Migrating your server to DNSCurve
But let's start with the installation. First, you need to install a DNSCurve forwarder: the forwarder listens for incoming requests on your public_interface:53 and forwards all queries to the DNS server (such as tinydns) listening on 127.0.0.1:53. I'm using CurveDNS, which fits nicely into existing djbdns/tinydns installations. Installing it is only a matter of minutes, thanks to the very good documentation.

Keep in mind that dnscurve-0.87 does not chroot() itself: this patch (sent to upstream) will make dnscurve chroot() itself if $ROOT is set. To activate the chroot you should run:
# mkdir /etc/curvedns/root
# echo /etc/curvedns/root > /etc/curvedns/env/ROOT
# svc -t /service/curvedns
You can verify the result by running:
# ls -l /proc/`pgrep curvedns`/root
lrwxrwxrwx 1 root root 0 2011-01-09 17:47 /proc/6620/root -> /etc/curvedns/root/
Whee, that was easy, wasn't it? We can now modify the NS records of the server to include its public key!
Configuring the NS-Records
You should now create an A (or AAAA) record for your new nameserver (remember the curvedns-keygen output?). In my case /etc/tinydns/root/data looks like this:
=uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net:80.246.50.17
and the SOA record is set to:
.eqmx.net::uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net
(do not forget to run make ;-) )
You must now also add or change the NS record for your domain in the web interface of your registrar.
Testing your DNSCurve installation
Testing the glue-records
We will now check whether the TLD servers 'publish' the public key of our domain (e.g. eqmx.net).

Step 1: Ask the root servers for the TLD servers of eqmx.net:
$ dig +short eqmx.net @a.root-servers.net
....
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
....
Step 2: Ask the .net servers for information about eqmx.net:
$ dig NS eqmx.net @j.gtld-servers.net.
...
eqmx.net. 172800 IN NS dns1.workaround.ch.
eqmx.net. 172800 IN NS uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net.
eqmx.net. 172800 IN NS uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net.
....
Great: the public key is there! (If it isn't: did you update the records at your registrar? And even if you did, it can take some time until your changes are active.)
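Checking the delegation by eye works for one domain, but the uz5 label is easy to get subtly wrong (a dropped character, an 'a' or 'o' that is not in DNSCurve's alphabet). As an added example, not code from the original post or from CurveDNS, here is a small Python check that parses the NS lines dig returns, decodes each uz5 label with the base32 encoding from the DNSCurve specification (alphabet 0123456789bcdfghjklmnpqrstuvwxyz, 5 bits per character, least significant bits first) and reports which nameservers carry a well-formed 32-byte public key. The sample dig lines are the ones shown above.

```python
# Added example: decode the "uz5..." label DNSCurve embeds in a nameserver
# hostname and check a dig delegation for well-formed 32-byte public keys.

# DNSCurve base32 alphabet: digits, then consonants (no a, e, i, o).
# Each character carries 5 bits, least significant bits first.
DNSCURVE_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_CHARS = 51  # 51 * 5 = 255 bits; bit 255 of a Curve25519 key is 0


def decode_key(label: str) -> bytes:
    """'uz5' + 51 base32 chars -> 32-byte key; ValueError if malformed."""
    label = label.lower()  # DNS names are case-insensitive
    if len(label) != 3 + KEY_CHARS or not label.startswith("uz5"):
        raise ValueError("not a DNSCurve key label: %r" % label)
    n = 0
    for i, ch in enumerate(label[3:]):
        n |= DNSCURVE_ALPHABET.index(ch) << (5 * i)  # ValueError on bad char
    return n.to_bytes(32, "little")


def encode_key(key: bytes) -> str:
    """Inverse of decode_key: 32-byte key -> 51 chars (without 'uz5')."""
    if len(key) != 32 or key[31] & 0x80:
        raise ValueError("need a 32-byte key with the top bit clear")
    n = int.from_bytes(key, "little")
    return "".join(DNSCURVE_ALPHABET[(n >> (5 * i)) & 31]
                   for i in range(KEY_CHARS))


def dnscurve_key(ns_name: str):
    """Key embedded in the first label of ns_name, or None if plain DNS."""
    try:
        return decode_key(ns_name.strip(".").split(".")[0])
    except ValueError:
        return None


def check_delegation(dig_output: str) -> dict:
    """Map every NS target in dig output to its DNSCurve key (or None)."""
    found = {}
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "NS":
            found[f[4]] = dnscurve_key(f[4])
    return found


# Sample dig answer, copied from the delegation shown above.
SAMPLE_DIG = """\
eqmx.net. 172800 IN NS dns1.workaround.ch.
eqmx.net. 172800 IN NS uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net.
eqmx.net. 172800 IN NS uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net.
"""

if __name__ == "__main__":
    for ns, key in check_delegation(SAMPLE_DIG).items():
        print(ns, "->", key.hex() if key else "no DNSCurve key (plain DNS)")
```

Pipe the real query into it with `dig NS eqmx.net @j.gtld-servers.net. | python3 check.py` after swapping SAMPLE_DIG for sys.stdin.read(); a nameserver that should be DNSCurve-enabled but shows up as plain DNS means the NS record at the registrar is wrong or not yet active.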
Query the DNSCurve server
Chances are that there is no DNSCurve-aware client installed on your host, so we will use a simple DNSCurve-aware client written in Python (no installation needed).

Step 1: Grab a copy of Matthew Dempsky's dnscurve repository at GitHub:
$ cd /tmp
$ git clone https://github.com/mdempsky/dnscurve.git
$ cd dnscurve/tools
$ ln -s ../slownacl . # link to a python-nacl implementation
Step 2: Run dnsq.py:
$ python dnsq.py a www.eqmx.net 80.246.50.17 uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0
...output...
dnsq.py will print out some dig-like output if everything is OK. It will hang if you supply the wrong public key.