% Namecoin pipe backend for PowerDNS

There exists a project named
[nmcontrol](https://github.com/namecoin/nmcontrol) to create an
all-in-one tool that can, among other things, act as a DNS server
for the `.bit` zone. There is also a tool,
[NamecoinToBind](https://github.com/namecoin/NamecoinToBind),
for offline conversion of Namecoin data into a BIND zone file.

Unlike those, this project is a single-purpose tool acting as a (real
time) bridge between [Namecoin](http://namecoin.info/) and DNS.
It is implemented as a `pipe backend` to
[PowerDNS](https://www.powerdns.com/), which provides a stable DNS
frontend and has a simple backend interface.
The program is built as a single executable to be run by PowerDNS's
pipe backend. It is written in [Haskell](http://www.haskell.org/).
There is no `cabal` configuration at the moment, so to build it, run

```sh
ghc --make pdns-pipe-nmc
```

and install any missing packages it complains about.
In the PowerDNS configuration, you want to specify `master=yes`.
Enable the `pipe` backend by setting `launch=pipe`.
Wherever your pdns package keeps the backend configurations, set
this for the pipe backend:

```
pipe-command=/path/to/pdns-pipe-nmc
pipebackend-abi-version=1 ## all versions supported, but extra data ignored
```
Copy `pdns-pipe-nmc` to the place that you've set up as `pipe-command`.
Copy your Namecoin config file to `/etc/namecoin.conf` and make sure it
is readable by the userid specified in the PowerDNS config. Entries
recognized in the `/etc/namecoin.conf` file (with default values) are:

They are the parameters needed to contact the `namecoind` server over
its JSON-RPC interface. With a default installation on `localhost`, you
will only need to specify `rpcpassword`.

Configure your resolvers to use the PowerDNS instance for queries in
the `.bit` zone. This is left as an exercise to the reader.
## Security Considerations

Namecoin per se has excellent non-repudiation characteristics. But
once you've converted the data into (non-DNSSEC-protected) DNS
format, all bets are off. If you intend to query your PowerDNS
instance over the public Internet, remember that nothing prevents evil
hackers or ruthless governments from tampering with your queries
and PowerDNS responses. There are two possible approaches to
mitigating this problem:

* Run namecoind and PowerDNS as close to the consumer as
  possible: on the same host, or at least on the same network, and
* I did not try it, but it should be possible to use PowerDNS
  [Front-signing](http://doc.powerdns.com/html/dnssec-modes.html#dnssec-frontserver),
  so the communication will happen over the DNSSEC protocol without the
  need to keep the signatures in the zone data itself. You probably
  would need to create a signing key for the PowerDNS instance, and add
  the corresponding public key as "trusted" into the configuration of
Beta. It is mostly feature-complete, but insufficiently tested.
It implements the data format specification (SPEC.md in the source
distribution) that slightly deviates from the
[official specification](https://wiki.namecoin.info/index.php?title=Domain_Name_Specification).
I am using it to access some of the `.bit` websites and it works

The biggest problem by far is generating meaningful `SOA` records.
### SOA Version a.k.a. Generation Count

DNS infrastructure (including the PowerDNS implementation) relies on the
"generation" field of the `SOA` RR when it decides whether to invalidate
the cache. So, if there is zone data in the DNS cache, and a DNS server
needs to respond to a request about an object from that zone, it first
checks if the TTL has expired. If it has not, the server takes the data
from the cache. If it has expired, the server asks the "authoritative
source" (which in our case is the Namecoin daemon) for the SOA record
and compares the generation count in the received response with the
number kept in the cache. If the "authoritative" SOA does not have a
greater generation count than the cached SOA, the DNS server **does not**
refresh its cache, presuming that the data there is still valid.

So, it is important that the generation count in the SOA record is
incremented every time the domain object, or any of the objects that
it "include"-s or to which it "delegate"-s, is changed.
At present, there is no mechanism for that. In most cases, simply
summing the number of entries in the `name_history`-s of all domain objects
involved in resolution would work, but this approach would produce a
wrong result when an "import" entry is removed from a domain, because
in that case the sum would decrease. It would also not notice
changes in an object "include"-ed in a subdomain, unless a complete
recursive resolution of the subdomain tree is forced whenever the
SOA record is requested. That would defeat the reason to have
caching in the first place.

One possible workaround, currently implemented in `pdns-pipe-nmc`, is to
use a derivative of absolute time, in our case the number of 10-minute
intervals elapsed since Namecoin was conceived, as the SOA generation
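To make the cache-refresh argument concrete, here is an added example in Python (not code from `pdns-pipe-nmc`, which is written in Haskell): it simulates a caching server's refresh decision against both the rejected history-sum serial and the time-based workaround. The object layout, the `import` key on the sample objects, and the epoch constant are assumptions made for this example.

```python
import calendar

# Assumed epoch (constructed for this example): 2011-04-18 00:00 UTC, the
# date of the Namecoin genesis block. The exact constant pdns-pipe-nmc
# uses for "since Namecoin was conceived" is not stated on this page.
NAMECOIN_EPOCH = calendar.timegm((2011, 4, 18, 0, 0, 0))
TEN_MINUTES = 600

def resolution_set(name, objects):
    """Collect a domain object and everything it import-s, recursively."""
    seen = {}
    def walk(n):
        if n in seen or n not in objects:
            return
        seen[n] = objects[n]
        for imported in objects[n].get("import", []):
            walk(imported)
    walk(name)
    return seen

def history_sum_serial(objects):
    """Naive serial: total name_history entries of all objects involved."""
    return sum(len(obj["name_history"]) for obj in objects.values())

def time_serial(unix_time):
    """Workaround serial: 10-minute intervals elapsed since the epoch."""
    return (int(unix_time) - NAMECOIN_EPOCH) // TEN_MINUTES

def cache_refreshes(cached_serial, authoritative_serial):
    """A caching server discards its copy only on a strictly greater serial."""
    return authoritative_serial > cached_serial

# Constructed sample data: d/example imports d/shared, then a name_update
# drops the import (the update itself appends one name_history entry).
BEFORE = {
    "d/example": {"name_history": ["v1", "v2"], "import": ["d/shared"]},
    "d/shared": {"name_history": ["v1", "v2", "v3"]},
}
AFTER = {
    "d/example": {"name_history": ["v1", "v2", "v3"]},
    "d/shared": {"name_history": ["v1", "v2", "v3"]},
}

def stale_after_import_removal():
    """True when the history-sum serial fails to trigger a cache refresh."""
    old = history_sum_serial(resolution_set("d/example", BEFORE))  # 5
    new = history_sum_serial(resolution_set("d/example", AFTER))   # 3
    return not cache_refreshes(old, new)
```

The time-derived serial trades the stale-cache failure for a serial that advances even when nothing changed, which only costs an unnecessary refresh rather than serving outdated data.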
There is no "reasonable" value that could be placed there, except
possibly the name of the host on which the PowerDNS instance is running,
in the `.bit` zone. Currently, `pdns-pipe-nmc` just puts a dot "."
there, and no problems were noticed so far.
## Getting the Software

Check the [project homepage](http://www.average.org/pdns-pipe-nmc/).

Git [clone](git://git.average.org/git/pdns-pipe-nmc.git) or
[browse](http://www.average.org/gitweb/?p=pdns-pipe-nmc.git;a=summary),
or use the [github mirror](https://github.com/crosser/pdns-pipe-nmc).
### Binary Executable

There is a binary built for x86_64 Linux with glibc6:

| Executable file | PGP |
|-----------------|-----|
| [**pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-22.git-108b6c2**](http://www.average.org/pdns-pipe-nmc/pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-22.git-108b6c2) | [sig](http://www.average.org/pdns-pipe-nmc/pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-22.git-108b6c2.sig) |
| [pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-20.git-e9bd43f](http://www.average.org/pdns-pipe-nmc/pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-20.git-e9bd43f) | [sig](http://www.average.org/pdns-pipe-nmc/pdns-pipe-nmc.linux-glibc6.x86_64.2014-04-20.git-e9bd43f.sig) |
Eugene Crosser \<crosser at average dot org\>
<http://www.average.org/~crosser/>