2015-11-16 04:57:59 +00:00
|
|
|
[](https://travis-ci.org/bluejekyll/trust-dns)
|
2016-02-21 22:50:19 +00:00
|
|
|
[](https://coveralls.io/github/bluejekyll/trust-dns?branch=master)
|
2015-11-16 04:57:59 +00:00
|
|
|
[](https://crates.io/crates/trust-dns)
|
2016-02-21 22:47:35 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
# trust-dns
|
|
|
|
|
|
2015-08-22 00:29:00 +00:00
|
|
|
A Rust based DNS client and server, built to be safe and secure from the
|
|
|
|
|
ground up.
|
2015-08-14 23:28:01 +00:00
|
|
|
|
2016-05-21 04:57:55 +00:00
|
|
|
[API documentation](http://trust-dns.org/target/doc/trust_dns/index.html)
|
|
|
|
|
|
2015-08-14 23:28:01 +00:00
|
|
|
# Goals
|
|
|
|
|
|
|
|
|
|
- Build a safe and secure DNS server and client with modern features.
|
2015-10-17 22:33:13 +00:00
|
|
|
- No panics, all code is guarded
|
2015-08-22 00:29:00 +00:00
|
|
|
- Use only safe Rust, and avoid all panics with proper Error handling
|
|
|
|
|
- Use only stable Rust
|
2015-08-14 23:28:01 +00:00
|
|
|
- Protect against DDOS attacks (to a degree)
|
2015-10-17 22:33:13 +00:00
|
|
|
- Support options for Global Load Balancing functions
|
|
|
|
|
- Make it dead simple to operate
|
2015-08-14 23:28:01 +00:00
|
|
|
|
|
|
|
|
# Status:
|
|
|
|
|
|
2016-05-21 04:57:55 +00:00
|
|
|
## Client
|
|
|
|
|
|
2016-03-10 06:50:11 +00:00
|
|
|
Using the client should be safe. The client is currently hardcoded to a 5 second,
|
2016-05-21 04:57:55 +00:00
|
|
|
timeout. I'll make this configurable if people ask for that, please file a
|
|
|
|
|
request for any features. Please send feedback! It currently does not cache
|
|
|
|
|
responses, if this is a feature you'd like earlier rather than later, post a
|
|
|
|
|
request. The validation of DNSSec is complete including NSEC. As of now NSEC3
|
|
|
|
|
is broken, and it's not clear at this point that it will be supported.
|
|
|
|
|
|
|
|
|
|
## Server
|
2015-08-14 23:28:01 +00:00
|
|
|
|
2015-11-16 04:57:59 +00:00
|
|
|
The server code is complete, the daemon supports IPv4 and IPv6, UDP and TCP.
|
|
|
|
|
There currently is no way to limit TCP and AXFR operations, so it is still not
|
|
|
|
|
recommended to put into production as TCP can be used to DOS the service.
|
|
|
|
|
Master file parsing is complete and supported. There is currently no forking
|
2016-03-10 06:50:11 +00:00
|
|
|
option, and the server is not yet threaded. There is still a lot of work to do
|
|
|
|
|
before a server can be trusted with this externally. Running it behind a firewall
|
|
|
|
|
on a private network would be safe.
|
|
|
|
|
|
2016-05-21 04:57:55 +00:00
|
|
|
Zone signing support is a work in progress, there is currently no way to
|
|
|
|
|
associate keys to zones. Dynamic DNS is also complete, but currently there is
|
|
|
|
|
no storage or syncing with other servers, so it's not recommended to use this
|
|
|
|
|
feature yet, and is disabled by default on zones.
|
|
|
|
|
|
2016-03-10 06:50:11 +00:00
|
|
|
## DNSSec status
|
|
|
|
|
|
|
|
|
|
Currently the root key is hardcoded into the system. This gives validation of
|
2016-05-21 04:57:55 +00:00
|
|
|
DNSKEY and DS records back to the root. NSEC is implemented, but not NSEC3.
|
2016-03-10 06:50:11 +00:00
|
|
|
Because caching is not yet enabled, it has been noticed that some DNS servers
|
|
|
|
|
appear to rate limit the connections, validating RRSIG records back to the root
|
|
|
|
|
can require a significant number of additional queries for those records.
