abh / geodns

DNS server with per-client targeted responses
Apache License 2.0

DNSSEC support? #12

Open miekg opened 12 years ago

miekg commented 12 years ago

Hello,

Do you want to support DNSSEC?

There are two issues at stake here:

1) DNSSEC is dependent on a correct clock, hence everybody uses NTP. But this creates a catch-22 when DNSSEC validation errors break NTP.

2) Go DNS (and fksd) does not make DNSSEC as easy as it should, but this is minor compared to 1)

abh commented 12 years ago

Yes, I'm planning to. In the short term I don't want to add it as a new variability, but supporting it in the next few months so I can start experimenting with it on something that's not the main pool.ntp.org zone would be good.

Regarding being dependent on NTP, we can make sure the DNS servers here aren't depending on "themselves" for that.

I am most concerned about performance and what impact it will have on the DNS traffic on the (sometimes volunteer) servers, but those are things we can figure out, too.

miekg commented 12 years ago

[ Quoting notifications@github.com in "Re: [geodns] DNSSEC support? (#12)..." ]

> I am most concerned about performance and what impact it will have on the DNS traffic on the (sometimes volunteer) servers, but those are things we can figure out, too.

That should not be a problem. DNSSEC zones are pre-signed. The answers are slightly bigger than with DNS, but the server load does not increase (much).

Regards,

Miek Gieben  http://miek.nl

abh commented 12 years ago

But the geodns server makes every answer (just about) different. Maybe a cache could remember answers that worked out to be the same, but I don't think the hit rate would be huge. For 'pool.ntp.org' (assuming no country information for the client) it randomly chooses between 2-3000 weighted servers.

One option is to have 'pool.ntp.org' (for example) unsigned, but sign certain sub-zones (debian.pool.ntp.org, fedora.pool.ntp.org etc) for users who are more likely to care.

(Update: Eh, obviously pool.ntp.org would have to be signed for that to work, but 1.pool.ntp.org etc wouldn't have to be).

miekg commented 12 years ago

[ Quoting notifications@github.com in "Re: [geodns] DNSSEC support? (#12)..." ]

> But the geodns server makes every answer (just about) different. Maybe a cache could remember answers that worked out to be the same, but I don't think the hit rate would be huge. For 'pool.ntp.org' (assuming no country information for the client) it randomly chooses between 2-3000 weighted servers.

Ah. But that also means on-the-fly signing and distributing the private keys to slaves. All doable, but this makes for an interesting use case.

> One option is to have 'pool.ntp.org' (for example) unsigned, but sign certain sub-zones (debian.pool.ntp.org, fedora.pool.ntp.org etc) for users who are more likely to care.

That would break the chain of trust. Again: an interesting use case :-)

Regards,

Miek Gieben  http://miek.nl

miekg commented 9 years ago

Note that I've implemented on-the-fly signing with caching for SkyDNS: https://github.com/skynetservices/skydns/blob/master/server/dnssec.go

It uses NSEC3 white lies. Something similar can be done for geodns.
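The on-the-fly signing with a signature cache discussed in this thread, as an added Go example using only the standard library (it is not geodns or SkyDNS code). Assumptions: a textual canonical form stands in for the RFC 4034 canonical wire form an RRSIG actually covers, the cache reuses a signature for a one-hour validity window, and the Ed25519 key comes from a fixed demo seed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"sort"
	"strings"
	"time"
)

// canonical hashes a deterministic form of an A RRset: lowercased owner plus
// sorted rdata. Assumption: it stands in for the RFC 4034 canonical wire form.
func canonical(owner string, addrs []string) [32]byte {
	a := append([]string(nil), addrs...)
	sort.Strings(a)
	return sha256.Sum256([]byte(strings.ToLower(owner) + "|" + strings.Join(a, ",")))
}

type cached struct{ sig []byte; exp time.Time }
// Signer signs answers on the fly with Ed25519 (DNSSEC algorithm 15) and caches
// each signature under its canonical RRset, so a repeated answer is not re-signed.
type Signer struct {
	priv   ed25519.PrivateKey
	cache  map[[32]byte]cached
	Signed int // real signing operations performed
}

// NewSigner derives a key from a fixed 32-byte seed (constructed, demo only).
func NewSigner() *Signer {
	seed := []byte("geodns-dnssec-example-seed-00000")
	return &Signer{priv: ed25519.NewKeyFromSeed(seed), cache: map[[32]byte]cached{}}
}

// Sign reuses a cached signature while it is inside its validity window,
// otherwise signs the canonical RRset and caches the result for an hour.
func (s *Signer) Sign(owner string, addrs []string, now time.Time) []byte {
	key := canonical(owner, addrs)
	if c, ok := s.cache[key]; ok && now.Before(c.exp) {
		return c.sig
	}
	sig := ed25519.Sign(s.priv, key[:])
	s.cache[key] = cached{sig, now.Add(time.Hour)}
	s.Signed++
	return sig
}
// Verify checks a signature against the RRset's canonical form.
func (s *Signer) Verify(owner string, addrs []string, sig []byte) bool {
	key := canonical(owner, addrs)
	return ed25519.Verify(s.priv.Public().(ed25519.PublicKey), key[:], sig)
}
```

Every distinct weighted selection misses the cache, which is the hit-rate concern raised earlier in the thread; the cache only pays off for answers that repeat within the validity window.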