# trust-dns

[![Build Status](https://travis-ci.org/bluejekyll/trust-dns.svg?branch=master)](https://travis-ci.org/bluejekyll/trust-dns)
[![Coverage Status](https://coveralls.io/repos/bluejekyll/trust-dns/badge.svg?branch=master&service=github)](https://coveralls.io/github/bluejekyll/trust-dns?branch=master)
[![crates.io](http://meritbadge.herokuapp.com/trust-dns)](https://crates.io/crates/trust-dns)

A Rust-based DNS client and server, built to be safe and secure from the
ground up.

# Goals

- Build a safe and secure DNS server and client with modern features.
- No panics: all code is guarded
- Use only safe Rust, and avoid all panics with proper error handling
- Use only stable Rust
- Protect against DDoS attacks (to a degree)
- Support options for Global Load Balancing functions
- Make it dead simple to operate
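
As an added example (this is not trust-dns code, and its type and function names are this example's own), here is what "no panics, all code is guarded" looks like for the one piece of RFC 1035 every DNS program has to get right: the message header and the compressed-name parser. Every read goes through `slice::get` so a truncated message is an `Err` rather than an index panic, a compression pointer may only jump backwards so a self-referencing name is an error rather than a hang, and the 255-octet name limit is enforced. The message bytes are a constructed sample, not a capture.

```rust
// Added example, not trust-dns code: a panic-free parser for the DNS header
// (RFC 1035 s4.1.1) and compressed names (s4.1.4). Every short read, unknown
// label type, over-long name and non-backward compression pointer comes back
// as an Err instead of aborting the process.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { offset: usize }, // read past the end of the message
    BadLabelType(u8),            // 0b01/0b10 label types are not supported
    NameTooLong,                 // wire form longer than 255 octets
    BadPointer,                  // pointer not strictly backward: loop risk
}

#[derive(Debug, PartialEq)]
pub struct Header {
    pub id: u16, pub is_response: bool, pub opcode: u8, pub rcode: u8,
    pub qdcount: u16, pub ancount: u16, pub nscount: u16, pub arcount: u16,
}

// Bounds-checked big-endian u16 read: slice::get never panics.
fn read_u16(buf: &[u8], at: usize) -> Result<u16, ParseError> {
    match (buf.get(at), buf.get(at + 1)) {
        (Some(&hi), Some(&lo)) => Ok((u16::from(hi) << 8) | u16::from(lo)),
        _ => Err(ParseError::Truncated { offset: at }),
    }
}

pub fn parse_header(buf: &[u8]) -> Result<Header, ParseError> {
    let flags = read_u16(buf, 2)?;
    Ok(Header {
        id: read_u16(buf, 0)?,
        is_response: flags & 0x8000 != 0,
        opcode: ((flags >> 11) & 0x0F) as u8,
        rcode: (flags & 0x0F) as u8,
        qdcount: read_u16(buf, 4)?,
        ancount: read_u16(buf, 6)?,
        nscount: read_u16(buf, 8)?,
        arcount: read_u16(buf, 10)?,
    })
}

// Parses the name at `start`; returns the dotted name and the offset just past
// the name's own bytes (a pointer consumes exactly 2 bytes, wherever it jumps).
pub fn parse_name(buf: &[u8], start: usize) -> Result<(String, usize), ParseError> {
    let mut labels = Vec::new();
    let mut pos = start;
    let mut segment_start = start; // where the label run being read began
    let mut end = None; // caller's resume offset, fixed by the first jump
    let mut total = 0usize; // length of the uncompressed wire form
    loop {
        let len = *buf.get(pos).ok_or(ParseError::Truncated { offset: pos })?;
        match len >> 6 {
            0 if len == 0 => { pos += 1; break; } // root label ends the name
            0 => {
                let l = usize::from(len);
                let bytes = buf.get(pos + 1..pos + 1 + l).ok_or(ParseError::Truncated { offset: pos + 1 })?;
                total += l + 1;
                if total > 255 {
                    return Err(ParseError::NameTooLong);
                }
                labels.push(String::from_utf8_lossy(bytes).into_owned());
                pos += 1 + l;
            }
            3 => {
                // Only jumps to before the current run are allowed, so every
                // hop moves strictly left and a pointer cycle cannot occur.
                let ptr = usize::from(read_u16(buf, pos)? & 0x3FFF);
                if ptr >= segment_start {
                    return Err(ParseError::BadPointer);
                }
                end = end.or(Some(pos + 2));
                segment_start = ptr;
                pos = ptr;
            }
            _ => return Err(ParseError::BadLabelType(len)),
        }
    }
    Ok((format!("{}.", labels.join(".")), end.unwrap_or(pos)))
}

// Header plus the first question (name, qtype, qclass) of a message.
pub fn parse_question(buf: &[u8]) -> Result<(Header, String, u16, u16), ParseError> {
    let header = parse_header(buf)?;
    let (qname, next) = parse_name(buf, 12)?;
    Ok((header, qname, read_u16(buf, next)?, read_u16(buf, next + 2)?))
}

// Constructed sample (not a capture): a response for `example.com. IN A` whose
// single answer names its owner with the pointer 0xC00C -> offset 12.
pub const SAMPLE: &[u8] = &[
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, // header: id, flags, counts
    7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0, 0, 1, 0, 1, // question
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, 192, 0, 2, 1, // answer RR
];

fn main() {
    println!("{:?}", parse_question(SAMPLE));
    println!("{:?}", parse_name(&[0xC0, 0x00], 0)); // self-pointing name: Err, not a hang
}
```

The backward-only rule for pointers is stricter than the letter of RFC 1035 (which only requires that a pointer refer to a prior occurrence of a name), but it makes termination a property of the loop rather than of a hop counter, which is the kind of guarantee a "no panics" codebase wants to be able to state.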

# Status

WARNING!!! Under active development!

The client now supports timeouts (thanks, mio!). The timeout is currently
hardcoded to 5 seconds; I'll make it configurable if people ask for that, but
this allows me to move on.

The server code is complete: the daemon supports IPv4 and IPv6, over both UDP
and TCP. There is currently no way to limit TCP connections or AXFR (zone
transfer) operations, so it is still not recommended for production, since TCP
can be used to DoS the service. Master (zone) file parsing is complete and
supported. There is currently no forking option, and the server is not yet
threaded.
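
Both guards the paragraph above lists as missing, sketched as an added example (not trust-dns code; every type and function name here is this example's own) in plain Rust data structures so they can be exercised without sockets: a per-source and global cap on concurrent TCP connections, and an allow-list of source prefixes for AXFR. The limits and the documentation-range addresses are assumptions for illustration.

```rust
// Added example, not trust-dns code: the two guards the status text says are
// still missing, as socket-free data structures so they can be unit tested.
// A server would call try_accept() on accept(), release() on close or idle
// timeout, and permits() before answering an AXFR. Limits are assumptions.
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq)]
pub enum Refusal {
    SourceLimit, // this client already holds its share of connections
    GlobalLimit, // the whole listener is at capacity
}

// Caps concurrent TCP connections per source address and in total, so one
// client cannot hold every TCP slot open (the DoS the status text warns about).
pub struct TcpLimiter {
    per_source_max: usize,
    total_max: usize,
    per_source: HashMap<IpAddr, usize>,
    total: usize,
}

impl TcpLimiter {
    pub fn new(per_source_max: usize, total_max: usize) -> Self {
        TcpLimiter { per_source_max, total_max, per_source: HashMap::new(), total: 0 }
    }

    // On Err the caller should close the accepted socket immediately.
    pub fn try_accept(&mut self, src: IpAddr) -> Result<(), Refusal> {
        if self.total >= self.total_max {
            return Err(Refusal::GlobalLimit);
        }
        if self.per_source.get(&src).copied().unwrap_or(0) >= self.per_source_max {
            return Err(Refusal::SourceLimit);
        }
        *self.per_source.entry(src).or_insert(0) += 1;
        self.total += 1;
        Ok(())
    }

    // Must run on every close path, including idle timeouts; a client that
    // connects and goes silent otherwise keeps its slot forever.
    pub fn release(&mut self, src: IpAddr) {
        let now_idle = match self.per_source.get_mut(&src) {
            Some(n) if *n > 0 => {
                *n -= 1;
                self.total -= 1;
                *n == 0
            }
            _ => false, // unknown source: nothing to release
        };
        if now_idle {
            self.per_source.remove(&src); // keep the map from growing unbounded
        }
    }

    pub fn active(&self) -> usize {
        self.total
    }
}

// AXFR is honoured only for sources inside an allowed prefix (normally the
// secondaries); everyone else should get REFUSED, as BIND's allow-transfer does.
pub struct TransferAcl {
    allowed: Vec<(IpAddr, u8)>, // (network address, prefix length)
}

impl TransferAcl {
    pub fn new(allowed: Vec<(IpAddr, u8)>) -> Self {
        TransferAcl { allowed }
    }

    pub fn permits(&self, src: IpAddr) -> bool {
        self.allowed.iter().any(|&(net, prefix)| in_prefix(src, net, prefix))
    }
}

// Prefix match with no address-family mixing and no shift overflow: a /0
// masks nothing, and a prefix longer than the family allows is clamped.
fn in_prefix(addr: IpAddr, net: IpAddr, prefix: u8) -> bool {
    match (addr, net) {
        (IpAddr::V4(a), IpAddr::V4(n)) => {
            let mask = u32::MAX.checked_shl(32 - u32::from(prefix.min(32))).unwrap_or(0);
            (u32::from(a) & mask) == (u32::from(n) & mask)
        }
        (IpAddr::V6(a), IpAddr::V6(n)) => {
            let mask = u128::MAX.checked_shl(128 - u32::from(prefix.min(128))).unwrap_or(0);
            (u128::from(a) & mask) == (u128::from(n) & mask)
        }
        _ => false,
    }
}

fn main() {
    let mut limiter = TcpLimiter::new(2, 64);
    let client = IpAddr::V6(Ipv6Addr::LOCALHOST);
    let first = limiter.try_accept(client);
    let second = limiter.try_accept(client);
    let third = limiter.try_accept(client);
    println!("{:?} {:?} {:?}", first, second, third);
    let acl = TransferAcl::new(vec![(IpAddr::V4(Ipv4Addr::new(192, 0, 2, 0)), 24)]);
    println!("AXFR from 192.0.2.53 permitted: {}", acl.permits(IpAddr::V4(Ipv4Addr::new(192, 0, 2, 53))));
}
```

The connection cap only helps if the server also bounds how long a single connection may sit idle or how many queries it may send, so a limiter like this belongs next to a per-connection read timeout rather than in place of one.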

## RFCs implemented

### Basic operations

- [RFC 1035](https://tools.ietf.org/html/rfc1035): Base DNS spec (partial, caching not yet supported)
- [RFC 3596](https://tools.ietf.org/html/rfc3596): IPv6 (AAAA records)
- [RFC 2782](https://tools.ietf.org/html/rfc2782): Service location (SRV records)

### Update operations

- [RFC 2136](https://tools.ietf.org/html/rfc2136): Dynamic Update

## RFCs in progress or not yet implemented

### Basic operations

- [RFC 2308](https://tools.ietf.org/html/rfc2308): Negative Caching of DNS Queries
- [RFC 2317](https://tools.ietf.org/html/rfc2317): Classless IN-ADDR.ARPA delegation
- [RFC 6891](https://tools.ietf.org/html/rfc6891): Extension Mechanisms for DNS (EDNS(0))

### Update operations

- [RFC 1995](https://tools.ietf.org/html/rfc1995): Incremental Zone Transfer (IXFR)
- [RFC 1996](https://tools.ietf.org/html/rfc1996): Notify slaves of update (DNS NOTIFY)
- [Update Leases](https://tools.ietf.org/html/draft-sekar-dns-ul-01): Dynamic DNS Update Leases
- [Long-Lived Queries](http://tools.ietf.org/html/draft-sekar-dns-llq-01): Notify with bells on

### Secure DNS operations

- [RFC 3007](https://tools.ietf.org/html/rfc3007): Secure Dynamic Update
- [RFC 4034](https://tools.ietf.org/html/rfc4034): DNSSEC Resource Records
- [RFC 4035](https://tools.ietf.org/html/rfc4035): Protocol Modifications for DNSSEC
- [RFC 4509](https://tools.ietf.org/html/rfc4509): SHA-256 in DNSSEC Delegation Signer
- [RFC 5155](https://tools.ietf.org/html/rfc5155): DNSSEC Hashed Authenticated Denial of Existence (NSEC3)
- [RFC 5702](https://tools.ietf.org/html/rfc5702): SHA-2 Algorithms with RSA in DNSKEY and RRSIG for DNSSEC
- [RFC 6840](https://tools.ietf.org/html/rfc6840): Clarifications and Implementation Notes for DNSSEC
- [RFC 6944](https://tools.ietf.org/html/rfc6944): DNSKEY Algorithm Implementation Status
- [DNSCrypt](https://dnscrypt.org): Authenticated, encrypted queries to a resolver
# Usage

This assumes that you have stable [Rust](https://www.rust-lang.org) installed
and that the trust-dns repository has already been cloned to the local system:

```
$ git clone https://github.com/bluejekyll/trust-dns.git
$ cd trust-dns
```

## Prerequisites

- OpenSSL development libraries are necessary

Mac OS X, using Homebrew:

```
$ brew install openssl
$ brew link --force openssl
```

## Testing

- Unit tests

These are good for running on local systems. They will create sockets for
local tests, but will not attempt to access remote systems.

```
$ cargo test
```

- Functional tests

These will try to use some local system tools for compatibility testing, and
also make some remote requests to verify compatibility with other DNS systems.
These cannot currently be run on Travis, for example.

```
$ cargo test --features=ftest
```

- Benchmarks

Waiting on benchmarks to stabilize in mainline Rust.

## Building

- Production build

```
$ cargo build --release
```

## Running

Warning: Trust-DNS is still under development; running it in production is not
recommended. The server is currently single-threaded, but it is non-blocking,
so this should allow it to work with most internal loads.

- Verify the version

```
$ target/release/named --version
```

- Get help

```
$ target/release/named --help
```
# FAQ

- Why are you building another DNS server?

Because of all the security advisories out there for BIND. Using Rust's safety
guarantees, it should be possible to develop a high-performance, safe DNS
server that is more resilient to attacks.