I mainly procrastinate my actual work with DNS - the Domain Name System. Over the past half year I started from scratch with the goal of implementing a recursive resolver. It has been working fine on my laptop for a few months, but I'm not sufficiently satisfied to put it online (yet).
While looking into how to configure it, I stumbled upon nsupdate (https://tools.ietf.org/html/rfc2136); if you add TSIG (https://tools.ietf.org/html/rfc2845) you even get authentication. It turns out that a configurable resolver (to be used in a similar fashion to DNSmasq or your system resolver) needs a complete authoritative nameserver next to it for your local overlays.
I went down the rabbit hole, and by now have a primary nameserver (which receives all updates via nsupdate) and a secondary nameserver (which waits for a notify (https://tools.ietf.org/html/rfc1996) from the primary, then requests the SOA and, if there's a newer serial, starts a zone transfer (https://tools.ietf.org/html/rfc5936) - both authenticated with the TSIG mentioned above).
And I just succeeded in the first non-trivial setup:
- primary NS with example zone containing itself and two keys (transfer and update)
- secondary NS with the same transfer key, nothing else
- client (nsupdate from the ISC BIND project) which sends an update frame to the primary, authenticated with the update key: add example 300 ns ns2.example; add ns2.example 300 a 10.0.0.3
- primary sending a notify to the new secondary
- secondary requests the SOA of example from the primary (authenticated with the transfer key)
- primary answering with an authenticated SOA
- secondary, since it does not hold the example zone with a serial equal to the one in the SOA, requesting a zone transfer from the primary (authenticated with the transfer key)
- primary answering the zone transfer with an authenticated zone
- secondary receiving the zone, and now serving it
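Every step above carries a TSIG signature, so here is the request-side MAC computation and the checks a verifier runs, as an added example (not code from ocaml-dns or from this post). The key name, secret, algorithm (hmac-sha256 rather than the original hmac-md5) and the sample message are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample key; a real server loads the shared secret from its key file.
KEY_NAME = "transfer.example."
SECRET = b"constructed-shared-secret-not-for-real-use"
ALGORITHM = "hmac-sha256."  # algorithm names are wire-encoded like domain names

def wire_name(name: str) -> bytes:
    """Canonical uncompressed wire form: lowercase labels, each length-prefixed, root byte last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before hashing (RFC 2845 section 3.4.2):
    key NAME, CLASS=ANY(255), TTL=0, algorithm name, 48-bit time signed, fudge, error, other."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, message, key_name, time_signed, fudge):
    """MAC over the DNS message as it looks with the TSIG RR removed (the caller already
    restored the original ID and decremented ARCOUNT) followed by the TSIG variables.
    Request side only: a response would first prepend the request MAC with a 16-bit length."""
    return hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()

def tsig_verify(secret, message, key_name, time_signed, fudge, mac, now):
    """Verifier's view: constant-time MAC comparison first, then the time window,
    which is the order RFC 2845 section 4.5 prescribes (BADSIG before BADTIME)."""
    if not hmac.compare_digest(tsig_mac(secret, message, key_name, time_signed, fudge), mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed stand-in for the secondary's SOA query for "example." (header + question only).
MESSAGE = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + wire_name("example.") + struct.pack("!HH", 6, 1))
```

A request signed with the update key but checked against the transfer key fails as BADSIG because the key name is part of the hashed variables, not only the secret.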
This may be half the way down. Extensions I'd like to have include incremental zone transfer, authentication via TLS, adding keys via nsupdate as well (that should work, but I haven't tried it), persistent storage in a (read-only, written by the nameserver) git repository, going back to my resolver implementation and revising it once more, integrating the zone file parser from ocaml-dns, DNSSEC (signing and validation), multicast DNS ("bonjour" / "zeroconf"), ...
But first I'll polish the existing parts, do some more interoperability tests with available server and client software, and make the code publicly accessible. And/or go back to my TCP work.