|
2015-08-22 00:29:00 +00:00
|
|
|
|
2015-10-17 22:33:13 +00:00
|
|
|
## RFC's implemented
|
2015-09-17 21:13:01 +00:00
|
|
|
|
2015-11-16 04:57:59 +00:00
|
|
|
### Basic operations
|
2015-10-18 20:45:31 +00:00
|
|
|
- [RFC 1035](https://tools.ietf.org/html/rfc1035): Base DNS spec (partial, caching not yet supported)
|
|
|
|
|
- [RFC 3596](https://tools.ietf.org/html/rfc3596): IPv6
|
2015-11-16 04:57:59 +00:00
|
|
|
- [RFC 2782](https://tools.ietf.org/html/rfc2782): Service location
|
2015-12-15 07:49:01 +00:00
|
|
|
- [RFC 6891](https://tools.ietf.org/html/rfc6891): Extension Mechanisms for DNS
|
2015-11-16 04:57:59 +00:00
|
|
|
|
|
|
|
|
### Update operations
|
2015-10-18 20:45:31 +00:00
|
|
|
- [RFC 2136](https://tools.ietf.org/html/rfc2136): Dynamic Update
|
2015-10-17 22:33:13 +00:00
|
|
|
|
2016-03-10 06:50:11 +00:00
|
|
|
### Secure DNS operations
|
|
|
|
|
- [RFC 3007](https://tools.ietf.org/html/rfc3007): Secure Dynamic Update
|
|
|
|
|
- [RFC 4034](https://tools.ietf.org/html/rfc4034): DNSSEC Resource Records
|
|
|
|
|
- [RFC 4035](https://tools.ietf.org/html/rfc4035): Protocol Modifications for DNSSEC
|
|
|
|
|
- [RFC 4509](https://tools.ietf.org/html/rfc4509): SHA-256 in DNSSEC Delegation Signer
|
|
|
|
|
- [RFC 5702](https://tools.ietf.org/html/rfc5702): SHA-2 Algorithms with RSA in DNSKEY and RRSIG for DNSSEC
|
|
|
|
|
- [RFC 6840](https://tools.ietf.org/html/rfc6840): Clarifications and Implementation Notes for DNSSEC
|
|
|
|
|
- [RFC 6944](https://tools.ietf.org/html/rfc6944): DNSKEY Algorithm Implementation Status
|
|
|
|
|
|
2015-10-17 22:33:13 +00:00
|
|
|
## RFC's in progress or not yet implemented
|
|
|
|
|
|
2015-11-16 04:57:59 +00:00
|
|
|
### Basic operations
|
|
|
|
|
- [RFC 2308](https://tools.ietf.org/html/rfc2308): Negative Caching of DNS Queries
|
|
|
|
|
- [RFC 2317](https://tools.ietf.org/html/rfc2317): Classless IN-ADDR.ARPA delegation
|
|
|
|
|
|
|
|
|
|
### Update operations
|
2015-10-18 20:45:31 +00:00
|
|
|
- [RFC 1995](https://tools.ietf.org/html/rfc1995): Incremental Zone Transfer
|
|
|
|
|
- [RFC 1996](https://tools.ietf.org/html/rfc1996): Notify slaves of update
|
2015-11-16 04:57:59 +00:00
|
|
|
- [Update Leases](https://tools.ietf.org/html/draft-sekar-dns-ul-01): Dynamic DNS Update Leases
|
|
|
|
|
- [Long-Lived Queries](http://tools.ietf.org/html/draft-sekar-dns-llq-01): Notify with bells
|
|
|
|
|
|
|
|
|
|
### Secure DNS operations
|
|
|
|
|
- [RFC 5155](https://tools.ietf.org/html/rfc5155): DNSSEC Hashed Authenticated Denial of Existence
|
2015-12-15 07:49:01 +00:00
|
|
|
- [RFC 6975](https://tools.ietf.org/html/rfc6975): Signaling Cryptographic Algorithm Understanding
|
2015-10-18 20:45:31 +00:00
|
|
|
- [DNSCrypt](https://dnscrypt.org): Trusted DNS queries
|
2015-12-15 07:49:01 +00:00
|
|
|
- [S/MIME](https://tools.ietf.org/html/draft-ietf-dane-smime-09): Domain Names For S/MIME
|
2015-10-17 22:33:13 +00:00
|
|
|
|
|
|
|
|
# Usage
|
|
|
|
|
|
2015-10-18 20:45:31 +00:00
|
|
|
This assumes that you have [Rust](https://www.rust-lang.org) stable installed. These
|
|
|
|
|
