% Namecoin pipe backend for PowerDNS
There exists a project named
nmcontrol to create an
all-in-one tool that can, among other things, act as a DNS server
for the .bit zone. There is also a tool,
NamecoinToBind,
for offline conversion of namecoin data into BIND zone file.
Unlike those, this project is a single-purpose tool acting as a (real
time) bridge between Namecoin and DNS.
It is implemented as a pipe backend to
PowerDNS, which provides stable DNS
frontend, and has simple backend interface.
The program is a single executable to be run by PowerDns's pipe backend. It is written in Haskell. If you have haskell installed on your system, run
cabal configure
followed by
cabal build
and hopefully it will tell you what packages are missing. You can
install them either with your OS package manager (if they exist in
your distribution) or with cabal install.
In the powerdns configuration, you want to specify master=yes.
Enable pipe backend by setting launch=pipe.
Wherever your pdns package keeps the backend configurations, set
this for the pipe backend:
pipe-command=/path/to/pdns-pipe-nmc
pipe-timeout=10000
pipe-regex=.bit;.*$
pipebackend-abi-version=1 ## all versions supported, but extra data ignored
Copy pdns-pipe-nmc to the place that you've set up as pipe-command.
Copy your namecoin cofig file to /etc/namecoin.conf and make sure it
is readable by the userid specified in the powerdns config. Entries
recognized in the /etc/namecoin.conf file (with default values) are:
rpcuser=
rpcpassword=
rpchost=localhost
rpcport=8336
They are the parameters needed to contact the namecoind server over
its JsonRPC interface. With default installation on localhost, you
will only need to specify rpcpassword.
Configure your resolvers to use the PowerDns instance for queries in
the .bit zone. This is left as an exercise to the reader.
Namecoin per se has excellent non-repudiation characteristics. But once you've converted the data into (non-DNSSEC-protected) DNS format, all bets are off. If you intend to query your powerdns instance over public Internet, remember that nothing prevents evil hackers or ruthless governments from tampering with your queries and powerdns responses. There are two possible approaches to mitigation of this problem:
- Run namecoind and powerdns as close to the consumer as possible: on the same host, or at least on the same network, and keep it guarded.
- I did not try it, but it should be possible to use PowerDNS Front-signing, so the communication will happen over DNSSEC protocol without the need to keep the signatures in the zone data itself. You probably would need to create signing key for the PowerDNS instance, and add the corresponding public key as "trusted" into the configuration of your resolvers.
Beta. It is mostly feature-complete, but insufficiently tested.
It implements the
data format specification
(SPEC.md in the source distribution) that slightly deviates from the
official specification.
I am using it to access some of the .bit websites and it works
for me.
Try at your risk.
The biggest problem by far is generating meaningful SOA records.
DNS infrastructure (including PowerDNS implementation) relies on the
"generation" field of the SOA RR when it makes decision to invalidate
the cache. So, if there is zone data in the DNS cache, and a DNS server
needs to respond to a request about an object from that zone, it first
checks if the TTL has expired. If it has not, the server takes the data
from the cache. If it has expired, the server asks the "authoritative
source" (which is in our case the dnamecoin daemon) for the SOA record
and compares the generation count in the received response with the
number kept in the cache. If the "authoritative" SOA does not have a
greater generation count than the cached SOA, DNS server does not
refresh its cache, presuming that the data there is still valid.
So, it is important that the generation count in the SOA record is incremented every time when the domain object, or any of the object that it "include"-s or to which it "delegate"-s is changed.
At present, there is no machanism for that. In most cases, simply
summing the number of entries in name_history-s of all domain object
involved in resolution would work, but this approach would produce
wrong result when an "import" entry is removed from a domain, because
in such case the sum would decrease. It would also not notice the
changes in an object "include"-ed in a subdomain, unless complete
recursive resolution of the subdomain tree is enforced for when
SOA record is requested. That would invalidate the reason to have
caching in the first place.
One possible workaround, currently implemented in pdns-pipe-nmc, is to
use a derivative of absolute time, in our case the number of 10-munute
intervals elapsed since Namecoin was concieved, as the SOA generation
count.
There is no "reasonable" value that could be placed there. Except
possibly the name of the host on which the PoweDNS instance is running,
in the .bit zone. Currently, pdns-pipe-nmc just puts a dot "."
there, and no problems where noticed so far.
Check the project homepage.
Git clone or browse, or use github mirror.
There is a binary built for x86_64 Linux with glibc6:
Eugene Crosser <crosser at average dot org>
http://www.average.org/~crosser/