...how to deploy dnscurve

I've recently started to support DNSCurve on my nameservers running djbdns and you might do the same on your infrastructure: deploying DNSCurve turned out to be very easy and took about 1 hour of work!

Migrating your server to DNSCurve

But let's start with the installation: First, you need to install a dnscurve-forwarder: The forwarder will listen for incoming requests on your public_interface:53 and forwards all queries to the dns-server (such as tinydns) listening on I'm using CurveDNS which fits nicely into existing djbdns/tinydns installations. Installing it is only a matter of minutes, thanks to the very good documentation.

Keep in mind that dnscurve-0.87 does not chroot() itself: this patch (sent to upstream) will make dnscurve chroot() itself if $ROOT is set. To activate chroot you should run: # mkdir /etc/curvedns/root
# echo /etc/curvedns/root > /etc/curvedns/env/ROOT
# svc -t /service/curvedns
..you can verify the result by running: # ls -l /proc/`pgrep curvedns`/root
lrwxrwxrwx 1 root root 0 2011-01-09 17:47 /proc/6620/root -> /etc/curvedns/root/

Whee, that was easy, wasn't it? We can now modify the NS-Records of the server to include its private key!

Configuring the NS-Records

You should now create an entry for your new nameserver A (or AAAA) record: (remember the curvedns-keygen output?)
In my case /etc/tinydns/root/data looks like this: =uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net: ..and the SOA record is set to .eqmx.net::uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net (do not forget to run make ;-) )
You must now also change/add the new NS-Record for you domain in the webinterface of your registrar.

Testing your DNSCurve installation

Testing the glue-records

We will now check if the TLD-Servers will 'publish' the public key of our domain (eg. eqmx.net).

Step 1: Ask the root-servers for the TLD-Servers of eqmx.new $ dig +short eqmx.net @a.root-servers.net
net.          172800 IN NS a.gtld-servers.net.
net.          172800 IN NS b.gtld-servers.net.

Step 2: Ask the .net servers for information about eqmx.net: $ dig NS eqmx.net @j.gtld-servers.net.
eqmx.net. 172800 IN NS dns1.workaround.ch.
eqmx.net. 172800 IN NS uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net.
eqmx.net. 172800 IN NS uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net.
Great: the public key is there! (If it isn't: Did you update the records at your registrar? And even if you did: It can take some time until your changes are active)

Query the DNSCurve server

Chances are that there is no dnscurve-aware client installed on your host: we will use a simple dnscurve-aware client written in python (no installation needed)

Step 1: Grab a copy of Matthew Dempsky's dnscurve repository at github:
$ cd /tmp
$ git clone https://github.com/mdempsky/dnscurve.git
$ cd dnscurve/tools
$ ln -s ../slownacl . # link to a python-nacl implementation

Step 2: Run dnsq.py:
$ python dnsq.py a www.eqmx.net uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0
dnsq.py will printout some dig-like output if everything is ok. It will hang if you supply the wrong public key.

Patching dnscache to do DNSCurve queries

Matthew Dempsky has also written a patch for dnscache: You can grab a copy at http://shinobi.dempsky.org/~matthew/patches/djbdns-dnscurve-20090602.patch


comments powered by Disqus