Here are some DNS-OARC development highlights from the past couple of months. These updates are usually bi-monthly and previous ones are available on our Medium blog.
The December update was replaced by another blog post on APNIC’s blog, this time it was about how DNSTAP support in DSC can allow you to monitor all of the DNS.
With the release of v2.4.0, the dependencies on BIND’s internal development libraries have been removed and replaced with dependencies on OpenSSL and LDNS.
I do not know the whole story but I believe dnsperf was once part of BIND, or a side/sub-project, and because of that it used BIND’s own development libraries for managing things like memory, linked lists and network sockets, along with everything DNS related.
These dependencies have survived for quite a long time because ISC has continued to maintain their development libraries aside from BIND itself, making it possible for other projects to use them. For example, linked lists have been used in both dsc and dnscap.
Some time ago Ondřej Surý, Director of DNS Engineering at ISC, told me about the upcoming plans for BIND 9.16 w.r.t. these development libraries, and as the roll out of 9.16 started we began getting reports of incompatibility.
While we were grateful for a work-around patch from Petr Menšík (Red Hat) worked (released in v2.3.4), it would not work long term.
dnsperf DNS-over-HTTPS project
At the same time as all this was happening, we were also planning for the project funded by Mozilla Open Source Support (MOSS) program, and the Comcast Innovation Fund that we just recently announced in a blog post about OARC Neutrality.
I suggested that we add additional phases to the project, as requirements to have a successful implementation of DNS-over-HTTPS support, so we did.
The first phase was about the removal of BIND’s internal development libraries, and while that might sound easy it was still a bit tricky since dnsperf has the capability to do TSIG and dynamic updates.
The DNS related requirements were solved with the help of LDNS, the functions that construct DNS packets were quite easy because dnsperf did most of the wire formatting itself already. Except for dynamic updates, LDNS helped a lot since it was using name compression.
TSIG functionality was also quite easy to move to OpenSSL as dnsperf only used the hashing functions for checksums, and constructed the DNS packet itself.
With the conclusion of the first phase of the project, dnsperf is in a much better state and is a lot easier to maintain and package. For example, this solved a long outstanding issue with Ubuntu packages due to how BIND’s internal development libraries themselves handled dependency and versioning.
The next phase in this project is to re-factor the engine, splitting it into two. One engine for stateless (UDP) and one for stateful/connection-oriented (TCP, DoT) communications. This will prepare it for phase 3, adding DNS-over-HTTPS support, which is scheduled to be completed in late summer this year.
Check My DNS — RPKI
With the funding awarded by the ARIN Community Grant Program in October 2020, Check My DNS has been given some much needed updates and more!
The first thing I did was update all the dependencies, this included the Go version, all Go dependencies, jQuery, Bootstrap, ChartJS and the theme from Bootswatch.
Next was to add something I’ve been thinking about for a while
These achievements can be used to indicate features and functionality, or a collection of them, that might be outside the scope of the rating. For example, the RPKI checks do not currently affect the rating you get, even if they fail.
Note on RPKI! See my blog post “RPKI origin validation for resolvers!”, which includes important caveats about how the check works.
This is also a very easy visual way (thanks freesvg.org!) of showing support for a specific feature or functionality. Another example — that I would like to add — is checking for all DNSSEC algorithms’ support. Here, the check could be that you support enough DNSSEC algorithms to have a functional DNS but if you support all the current algorithms you could also be awarded an achievement for it!
So, once I’d added the achievements functionality I changed the RPKI check to be included in the default setup of checks and it is now available for anyone to try out on Check My DNS.
Disclaimer: while writing this blog post I noticed that Check My DNS had stopped, so there might still be a few bugs in the system. If you find that it’s not working then please reach out to me via email or Mattermost.
-”But, what a minute, Beta banner gone?”
Yes, I’ve removed that because it was quite a difficult UI element to maintain. This does not mean Check My DNS is now a super duper stable production-ready thing, it is still mainly a testing, research and experiment tool. And there will be bugs… there are always bugs.
Depending on when this blog post gets release, OARC 34 will be in a week… or just in a few days!!! \o/ Slam packed with tons of DNS content! Hope to see you there!