Two years have passed since we presented Domain crate, our DNS library written in Rust (https://github.com/NLnetLabs/domain) here at FOSDEM. We added a lot of functionality (for example, DNS client and server support, DNSSEC validation, DNSSEC signing) and started writing our first applications. The most notable application is our new DNSSEC signer called Cascade (https://github.com/NLnetLabs/cascade). In this presentation, I go over the work we have, what our plans are for the coming year. And we would like to hear from you, what would you like to see in a DNS library.
Given a large enough network of distributed nameservers, updating their configs and keeping all of them in sync becomes a highly error-prone activity. The problems multiply when multiple sysadmins and different operating systems are involved. We have created a low-complexity solution for syncing the NS configuration and keeping all servers aware of the current shape of the network.
On paper, DNS is a simple request-response protocol. In reality, building an authoritative nameserver that delivers under heavy load, processes malformed packets safely, and resists DDoS attacks is a complex engineering challenge.
This talk peels back the layers of erldns, DNSimple's open-source high-performance DNS server, to explore the fundamental architecture required to handle millions of queries per second. We will focus on:
While the reference implementation uses Erlang, the architectural lessons on isolation, supervision, and fault tolerance are applicable to any language. This session is designed for developers and operators who want to understand the "nuts and bolts" of how robust DNS software is built.
Project Links: - DNS Server (erldns): https://github.com/dnsimple/erldns - DNS Library (dns_erlang): https://github.com/dnsimple/dns_erlang
Isn’t monitoring DNS queries a really bad idea? If the monitoring crosses the line to surveillance, we agree. Monitoring for bad actors is still needed and valuable for cybersecurity. Building such a platform in Open Source and running it as a non-profit is much better than letting commercial actors consume this data without making it an open data commons. For sure many won’t protect the user’s privacy the way we do.
This is the story about the DNS TAPIR Open Source project - the reason we started it, our core principles and the architecture .
As a developer, how do you add an automated check for software updates to your application? You could use DNS! DNS is lightweight, provides redundancy, responses are cacheable, and going through your network resolver gives you some privacy.
But, making DNS changes as part of a software release is not ideal, I've done it. Can we automate this? We can for Go applications! Gopherwatch.org is a free service that monitors the Go sumdb, a transparency log (like certificate transparency) containing all Go "modules" (libraries/applications) and their published versions. Gopherwatch.org provides a DNS interface for querying the latest version for all Go applications/libraries, and the latest Go toolchains.
We'll look at how the Gopherwatch DNS interface works and discuss limitations and possible future improvements. If there's time, we'll also look at how the DNS interface is used to provide one-click or even fully automated software updates for Go services.
The DNS is a hoary protocol, with ancient secrets that man was not meant to know.
It is said that learning too much about the dark corners of this ancient knowledge might drive one mad.
Here is your chance to learn mostly useless things about DNS!
This presentation will cover quirks of the DNS protocol which are probably surprising, and hopefully interesting.
Warning: Due to constraints no entities from beyond time and space will be summoned during this talk.