How to deploy DNSCurve
I’ve recently started to support DNSCurve on my nameservers running djbdns and you might do the same on your infrastructure: deploying DNSCurve turned out to be very easy and took about 1 hour of work!
Migrating your server to DNSCurve
But let’s start with the installation: First, you need to install a dnscurve-forwarder: The forwarder will listen for incoming requests on your public_interface:53 and forwards all queries to the dns-server (such as tinydns) listening on 127.0.0.1:53.
Keep in mind that dnscurve-0.87 does not chroot() itself: This patch (sent to upstream) will make dnscurve chroot() itself if $ROOT is set. To activate chroot you should run:
$ mkdir /etc/curvedns/root $ echo /etc/curvedns/root > /etc/curvedns/env/ROOT $ svc -t /service/curvedns
$ ls -l /proc/`pgrep curvedns`/root lrwxrwxrwx 1 root root 0 2011-01-09 17:47 /proc/6620/root -> /etc/curvedns/root/
Whee, that was easy, wasn’t it? We can now modify the NS-Records of the server to include its private key!
Configuring the NS-Records
You should now create an entry for your new nameserver A (or AAAA) record: (remember the curvedns-keygen output?) In my case /etc/tinydns/root/data looks like this:
..and the SOA record is set to
(do not forget to run make ;-) )
You must now also change/add the new NS-Record for you domain in the webinterface of your registrar.
Testing your DNSCurve installation
Testing the glue-records
We will now check if the TLD-Servers will ‘publish’ the public key of our domain (eg. eqmx.net).
Step 1: Ask the root-servers for the TLD-Servers of eqmx.net:
$ dig +short eqmx.net @a.root-servers.net .... net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. ....
Step 2: Ask the .net servers for information about eqmx.net:
$ dig NS eqmx.net @j.gtld-servers.net. ... eqmx.net. 172800 IN NS dns1.workaround.ch. eqmx.net. 172800 IN NS uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net. eqmx.net. 172800 IN NS uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net. ....
Great: the public key is there! (If it isn’t: Did you update the records at your registrar? And even if you did: It can take some time until your changes are active)
Query the DNSCurve server
Chances are that there is no dnscurve-aware client installed on your host: we will use a simple dnscurve-aware client written in python (no installation needed)
Step 1: Grab a copy of Matthew Dempsky’s dnscurve repository at github:
$ cd /tmp $ git clone https://github.com/mdempsky/dnscurve.git $ cd dnscurve/tools $ ln -s ../slownacl . # link to a python-nacl implementation
Step 2: Run dnsq.py:
$ python dnsq.py a www.eqmx.net 220.127.116.11 uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0 ...output...
dnsq.py will printout some dig-like output if everything is ok. It will hang if you supply the wrong public key.
Patching dnscache to do DNSCurve queries
Matthew Dempsky has also written a patch for dnscache: You can grab a copy at this location