presume that the trust-dns repos have already been synced to the local system:
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ git clone https://github.com/bluejekyll/trust-dns.git
|
|
|
|
|
$ cd trust-dns
|
2015-10-18 20:45:31 +00:00
|
|
|
|
2015-11-18 08:10:49 +00:00
|
|
|
## Prerequisites
|
|
|
|
|
|
|
|
|
|
- openssl development libraries are necessary
|
|
|
|
|
|
|
|
|
|
Mac OS X: using homebrew
|
|
|
|
|
|
|
|
|
|
$ brew install openssl
|
|
|
|
|
$ brew link --force openssl
|
|
|
|
|
|
2015-10-18 20:45:31 +00:00
|
|
|
## Testing
|
|
|
|
|
|
|
|
|
|
- Unit tests
|
|
|
|
|
|
|
|
|
|
These are good for running on local systems. They will create sockets for
|
|
|
|
|
local tests, but will not attempt to access remote systems.
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ cargo test
|
2015-10-18 20:45:31 +00:00
|
|
|
|
|
|
|
|
- Functional tests
|
|
|
|
|
|
|
|
|
|
These will try to use some local system tools for compatibility testing,
|
|
|
|
|
and also make some remote requests to verify compatibility with other DNS
|
|
|
|
|
systems. These can not currently be run on Travis for example.
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ cargo test --features=ftest
|
2015-10-18 20:45:31 +00:00
|
|
|
|
|
|
|
|
- Benchmarks
|
|
|
|
|
|
|
|
|
|
Waiting on benchmarks to stabilize in mainline Rust.
|
|
|
|
|
|
|
|
|
|
## Building
|
|
|
|
|
|
|
|
|
|
- Production build
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ cargo build --release
|
2015-10-18 20:45:31 +00:00
|
|
|
|
|
|
|
|
## Running
|
|
|
|
|
|
|
|
|
|
Warning: Trust-DNS is still under development, running in production is not
|
|
|
|
|
recommended. The server is currently only single-threaded, it is non-blocking
|
|
|
|
|
so this should allow it to work with most internal loads.
|
|
|
|
|
|
|
|
|
|
- Verify the version
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ target/release/named --version
|
2015-10-18 20:45:31 +00:00
|
|
|
|
|
|
|
|
- Get help
|
2015-10-18 20:51:12 +00:00
|
|
|
|
|
|
|
|
$ target/release/named --help
|
2015-08-14 23:28:01 +00:00
|
|
|
|
|
|
|
|
# FAQ
|
|
|
|
|
|
2015-10-18 20:51:12 +00:00
|
|
|
- Why are you building another DNS server?
|
2015-08-14 23:28:01 +00:00
|
|
|
|
2015-11-16 04:57:59 +00:00
|
|
|
Because of all the security advisories out there for BIND.
|
2015-08-14 23:28:01 +00:00
|
|
|
Using Rust semantics it should be possible to develop a high performance and
|
|
|
|
|
safe DNS Server that is more resilient to attacks.
|
2016-01-11 07:45:43 +00:00
|
|
|
|
|
|
|
|
## License
|
|
|
|
|
|
|
|
|
|
Licensed under either of
|
|
|
|
|
|
|
|
|
|
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
|
|
|
|
|
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)
|
|
|
|
|
|
|
|
|
|
at your option.
|
|
|
|
|
|
|
|
|
|
### Contribution
|
|
|
|
|
|
|
|
|
|
Unless you explicitly state otherwise, any contribution intentionally
|
|
|
|
|
submitted for inclusion in the work by you, as defined in the Apache-2.0
|
|
|
|
|
license, shall be dual licensed as above, without any additional terms or
|
|
|
|
|
conditions.
|
