2
0
mirror of https://github.com/namecoin/ncdns synced 2024-11-10 01:10:31 +00:00
Go to file
JeremyRand 4cb4768424
Merge #77: Travis: various static analysis fixes/improvements
c1f6d2c ncdomain: fix redundant return statement in parseSingleService. (JeremyRand)
a876b17 ncdomain: fix redundant return statement in parseSingleMX. (JeremyRand)
40eeed1 ncdomain: fix redundant return statement in parseTXT. (JeremyRand)
497faca goimports -w tlsrestrictchromium/tlsrestrict_chromium_tool/main.go (JeremyRand)
a107d33 goimports -w tlsrestrictchromium/chromium_test.go (JeremyRand)
056215e Travis: mark megacheck linter as non-critical. (JeremyRand)
91e1ce4 Travis: aligncheck linter is replaced by maligned linter. (JeremyRand)
cf97a1a Travis: mark nakedret linter as non-critical. (JeremyRand)
f031d2b goimports -w tlsrestrictchromium/chromium.go (JeremyRand)
5350011 Travis: update gometalinter to v2. (JeremyRand)
9b6643d goimports -w server/server.go (JeremyRand)
4c66b15 certinject: Fix duplicated log variable. (JeremyRand)
5d508f6 goimports -w certdehydrate/certdehydrate_test.go (JeremyRand)
519f47f goimports -w main.go (JeremyRand)

Pull request description:

  TODO:

  - [x] Fix any static analysis warnings that this triggers.

Tree-SHA512: 4071af04fa08534815b8d14fccc998087d9d9580b2407bea0671e290e370a5e75d608a21d351b7377387e0f4029f870049feaa0adeaef0e99fa3252eef272df7
2018-06-27 07:16:27 +00:00
_doc Refactoring for travis, make 2015-12-06 05:28:47 +00:00
_tpl/std Refactoring for travis, make 2015-12-06 05:28:47 +00:00
.travis Merge #77: Travis: various static analysis fixes/improvements 2018-06-27 07:16:27 +00:00
backend Backend: fixed misspellings. 2018-03-12 22:10:46 +00:00
certdehydrate goimports -w certdehydrate/certdehydrate_test.go 2018-06-23 10:04:19 +00:00
certinject certinject: Fix duplicated log variable. 2018-06-23 10:04:20 +00:00
generate_nmc_cert generate_nmc_cert: disable goimports linter. 2018-06-23 09:54:49 +00:00
namecoin Add cookie support 2017-04-16 04:38:57 +01:00
ncdomain ncdomain: fix redundant return statement in parseSingleService. 2018-06-23 10:04:27 +00:00
ncdt Fix imports due to repository move 2017-06-07 05:14:50 +01:00
ncdumpzone ncdumpzone: Use easyconfig instead of kingpin. 2018-06-23 06:01:42 +00:00
server goimports -w server/server.go 2018-06-23 10:04:21 +00:00
testutil more compliance 2014-12-08 06:07:07 +00:00
tlshook gofmt -s tlshook/tlshook.go 2017-11-04 08:00:09 +00:00
tlsoverridefirefox ncdumpzone: Add Firefox mode. 2018-03-24 02:25:40 +00:00
tlsrestrictchromium goimports -w tlsrestrictchromium/tlsrestrict_chromium_tool/main.go 2018-06-23 10:04:25 +00:00
util gofmt -s util/util_test.go 2017-11-04 08:01:56 +00:00
x509 Rebase x509 onto Go 1.9. 2018-06-23 05:08:00 +00:00
.travis.yml Travis: build releases with Go 1.9. 2018-06-23 05:14:41 +00:00
BorderlessBlockParty2015.md TLS dehydrated certificate injection for CryptoAPI trust store (triggered by hooking DNS lookups). 2017-07-28 02:26:40 +00:00
main.go goimports -w main.go 2018-06-23 10:04:19 +00:00
Makefile Build: Makefile: move repo from hlandau/ncdns to namecoin/ncdns. 2017-08-08 05:57:57 +00:00
README.md Mention DNSSEC Trigger. 2017-09-19 22:44:56 +01:00

ncdns

A Go daemon to bridge Namecoin to DNS. The daemon acts as an authoritative nameserver and queries a Namecoin daemon over JSON-RPC in order to obtain zone data.

The daemon can optionally sign zones with DNSSEC and supports the use of DS records in Namecoin. It works best when used by Unbound or another recursive resolver, or as an authoritative nameserver for a stub zone.

Using ncdns to provide a suffix

The daemon acts as an authoritative nameserver for any name containing a 'bit' label. For example, all of the following queries return the same records:

  • example.bit.
  • example.bit.example.com.

