The December update was replaced by another blog post on APNIC’s blog, this time it was about how DNSTAP support in DSC can allow you to monitor all of the DNS.
I do not know the whole story but I believe dnsperf was once part of BIND, or a side/sub-project, and because of that it used BIND’s own development libraries for managing things like memory, linked lists and network sockets, along with everything DNS related.
These dependencies have survived for quite a long time because ISC has continued to maintain their development libraries aside from BIND itself, making it possible for other projects to use them. For example, linked lists have been used in both dsc and dnscap.
Some time ago Ondřej Surý, Director of DNS Engineering at ISC, told me about the upcoming plans for BIND 9.16 w.r.t. these development libraries, and as the roll out of 9.16 started we began getting reports of incompatibility.
dnsperf DNS-over-HTTPS project
At the same time as all this was happening, we were also planning for the project funded by Mozilla Open Source Support (MOSS) program, and the Comcast Innovation Fund that we just recently announced in a blog post about OARC Neutrality.
I suggested that we add additional phases to the project, as requirements to have a successful implementation of DNS-over-HTTPS support, so we did.
The first phase was about the removal of BIND’s internal development libraries, and while that might sound easy it was still a bit tricky since dnsperf has the capability to do TSIG and dynamic updates.
The DNS related requirements were solved with the help of LDNS, the functions that construct DNS packets were quite easy because dnsperf did most of the wire formatting itself already. Except for dynamic updates, LDNS helped a lot since it was using name compression.
TSIG functionality was also quite easy to move to OpenSSL as dnsperf only used the hashing functions for checksums, and constructed the DNS packet itself.
With the conclusion of the first phase of the project, dnsperf is in a much better state and is a lot easier to maintain and package. For example, this solved a long outstanding issue with Ubuntu packages due to how BIND’s internal development libraries themselves handled dependency and versioning.
The next phase in this project is to re-factor the engine, splitting it into two. One engine for stateless (UDP) and one for stateful/connection-oriented (TCP, DoT) communications. This will prepare it for phase 3, adding DNS-over-HTTPS support, which is scheduled to be completed in late summer this year.
Check My DNS — RPKI
Next was to add something I’ve been thinking about for a while
These achievements can be used to indicate features and functionality, or a collection of them, that might be outside the scope of the rating. For example, the RPKI checks do not currently affect the rating you get, even if they fail.
Note on RPKI! See my blog post “RPKI origin validation for resolvers!”, which includes important caveats about how the check works.
This is also a very easy visual way (thanks freesvg.org!) of showing support for a specific feature or functionality. Another example — that I would like to add — is checking for all DNSSEC algorithms’ support. Here, the check could be that you support enough DNSSEC algorithms to have a functional DNS but if you support all the current algorithms you could also be awarded an achievement for it!
So, once I’d added the achievements functionality I changed the RPKI check to be included in the default setup of checks and it is now available for anyone to try out on Check My DNS.
Disclaimer: while writing this blog post I noticed that Check My DNS had stopped, so there might still be a few bugs in the system. If you find that it’s not working then please reach out to me via email or Mattermost.
-”But, what a minute, Beta banner gone?”
Yes, I’ve removed that because it was quite a difficult UI element to maintain. This does not mean Check My DNS is now a super duper stable production-ready thing, it is still mainly a testing, research and experiment tool. And there will be bugs… there are always bugs.