations

- [RFC 1035](https://tools.ietf.org/html/rfc1035): Base DNS spec (partial, caching not yet supported)
- [RFC 3596](https://tools.ietf.org/html/rfc3596): IPv6
- [RFC 2782](https://tools.ietf.org/html/rfc2782): Service location
- [RFC 6891](https://tools.ietf.org/html/rfc6891): Extension Mechanisms for DNS

### Update operations

- [RFC 2136](https://tools.ietf.org/html/rfc2136): Dynamic Update

### Secure DNS operations

- [RFC 3007](https://tools.ietf.org/html/rfc3007): Secure Dynamic Update
- [RFC 4034](https://tools.ietf.org/html/rfc4034): DNSSEC Resource Records
- [RFC 4035](https://tools.ietf.org/html/rfc4035): Protocol Modifications for DNSSEC
- [RFC 4509](https://tools.ietf.org/html/rfc4509): SHA-256 in DNSSEC Delegation Signer
- [RFC 5702](https://tools.ietf.org/html/rfc5702): SHA-2 Algorithms with RSA in DNSKEY and RRSIG for DNSSEC
- [RFC 6840](https://tools.ietf.org/html/rfc6840): Clarifications and Implementation Notes for DNSSEC
- [RFC 6944](https://tools.ietf.org/html/rfc6944): DNSKEY Algorithm Implementation Status

## RFCs in progress or not yet implemented

### Basic operations

- [RFC 2308](https://tools.ietf.org/html/rfc2308): Negative Caching of DNS Queries
- [RFC 2317](https://tools.ietf.org/html/rfc2317): Classless IN-ADDR.ARPA delegation

### Update operations

- [RFC 1995](https://tools.ietf.org/html/rfc1995): Incremental Zone Transfer
- [RFC 1996](https://tools.ietf.org/html/rfc1996): Notify slaves of update
- [Update Leases](https://tools.ietf.org/html/draft-sekar-dns-ul-01): Dynamic DNS Update Leases
- [Long-Lived Queries](http://tools.ietf.org/html/draft-sekar-dns-llq-01): Notify with bells

### Secure DNS operations

- [RFC 5155](https://tools.ietf.org/html/rfc5155): DNSSEC Hashed Authenticated Denial of Existence
- [RFC 6975](https://tools.ietf.org/html/rfc6975): Signaling Cryptographic Algorithm Understanding
- [DNSCrypt](https://dnscrypt.org): Trusted DNS queries
- [S/MIME](https://tools.ietf.org/html/draft-ietf-dane-smime-09): Domain Names For S/MIME

# Usage

This assumes that you have [Rust](https://www.rust-lang.org) stable installed. These
presume that the trust-dns repos have already been synced to the local system:

```
$ git clone https://github.com/bluejekyll/trust-dns.git
$ cd trust-dns
```

## Prerequisites

- openssl development libraries
- sqlite3 development libraries

### Mac OS X: using homebrew

```
$ brew install openssl
$ brew install sqlite
$ export OPENSSL_INCLUDE_DIR=`brew --prefix openssl`/include
$ export OPENSSL_LIB_DIR=`brew --prefix openssl`/lib
```

### Debian-based (includes Ubuntu & Raspbian): using apt-get

```
$ apt-get install openssl
$ apt-get install libssl-dev
$ apt-get install libsqlite3-dev
```

## Testing

- Unit tests

  These are good for running on local systems. They will create sockets for
  local tests, but will not attempt to access remote systems.

  ```
  $ cargo test
  ```

- Functional tests

  These will try to use some local system tools for compatibility testing,
  and also make some remote requests to verify compatibility with other DNS
  systems. These cannot currently be run on Travis, for example.

  ```
  $ cargo test -- --ignored
  ```

- Benchmarks

  Waiting on benchmarks to stabilize in mainline Rust.

## Building

- Production build

  ```
  $ cargo build --release
  ```

## Running

Warning: Trust-DNS is still under development; running in production is not
recommended. The server is currently only single-threaded, but it is non-blocking,
so this should allow it to work with most internal loads.

- Verify the version

  ```
  $ target/release/named --version
  ```

- Get help

  ```
  $ target/release/named --help
  ```

# FAQ

- Why are you building another DNS server?

  Because of all the security advisories out there for BIND.
  Using Rust semantics it should be possible to develop a high performance and
  safe DNS Server that is more resilient to attacks.

## License

Licensed under either of

* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the Apache-2.0
license, shall be dual licensed as above, without any additional terms or
conditions.