Unified IPv6 DNS Security
While DJBDNS is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, we have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provide a full solution.
In order to achieve DNS message encryption on the server side, you need to install Harm van Tilborg's CurveDNS server alongside Daniel Bernstein's, Tanja Lange's, and Peter Schwabe's NaCl library.
- DJBDNSCurve6 in package format (to be done).
- CurveDNS (recommended)
- NaCl Library (required)
- Daemontools (recommended)
Meanwhile, Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning have started a similar project and released
- djbdns-1.06 (?)
- DNSCurve: Usable security for DNS
- dnscache Log File Format
- TinyDNS Format
- MaraDNS (perhaps)
Before fragmenting the available software even more, I stall my project and check for those resources.
Currently, I am working on
- Kai Peter's Qlibs including a DNS stub resolver based on DJBDNS (mostly done) -- and to be part of s/qmail 3.4.
- DJBDNS6 as a first step to provide connectivity, in particular for dnscache (progressing).
My roll-out plan for DJBDNSCurve6 stretches over several phases:
- Phase: DJBDNS6 based on Qlibs (and its DNS stub resolver routines) conforming to slashpackage installation conventions and covering IPv6 completely. This is the basic framework.
- Phase: DJBDNS6++ understanding EDNS(0) and support for current CurveDNS implementation.
- Phase: Integrated DNSCurve implementation based on NaCl.
The integration of IPv6 and DNS at the network level is rather frustrating. Ever tried to set up a DNS server listening on 'fe80::1%eth0' and making it reachable via /etc/resolv.conf? Ever heard of IPvFuture?
The release is due in 2018+.
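The difficulty with an address such as 'fe80::1%eth0' is that the zone after the '%' is not part of the 128-bit address: it has to be carried separately in `sin6_scope_id`, and plain `inet_pton()` rejects the suffix. The following C sketch is an added example, not code from DJBDNS, Qlibs or the add-on mentioned above; `plain_pton_ok` and `parse_scoped_ip6` are hypothetical helper names and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain inet_pton() has no notion of a zone: 1 = accepted, 0 = rejected. */
int plain_pton_ok(const char *text)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, text, &a) == 1;
}

/* Hypothetical helper: parse "addr" or "addr%zone" for a DNS socket (port 53).
 * Returns 0 on success, -1 on error. */
int parse_scoped_ip6(const char *text, struct sockaddr_in6 *sa)
{
    char addr[INET6_ADDRSTRLEN];
    const char *pct = strchr(text, '%');
    size_t len = pct ? (size_t)(pct - text) : strlen(text);
    if (len == 0 || len >= sizeof addr) return -1;
    memcpy(addr, text, len);
    addr[len] = '\0';
    memset(sa, 0, sizeof *sa);
    sa->sin6_family = AF_INET6;
    sa->sin6_port = htons(53);
    if (inet_pton(AF_INET6, addr, &sa->sin6_addr) != 1) return -1;
    if (pct) {
        /* Zone: try an interface name first, then a decimal interface index. */
        unsigned long n = if_nametoindex(pct + 1);
        if (n == 0 && isdigit((unsigned char)pct[1])) {
            char *end;
            n = strtoul(pct + 1, &end, 10);
            if (*end != '\0') return -1;
        }
        if (n == 0 || n > 0xffffffffUL) return -1;
        sa->sin6_scope_id = (uint32_t)n;
    }
    /* A link-local address is only meaningful together with its zone. */
    if (IN6_IS_ADDR_LINKLOCAL(&sa->sin6_addr) && sa->sin6_scope_id == 0) return -1;
    return 0;
}

int main(void)
{
    struct sockaddr_in6 sa; /* sample inputs below are constructed */
    printf("inet_pton accepts zone: %d\n", plain_pton_ok("fe80::1%eth0"));
    printf("scoped parse result:    %d\n", parse_scoped_ip6("fe80::1%1", &sa));
    return 0;
}
```

A server or stub resolver that drops the zone ends up with a link-local address it cannot bind or send to unambiguously, which is why the helper rejects 'fe80::1' without one.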