folbricht / routedns

DNS stub resolver, proxy and router with support for DoT, DoH, DoQ, and DTLS
BSD 3-Clause "New" or "Revised" License

DNSSEC validator #123

Open folbricht opened 3 years ago

folbricht commented 3 years ago

Needed by https://github.com/folbricht/routedns/issues/116 so may as well turn it into a standalone element that could be added to chains. Should support fixed or dynamic keys, with automatic root key update etc.

cbuijs commented 2 years ago

Maybe check this out for examples/inspiration, recursive/validating DNS in GO: https://github.com/semihalev/sdns

charlieporth1 commented 2 years ago

Does Routedns use DNSSEC?

folbricht commented 2 years ago

It does not support it yet. I had a plan to implement it, and even some draft code, but have not found the time to really work on it yet.

cbuijs commented 2 years ago

It needs to be a recursive resolver as well first in my opinion to make it water-proof.

Now you just forward to a resolver that does it for you (and that you need to trust), like Google, Quad9, etc.

I forward myself to a powerdns-recursor locally on the same box that does all the internet-resolving recursively, including DNSSEC validation. Would be nice to cut another link in the chain though :-).

charlieporth1 commented 2 years ago

Interesting. @folbricht I would be happy to take a look and collaborate on that

folbricht commented 2 years ago

It'd be amazing to have a dnssec validator element, but it's also quite complex and I won't have much time for another 2 months or so. routedns wouldn't really need to be a recursive resolver to implement this. It could just load the necessary keys etc on-demand. My plan was to build it as just another element that could be added to a resolver chain. One would have to be careful not to have any element that modifies things behind it of course to avoid breaking the validation. It should have its own key-cache, and support loading the key from the official location, or have a fixed root-key provided in the config.
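
One building block of the validator element sketched above, as an added example that is not routedns code or the author's draft: checking that a DNSKEY fetched for a zone is the one a configured trust anchor vouches for, which is the check a validator has to make on the root key whether the anchor is loaded from IANA's root-anchors.xml (KeyTag, Algorithm, DigestType, Digest) or fixed in the config. It uses only the Go standard library; the function names are my own, and the key in `main` is constructed for illustration, not the real root KSK.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)
// DNSKEY is the RDATA of a DNSKEY record (RFC 4034 section 2.1).
type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}
// rdata serialises the DNSKEY RDATA in wire format: flags, protocol, algorithm, public key.
func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}
// KeyTag implements RFC 4034 Appendix B (every algorithm except 1): even-offset bytes are the high octet.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		ac += uint32(b) << uint(8*((i+1)%2))
	}
	return uint16((ac + (ac >> 16)) & 0xFFFF)
}
// wireName encodes an owner name as lowercase length-prefixed labels; "." becomes a single zero byte.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}
// DSDigest is the SHA-256 DS digest over owner name || DNSKEY RDATA (RFC 4034 section 5.1.4), upper-case hex as in root-anchors.xml.
func DSDigest(owner string, k DNSKEY) string {
	sum := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}
// MatchesAnchor reports whether a DNSKEY fetched for owner is the key a configured anchor (key tag, algorithm, SHA-256 digest) vouches for.
func MatchesAnchor(owner string, k DNSKEY, keyTag uint16, alg uint8, digest string) bool {
	return k.Algorithm == alg && k.KeyTag() == keyTag && strings.EqualFold(DSDigest(owner, k), digest)
}

func main() {
	key := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 8, PublicKey: []byte{1, 2}} // constructed, not a real key
	fmt.Println(key.KeyTag(), DSDigest(".", key), MatchesAnchor(".", key, 1291, 8, DSDigest(".", key)))
}
```

A validator would run `MatchesAnchor` on every key in the fetched root DNSKEY RRset and only then use the matching KSK to verify the RRset's RRSIG; a key that matches no anchor must not be trusted.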

cbuijs commented 2 years ago

Maybe of interest/example for recursive (iterative lookups instead of forwarding): https://github.com/domainr/dnsr

Uses miekg-dns already.

cbuijs commented 1 year ago

Maybe GoResolver would help or provide the needed insights/speedup?

charlieporth1 commented 1 year ago

@cbuijs I think I can do a PR with a dnssec implementation with that lib. Putting that ready for frank

folbricht commented 1 year ago

While the library can probably help get started, not sure we can use it directly as it doesn't appear to be in active development/support. It would also need a few tweaks to fit nicely into RouteDNS, like how it resolves signature records (which should go through existing pipelines and resolvers). Quite a fun project for sure, but also complex and time-intensive which is why I won't be able to get to it any time soon.

alpominth commented 1 year ago

@charlieporth1

Good luck!

I will be the first to test if you implement it yourself.