A Rust based DNS client and server, built to be safe and secure from the ground up.
Using the client should be safe. The client is currently hardcoded to a 5 second, timeout. I'll make this configurable if people ask for that, but this allows me to move on. Please send feedback! It currently does not cache responses, if this is a feature you'd like earlier rather than later, post a request. The validation of DNSSec is complete, but negative responses are not yet. The plan is to support NSEC3 primarily, but allow NSEC records to be validated.
The server code is complete, the daemon supports IPv4 and IPv6, UDP and TCP. There currently is no way to limit TCP and AXFR operations, so it is still not recommended to put into production as TCP can be used to DOS the service. Master file parsing is complete and supported. There is currently no forking option, and the server is not yet threaded. There is still a lot of work to do before a server can be trusted with this externally. Running it behind a firewall on a private network would be safe.
Currently the root key is hardcoded into the system. This gives validation of DNSKEY and DS records back to the root. NSEC and NSEC3 are not yet implemented. Because caching is not yet enabled, it has been noticed that some DNS servers appear to rate limit the connections, validating RRSIG records back to the root can require a significant number of additional queries for those records.
This assumes that you have Rust stable installed. These presume that the trust-dns repos have already been synced to the local system:
$ git clone https://github.com/bluejekyll/trust-dns.git
$ cd trust-dns
openssl development libraries are necessary
Mac OS X: using homebrew
$ brew install openssl
$ brew link --force openssl
Unit tests
These are good for running on local systems. They will create sockets for local tests, but will not attempt to access remote systems.
$ cargo test
Functional tests
These will try to use some local system tools for compatibility testing, and also make some remote requests to verify compatibility with other DNS systems. These can not currently be run on Travis for example.
$ cargo test --features=ftest
Benchmarks
Waiting on benchmarks to stabilize in mainline Rust.
Production build
$ cargo build --release
Warning: Trust-DNS is still under development, running in production is not recommended. The server is currently only single-threaded, it is non-blocking so this should allow it to work with most internal loads.
Verify the version
$ target/release/named --version
Get help
$ target/release/named --help
Why are you building another DNS server?
Because of all the security advisories out there for BIND. Using Rust semantics it should be possible to develop a high performance and safe DNS Server that is more resilient to attacks.
Licensed under either of
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.