Trust-DNS 0.7.0


#1

This is a project I started writing about 10 months ago; it was working on this project that I fell in love with Rust, specifically because of the ease of writing finite state machines. I’m hoping to get trust-dns.org self-hosting on its one-year birthday, but there’s a bunch of last-mile stuff left to do that (mostly operations stuff). This represents the first release where I think I would stand by the Client being used.

The Client can be used to validate DNSSEC with NSEC (I don’t plan to support NSEC3 at this time). It also supports some other high-level operations around dynamic DNS; the coolest one is a compare_and_swap(). This release was rather large:

## 0.6.0 2016-06-01
### Added
- Documentation on all modules, and many standard RFC types
- Authority zone signing now complete, still need to load/save private keys
- DNSKEYs auto inserted for added private keys
- New mocked network client tests, to verify zone signing
- NSEC record creation for zone, with tests
- SIG0 validation for Authentication on for dynamic updates
- Client CQADDD operations, delete_by_rdata, delete_rrset, delete_all
- Client compare_and_swap operation... atomics are here!

### Fixed
- Added loop on TCP accept requests
- Added loop on UDP reads
- Upgraded to mio 0.5.1 for some bug fixes
- Not returning RRSIGs with SOA records on authoritative answers

### Changed
- Internal representation of record sets now a full data structure
- Better rrset keys for fewer clones
- Removed many excessive clones (should make requests even faster)
- Cleaned up authority upsert and lookup interfaces
- All authorities default to IN DNSCLASS now (none others currently supported)
- Cleaned up the Signer interface to support zone signing
- Simplified RData variant implementations
- Improved EDNS and SIG0 parsing on Message deserialization

Full changelog

Up next is support for TSIG (only SIG0 public/private key authentication is supported at the moment). Then on to persistence on the server (this is necessary for restart/crash survivability). After that I’ll start working on dynamic master/slave replication (possibly implementing Raft directly into the DNS protocols, which would be kinda cool). I’ve considered breaking apart the different pieces into three different crates, something that could be done upon request (to, say, make the Client package smaller for users); open an issue if this is something you’d like.

Anyway, I’d love feedback!


#2

That’s great news. Trust-DNS is one of the first projects that got me interested in Rust, and it’s nice to see such progress being made. I think the project also acts as really good reference code, and it has helped me to learn Rust’s module layout, logging, and lots more. Many thanks for your work.

I filed a couple of feature requests this morning around dnstap and sandboxing, please drop me a line if you want to discuss.


#3

I’m glad my project inspired you! Fun to hear that.

In terms of module and code layout, I don’t know that I’m using idiomatic Rust, I actually derive most of that from my Java days. Also, I’ve learned a lot while writing this so there are older sections of code that are not as clean as they could be. As I have the opportunity I go back and clean those up.

One of these days I also need to split my Message struct into an Owned vs. Shared model. Once I do that it should clean up a bunch of unnecessary clones.

BTW, I took a brief look at your requests, both seem pretty reasonable. I think I’ll start trying to prioritize those to stabilization or operations features. Also on a side note, you guys use Unbound, I’m curious, what big features do you like in that project?


#4

We use Unbound because it’s 1) not BIND, 2) really fast, and 3) the default in OpenBSD. We also use it on FreeBSD.
In terms of features, the one we make most use of is the ability to use “local-data” lists for overriding resolution (in BIND this is “Response Policy Zone Rewriting”). We take various threat intelligence feeds (downloaded and processed using Rust :sunglasses: ) and effectively blackhole communication with known malicious domains, advertising content providers, etc. by having Unbound resolve them to 127.0.0.1. I’ll write up another FR for this one on GitHub.
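
The blocklist workflow described in post #4, as an added example that is not part of the thread and not code from Unbound or Trust-DNS: it turns a threat feed into Unbound `local-zone`/`local-data` lines that answer with 127.0.0.1. The feed contents, the allowlist entry `intranet.example.org` and the function names are assumptions made for illustration.

```rust
use std::collections::BTreeSet;
// Constructed sample feed: mixed case, hosts-file style, junk and hostile lines.
const SAMPLE_FEED: &str = r##"# constructed sample feed
Malware.Example.
0.0.0.0 ads.tracker.example   # hosts-file style
127.0.0.1 localhost
192.0.2.10
example.org
evil".example
malware.example
"##;

/// Lowercase DNS name from one feed line; None for comments, junk or unsafe names.
fn normalize(line: &str) -> Option<String> {
    // Strip comments; take the last field so "0.0.0.0 name" lines also work.
    let field = line.split('#').next()?.split_whitespace().last()?;
    let name = field.trim_end_matches('.').to_ascii_lowercase();
    // Strict label charset: nothing can escape the quoted Unbound string.
    let label_ok = |l: &str| {
        !l.is_empty() && l.len() <= 63 && !l.starts_with('-') && !l.ends_with('-')
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
    };
    // Two or more labels (never a TLD) and a non-numeric last label (no bare IPs).
    let tld_alpha = name.rsplit('.').next()?.bytes().any(|b| b.is_ascii_alphabetic());
    if name.len() > 253 || !name.contains('.') || !tld_alpha || !name.split('.').all(label_ok) {
        return None;
    }
    Some(name)
}

/// True if `a` equals `b` or is a subdomain of `b`.
fn within(a: &str, b: &str) -> bool {
    a == b || a.ends_with(&format!(".{}", b))
}

/// A `redirect` zone also answers for subdomains, so drop allowlist overlap both ways.
fn unbound_blocklist(feed: &str, allow: &[&str]) -> String {
    let names: BTreeSet<String> = feed.lines().filter_map(normalize)
        .filter(|n| !allow.iter().any(|a| within(n, a) || within(a, n)))
        .collect();
    names.iter()
        .map(|n| format!("local-zone: \"{}\" redirect\nlocal-data: \"{} A 127.0.0.1\"\n", n, n))
        .collect()
}

fn main() {
    // The allowlist entry is hypothetical: a name that must keep resolving.
    print!("{}", unbound_blocklist(SAMPLE_FEED, &["intranet.example.org"]));
}
```

The generated lines belong in the `server:` clause of `unbound.conf`, typically through an included file that is regenerated whenever the feed updates.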


#5

Congrats on the first release @bluejekyll!


#6

Thanks, @steven_pack.

We should get together again soon.


#7

(I decided to continue using the same thread)

The 0.7.0 release is a continuation on the path of features for running the server in production. This release mainly adds the ability for Trust-DNS to keep a journal of dynamic updates using SQLite. It also adds auto signing and private key generation (be careful to secure the private keys that are generated; I plan to support PKCS11 at some point in the future).

## 0.7.0 2016-06-20
### Added
- Added recovery from journal to named startup
- SQLite journal for dynamic update persistence
- Private Key generation during startup, for dnssec zones
- Read private key from filesystem during start and registers to zone

### Changed
- Removed many of the unwraps in named binary
- Reworked all errors to use error-chain
- Adjusted interface for Signer to use duration
- All `#[cfg(ftest)]` tests now `#[ignore]`

### Fixed
- TXT record case sensitivity

Full changelog


#8

I’m halfway through with my futures implementation around the DNS client in Trust-DNS. The basic UDP client is implemented, but no SIG0 or dynamic DNS support at the moment. TCP will come next. If anyone has any feedback, I’d love to hear it:

https://github.com/bluejekyll/trust-dns/blob/bfry/futures/src/client/client_future.rs#L254

It supports both IPv4 and IPv6, which is derived from the server IP address.