This enables the easy use of suffixes. (Note that this will cause a different hostname to be transmitted for protocols like HTTP, and server configuration may need to be modified to enable this. In some cases there may be no simple solution to enabling arbitrary suffix use with a given piece of server software, in which known suffixes can be configured; patches for such software would be desirable.)

Using ncdns with a recursive resolver

Of course the daemon can also be used simply as an authoritative nameserver for bit. directly. One way to do this is to run a recursive resolver (such as Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example unbound configuration:

server:
  do-not-query-localhost: no
stub-zone:
  name: bit.
  stub-addr: 127.0.0.1@1153

If you don't want to use DNSSEC, also add:

server:
  domain-insecure: bit.

If you do want to use DNSSEC, see the instructions below.

Note how you can specify a port other than 53. This allows you to run both Unbound and ncdns on the same machine. Alternately, you could add an additional loopback IP address (127.0.0.2) and bind ncdns to that. This is useful if your recursive resolver doesn't support a port number other than 53.

Using DNSSEC

To use DNSSEC, generate keys with dnssec-keygen or ldns-keygen. You will need to generate a key-signing key and a zone-signing key:

# Generate KSK.
$ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit

# Generate ZSK.
$ dnssec-keygen -a RSASHA256 -3 -b 2048 bit

Each of these commands will generate a pair of files, a .key file and a .private file. Make a note of which is the KSK and which is the ZSK. If you forget, check the comments inside the .key file. (If there are no comments for some reason, a KSK usually contains the string DNSKEY 256 and a ZSK DNSKEY 257.)

(You could substitute something else for bit as ncdns doesn't care. However if you want to use the key as a trust anchor with a recursive resolver such as unbound, you should specify bit.)

If using Unbound as a recursive resolver, you should add the KSK's public key file as a trust anchor to unbound like so:

server:
  trust-anchor-file: "/etc/unbound/keys/bit.key"

bit.key should be the file containing the KSK DNSKEY (or DS) which ncdns is configured to use.

Building

Prerequisites:

  1. Ensure you have the Go tools installed.

  2. If using Linux, ensure you have the libcap development headers installed. (Most distributions will have a package called libcap-dev or similar.)

Option A: Using Go build commands (works on any platform with Bash):

  1. Ensure you have the GOPATH environment variable set. (For those not familar with Go, setting it to the path to an empty directory will suffice. The directory will be filled with build files.)

  2. Run go get -d -t -u github.com/namecoin/ncdns/.... The ncdns source code will be retrieved automatically.

  3. Run go generate github.com/namecoin/ncdns/.... Some source code will be generated.

  4. Run go get -t github.com/namecoin/ncdns/.... ncdns will be built. The binaries will be at $GOPATH/bin/ncdns.

Option B: Using Makefile (non-Windows platforms):

  1. Run make. The source repository will be retrieved via go get automatically.

ncdns can be run as a Windows service; see the output of ncdns --help.

Configuration

ncdns uses a configuration file which is looked for at ../etc/ncdns.conf (relative to the executable path) and /etc/ncdns/ncdns.conf. You can override this and all options on the command line. An annotated example configuration file ncdns.conf.example is available in doc.

You will need to setup a namecoind, namecoin-qt or compatible Namecoin node and enable the JSON-RPC interface. You will then need to provide ncdns with the address of this interface and any necessary username and password via the configuration file.

If you only want to resolve .bit names yourself, here is a suggested setup on Linux:

  • Install namecoind (or namecoin-qt) and set it to start automatically at boot or login. Set up the JSON-RPC interface and make sure it works by making a test query: namecoind name_show d/example.

  • Write a ncdns configuration file and set ncdns up to start at boot. Since Unbound will tie up port 53, set a different port (ideally one >=1024, so it needn't be run as root.) Test that ncdns works by trying to resolve a .bit domain. If you want to use DNSSEC, generate keys as shown above and configure ncdns appropriately.

  • Install and setup the Unbound recursive resolver on your system. On most systems, the recommended way to install Unbound is to install DNSSEC Trigger, which installs and configures Unbound automatically.

    If you wish to use DNSSEC, add the ncdns DNSKEY to Unbound as a trust anchor as shown above. See above for configuration suggestions.

  • Edit /etc/resolv.conf to point to the Unbound resolver at 127.0.0.1. (If this file is generated automatically via DHCP or similar, you may find these changes keep getting wiped out. Either reconfigure whatever keeps overwriting it to stop doing so, or, as a stopgap measure, make the file immutable using chattr +i.)

Licence

Licenced under the GPLv3 or later.
© 2014-2015 Hugo Landau <hlandau@devever.net>