Development Update — Summer Edition 2021

My balcony this summer :D

Here are some DNS-OARC development highlights from the past couple of months. These updates are usually bi-monthly but this one is a summer edition special. Previous articles can be found on our Medium blog.

dnsjit modules

A way to create your own dnsjit modules is now available!

With the release of v1.2.0 (coming soon!) there are now development files that can be installed and used to create your own C modules for dnsjit. To help with this I’ve created a few example modules to look at.

The input.zero and output.null modules were testing modules I created when developing dnsjit. They are now located under examples/modules and have been made into stand-alone automake projects which can be used as a base for any modules you want to create. There is also an example of stand-alone tools in examples/stand-alone-tool (once v1.2.0 is released) if you wish to distribute your dnsjit hacks!

With this, the output.dnssim module, the heart of DNS shotgun, has been moved out of dnsjit to DNS shotgun’s repository.

RPKI origin validation

There has been some exciting development within the area of testing for RPKI origin validation. Willem Toorop and Jasper den Hertog (NLnet Labs), with help from RIPE NCC, have created a new setup that works a bit differently than the current one that Check My DNS uses.

This new setup uses a route announcement to announce a more specific route that is invalid. If you’re not validating the Route Origin Authorization (ROA) object, you’ll contact that IP address instead of going to the one with a valid ROA. For reference, the current setup used by Check My DNS uses two ROAs for separate networks, one valid ROA and one invalid ROA.

Here’s an example where Willem tests from NLnog Ring:

nlnetlabs@xs4all01:~$ dig rpkitest.nlnetlabs.nl TXT +short
"HOORAY — Your resolver is protected by Route Origin Validation :)!"
nlnetlabs@isc01:~$ dig rpkitest.nlnetlabs.nl TXT +short
"NO — Your resolver is NOT protected by Route Origin Validation :("
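
Why the two resolvers above end up at different servers, as an added example (not code from NLnet Labs or the test setup itself): it classifies announcements per RFC 6811 and then does longest-prefix matching with and without dropping invalid routes. The prefixes, AS numbers and host names are constructed from documentation ranges, and it is an assumption that the more specific route is invalid because of its origin AS.

```python
import ipaddress

# Constructed sample data: documentation prefix (RFC 3849) and ASNs (RFC 5398).
# Assumption: the more specific route is invalid because of its origin AS.
VRPS = [("2001:db8::/47", 47, 64496)]  # (prefix, maxLength, origin AS) from ROAs
ROUTES = [  # (announced prefix, origin AS, host that answers there)
    ("2001:db8::/47", 64496, "valid-server"),
    ("2001:db8:1::/48", 64497, "invalid-server"),
]


def rov_state(prefix, origin, vrps=VRPS):
    """Classify an announcement as valid, invalid or not-found (RFC 6811)."""
    prefix = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if prefix.version != vrp_net.version or not prefix.subnet_of(vrp_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        if prefix.prefixlen <= max_len and vrp_asn != 0 and origin == vrp_asn:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def forward(dest, validating, routes=ROUTES):
    """Longest-prefix match over the accepted routes; returns the host reached."""
    dest = ipaddress.ip_address(dest)
    best_len, best_host = -1, None
    for prefix, origin, host in routes:
        net = ipaddress.ip_network(prefix)
        if validating and rov_state(prefix, origin) == "invalid":
            continue  # a validating network rejects the invalid announcement
        if dest in net and net.prefixlen > best_len:
            best_len, best_host = net.prefixlen, host
    return best_host


if __name__ == "__main__":
    for validating in (False, True):
        print("validating" if validating else "not validating",
              "->", forward("2001:db8:1::53", validating))
```

Without validation the /48 wins on prefix length, so traffic lands on the host behind the invalid announcement; with validation that route is rejected and the covering /47 is used instead.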

== HELP NEEDED ==

Right now we’ve only set this up for the RIPE RPKI Trust Anchor (TA), since they were kind enough to provide networks for this, so we are looking for help to set this up for the other TAs.

The requirements for any RPKI OV test setup are quite steep and this setup needs a /23 IPv4 and a /47 IPv6 block. Because of the availability of IPv4 addresses, we’re aware that we might only be able to check IPv6 for some RIRs/TAs.

If you want to help or if you know someone else that might, please let us know! You can find both Willem and me on our Mattermost.

dnsperf — DNS-over-HTTPS support

Work has started on adding support for DNS-over-HTTPS to dnsperf and is being done by our new project-specific Software Engineer Atanas Argirov.

We expect to have preliminary support added in a few weeks which will be followed by a release. It’s greatly appreciated if you’re able to help with the testing once that’s out! And expect more releases during the course of this final phase in the project as we are working out the kinks.

DSC + Grafana crash course

I’m currently planning an online interactive crash course on how to set up DSC, dsc-datatool, InfluxDB and Grafana, and how to create custom graphs on the data.

This crash course will be available for anyone to join but since there is a lot of interest from our members I don’t know when I will be able to run a public one.

Ideally the format should be short as well as interactive and engaging, so I’ll need to decide the right number of seats for that. I also plan to run this course a number of times which will be flexible regarding dates and time of day depending on the group.

If this piqued your interest and you can’t wait for the public one then you could sign up as a member today! ;) ;)

Heads-up: OARC35a!

We will shortly announce the details around our next conference, OARC 35a — a short online-only version of our regular conferences. Stay Tuned!

Cheers,
Jerry

Domain Name System Operations Analysis and Research Center