DNSSEC for tinydns
This project adds DNSSEC support to D. J. Bernstein's tinydns.
It consists of two parts (mostly):
- tinydns-sign, a perl script for augmenting a tinydns-data file with DNSSEC-related RRs, and
- a patch to tinydns / axfrdns to make them produce DNSSEC-authenticated answers.
The patch tries to preserve the behaviour of tinydns/axfrdns wrt non-DNSSEC queries, with these noteworthy exceptions:
- The interpretation of wildcard records now matches the description in
RFC-1034 section 4.3.3.
Specifically, if there's a wildcard *.x and a
record for a.x, then a query for y.a.x will not be answered using the
wildcard (for a label 'a' and series of labels 'x' and 'y').
This change is required for signed domains, because authentication of negative responses requires a common understanding between client and server about the meaning of wildcards.
- EDNS0 in queries will be honoured also for non-DNSSEC queries, i. e.
tinydns may produce answers exceeding 512 bytes. (There is a hard
limit of 4000 bytes, though.)
This can lead to problems on IPv6 networks.
- TXT records are split into character-strings of 255 bytes, not 127. This is not really a DNSSEC-related change, but this is kind of a FAQ and tinydns-data and tinydns-sign must agree on how this is handled or the generated RRSIG won't match.
- The patch includes a fix for the broken CNAME handling in tinydns. The usual patch for this conflicts with fefe's IPv6 patch and requires further modifications for DNSSEC, so I decided to roll my own solution.
Be careful with publishing signed zones as a secondary nameserver: the modified tinydns/axfrdns require certain helper RRs in the database to simplify locating NSEC3 records. Without these helpers, tinydns cannot generate valid negative response nor valid wildcard responses.
Axfrdns will publish these helper RRs, other primaries will most likely not.