home.social

#djbdns — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #djbdns, aggregated by home.social.

  1. @cks @lanodan

    Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

    AAAA has plenty of obvious choices.

    You'll know the `.` convention for SRV, SVCB, and MX resource record sets, of course.

    I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

    #djbdns
    #DomainNameSystem
    #SplitHorizon
    #ReservedSuperDomains #DNS #HTTPS #SVCB

  2. @cks @lanodan @drscriptt

    There are actually quite a few, nowadays. See RFCs 6762, 7686, and 8375.

    example. is not the worst choice, although you could have gone with test. or internal. or intranet. .

    Given your objective, any of the further ones that imply a residence or a corporation seem less well suited.

    Although home.arpa.'s public delegation to the blackhole-{1,2}.iana.org. names is re-used.

    github.com/jdebp/nosh/blob/tru

    #djbdns #DomainNameSystem #SplitHorizon #ReservedSuperDomains #DNS

  3. @schmonz

    #pickdns is dropped as of #djbwares 11.

    And the packages that get built out of the box, for what it's worth, now have the easter, nowutc, leapsecs, and yearcal utilities in their own taitools package, leaving libtai as just a development package.

    #djbdns

  4. @cks

    Scanning for publicly-reachable proxy DNS servers is old-hat. I've been warning people about such since the turn of the century, and #tinydns is never going to be vulnerable in that way.

    The more interesting attack, not least because Bernstein got it right all along, is the people that send queries with huge EDNS0 buffer sizes, asking for ANY against fsf.org (which is nearly 5KiB of response) and direct the responses at the tram port of some victim's router.

    #djbdns #djbwares

  5. @cks

    The first sentence of the new security chapter that I wrote last week for the Guide for #djbwares :

    > Expect any Internet-facing DNS service to be attacked immediately that it is up and running.

    It has certainly been my experience.

    I looked up one of the attackers, and they actually claimed on a WWW page to be a shadowy organization that works for governments but cannot tell you about it.

    #tinydns happily logs dropping all of the queries. (-:

    #djbdns

  6. If you've been wondering what has been happening with #djbwares 11, you'll have your answer when you see its manual page for walldns. (-:

    And when an AAAA lookup on 7.longchain.alias.test.jdebp.info. works.

    I might ask @ermo for another quick build check on #FreeBSD 14, in a couple of days. No reason to think that it will fail, though. (I've been improving some DNS stuff instead of installing #GhostBSD, alas.) Still testing things right now, though.

    #walldns #djbdns

  7. @JdeBP For good measure, the packaging fixes also work on 14.3 (and therefore likely also ), in case people are wondering. (-:

  8. Have something to whet your appetites for #djbwares version 11.

    If you don't know #djbdns, you probably won't notice what will make people who do know djbdns take interest. (-:

    It's also going to contain the FreeBSD 13 build fixes that @ermo helped with.

    #DomainNameSystem

  9. Looking up www.bing.com. nowadays involves dnscache looking up intermediate domain names in org., com., net., and info.; the cross-dependencies of which regularly exceed dnscache's nested gluelessness limit above which it switches to a slower resolution algorithm.

    Some quick tests indicate that raising this limit from 2 to 3 improves matters.

    So this will be in #djbwares 11.

    #djbdns #dnscache #DomainNameSystem
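What "nested gluelessness" means in practice, as an added model that is not dnscache's code and not part of the post above: a delegation is glueless when the parent names a nameserver but supplies no address for it, so the resolver has to go and look that server's address up first; if that lookup in turn lands on a glueless delegation, the nesting grows by one level. The delegation and address data below are constructed under the reserved test. domain, the limit semantics (one extra level per glueless step, refused beyond the limit) are my reading of the post, and the real dnscache falls back to a slower algorithm rather than giving up as this model does.

```python
# Constructed delegation data under the reserved .test TLD: zone -> list of
# (nameserver name, glue address or None).  None means the parent sends no glue,
# so the resolver must look the server's address up before it can ask that zone.
DELEGATIONS = {
    'example.test.': [('ns.b.test.', None)],         # glueless -> needs b.test.
    'b.test.':       [('ns.c.test.', None)],         # glueless -> needs c.test.
    'c.test.':       [('ns.d.test.', None)],         # glueless -> needs d.test.
    'd.test.':       [('ns.d.test.', '192.0.2.4')],  # in-bailiwick, glue supplied
}

# Constructed address records the authoritative servers would answer with.
ADDRESSES = {
    'a.example.test.': '192.0.2.1',
    'ns.b.test.':      '192.0.2.2',
    'ns.c.test.':      '192.0.2.3',
    'ns.d.test.':      '192.0.2.4',
}


def enclosing_zone(name: str) -> str:
    """Longest suffix of name that is a delegated zone in DELEGATIONS."""
    labels = name.rstrip('.').split('.')
    for i in range(len(labels)):
        zone = '.'.join(labels[i:]) + '.'
        if zone in DELEGATIONS:
            return zone
    raise KeyError(name)


def lookup_address(name: str, limit: int, level: int = 0, trace=None):
    """Model the resolution of name's address.  Every glueless delegation pushes
    the resolver one level deeper; past `limit` levels it stops and returns None.
    Returns (address or None, trace of (level, zone, nameserver, event))."""
    trace = [] if trace is None else trace
    zone = enclosing_zone(name)
    for ns, glue in DELEGATIONS[zone]:
        if glue is not None:                  # a server we can reach right away
            trace.append((level, zone, ns, 'glue'))
            return ADDRESSES.get(name), trace
    if level >= limit:                        # all servers glueless; may not nest further
        trace.append((level, zone, None, 'limit'))
        return None, trace
    for ns, _ in DELEGATIONS[zone]:
        addr, _ = lookup_address(ns, limit, level + 1, trace)
        if addr is not None:                  # now that server can be asked for name
            trace.append((level, zone, ns, 'glueless'))
            return ADDRESSES.get(name), trace
    return None, trace


def required_limit(name: str, max_limit: int = 10):
    """Smallest nesting limit under which name resolves, or None."""
    for limit in range(max_limit + 1):
        if lookup_address(name, limit)[0] is not None:
            return limit
    return None


if __name__ == '__main__':
    for limit in (2, 3):
        addr, trace = lookup_address('a.example.test.', limit)
        print(f'limit={limit}: {addr}')
        for step in trace:
            print('   ', step)
```

With these constructed delegations, a.example.test. sits behind three glueless hops (b.test., c.test., d.test.), so a limit of 2 stops at c.test. and a limit of 3 resolves it; that is the shape of dependency the post describes between the com., net., org. and info. servers, only with made-up names.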

  10. I made the mistake of starting to learn about GEMINI from its Frequently Asked Questions document.

    It's not aimed at people like me, who already understand the benefits and tradeoffs of static content servers. So it drives lots of points home, repeatedly, that I already know.

    It's apparently aimed at the same sort of monoculture Chrome+Apache Think for HTTP that parallels the old BIND Think and Sendmail Think that #qmail and #djbdns were up against years ago.

    #GEMINI #djbwares #publicfile

  11. @ska @djb

    > The tinydns-data format has one key per domain, so you have to cycle through all records,
    > and more lookups are involved to find the authority etc.

    I've never had occasion to peek under the hood of #djbdns; it Just Worked and that was enough for me. So I'm a little surprised by that design.

    I would have thought the key would be `<domain>-<recordtype>`, at least.

    Fascinating.

    #JustWork #JustWorks #software
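The quoted claim (one key per domain, so a lookup cycles through every record at that name) and the reply's `<domain>-<recordtype>` idea, side by side, as an added illustration that is not code from this thread, from djbdns or from djbwares. cdb is the on-disk format behind tinydns's data.cdb, and the hash and table layout below are the standard cdb ones; the value encoding (a 2-byte type in front of the rdata) is a simplification assumed for illustration, since the real file also carries location, TTL and timestamp fields per record, and the zone records are made up.

```python
import struct

# --- Minimal cdb writer/reader.  Duplicate keys are allowed, and a lookup
# --- can yield every value stored under a key.

def cdb_hash(key: bytes) -> int:
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def cdb_build(records) -> bytes:
    """Serialise (key, value) pairs, duplicates included, into a cdb image."""
    out = bytearray(2048)                     # 256 (table position, length) slots
    tables = [[] for _ in range(256)]
    for key, value in records:
        h = cdb_hash(key)
        tables[h & 255].append((h, len(out)))
        out += struct.pack('<II', len(key), len(value)) + key + value
    for i, entries in enumerate(tables):
        tlen = 2 * len(entries)               # half-empty tables keep probes short
        struct.pack_into('<II', out, i * 8, len(out), tlen)
        slots = [(0, 0)] * tlen
        for h, pos in entries:
            s = (h >> 8) % tlen
            while slots[s][1] != 0:           # linear probing; pos 0 marks an empty slot
                s = (s + 1) % tlen
            slots[s] = (h, pos)
        for h, pos in slots:
            out += struct.pack('<II', h, pos)
    return bytes(out)


def cdb_lookup(data: bytes, key: bytes):
    """Yield every value stored under key, in probe order."""
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from('<II', data, (h & 255) * 8)
    if tlen == 0:
        return
    s = (h >> 8) % tlen
    for _ in range(tlen):
        eh, pos = struct.unpack_from('<II', data, tpos + 8 * s)
        if pos == 0:
            return
        if eh == h:
            klen, vlen = struct.unpack_from('<II', data, pos)
            if data[pos + 8:pos + 8 + klen] == key:
                yield data[pos + 8 + klen:pos + 8 + klen + vlen]
        s = (s + 1) % tlen


# --- DNS side.  RR type codes as on the wire.
A, NS, MX, TXT, AAAA = 1, 2, 15, 16, 28


def wire_name(name: str) -> bytes:
    """DNS wire-format owner name: length-prefixed labels ending in a zero label."""
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in name.rstrip('.').split('.') if l) + b'\0'


# Constructed zone data (not real hosts): (owner, type, rdata).
RECORDS = [
    ('example.com', A,    bytes([192, 0, 2, 1])),
    ('example.com', AAAA, bytes.fromhex('20010db8000000000000000000000001')),
    ('example.com', NS,   wire_name('ns1.example.com')),
    ('example.com', NS,   wire_name('ns2.example.com')),
    ('example.com', MX,   b'\x00\x0a' + wire_name('mail.example.com')),
    ('example.com', TXT,  b'\x0bhello world'),
    ('www.example.com', A, bytes([192, 0, 2, 80])),
]

# Layout 1: one key per owner name; value = 2-byte type + rdata (simplified, see above).
PER_NAME = cdb_build((wire_name(o), struct.pack('>H', t) + rd) for o, t, rd in RECORDS)

# Layout 2: the "<domain>-<recordtype>" key the reply imagines: key = name + type.
PER_NAME_TYPE = cdb_build((wire_name(o) + struct.pack('>H', t), rd) for o, t, rd in RECORDS)


def query_per_name(owner: str, qtype: int):
    """Returns (matching rdata list, records scanned).  scanned > 0 with no match
    is NODATA (the name exists); scanned == 0 is NXDOMAIN, from the same lookup."""
    hits, scanned = [], 0
    for v in cdb_lookup(PER_NAME, wire_name(owner)):
        scanned += 1
        if struct.unpack('>H', v[:2])[0] == qtype:
            hits.append(v[2:])
    return hits, scanned


def query_per_name_type(owner: str, qtype: int):
    """Same answer with nothing to skip over, but an empty result cannot tell
    NODATA from NXDOMAIN without a second probe for the bare name."""
    hits = list(cdb_lookup(PER_NAME_TYPE, wire_name(owner) + struct.pack('>H', qtype)))
    return hits, len(hits)
```

The trade-off the thread is circling: with one key per name, an AAAA query at example.com scans all six records there to return one, but the same single lookup also yields everything a server needs for ANY, for the NS set, and for deciding NODATA versus NXDOMAIN. With name-plus-type keys, the single-type query touches only its own records and the other questions each cost an extra probe.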

  12. @dangoodin @djb @0x0FFF

    Dan G.: to butt in, from experience with #djb from mailing lists for #qmail, #djbdns, etc...

    When djb states facts, he is invariably correct. When he presents a logical argument, he is rigorous, but it is frequently non-trivial to follow. Very dense logic, and perhaps omission of the more "obvious" steps, mean you can't grasp it on first read.

    When taking apart someone else's argument, it's even denser and crammed with references. But worth it. Spend the time.