First publication of this article on 23 March 2025
On 15 and 16 March 2025, I was at the DNS hackathon 2025 in Stockholm, organised by RIPE NCC, DNS-OARC and Netnod. I worked on a mechanism to synchronize the caches of DNS resolvers.
Hackathons are meant to be collective work. After all, if you just code alone, you might as well stay at home or at the office. The organisers insist that you form big groups, with people of various profiles. (Speaking of diversity, there were apparently two women among more than thirty participants, which is typical for hackathons.) The subject I championed, implementation and interoperability of DELEG, did not raise sufficient interest, so I joined another project, Poisonlicious.
The idea for this project came from Quad9, a big public DNS resolver. Their network of resolvers is made of many sites, each with several physical machines, each physical machine hosting several virtual machines. When a DNS client asks for the resolution of a domain name, each of the virtual machines has to do it on its own, without sharing the work with the others, even though they are very close to each other. The idea is therefore to synchronize the caches: when a machine finishes the resolution work, it sends a copy of the responses it got to the other machines.
The practical work included:
In the current iteration of the Internet-Draft, the data is sent as an ordinary DNS message over UDP, authenticated by TSIG (otherwise, poisoning other machines with bad data would be a risk). In the future, techniques like MQTT may be used for more efficient synchronization.
The work done by Willem Toorop on Unbound is in this pull request (it required adding TSIG support to Unbound, which did not need it before). The Internet-Draft is draft-bortzmeyer-dnsop-poisonlicious. It will be discussed in the dnsop IETF working group. I also developed a small program in Python, using the excellent dnspython library, to resolve a domain name and send it, following the protocol, to the receiving machine: poisonlicious.py. Reading its source code gives you a good idea of how the mechanism works. You can also get a pcap of the packet sent: poisonlicious.pcap (the command was python poisonlicious.py www.afnic.fr). But nothing extraordinary, it is an ordinary DNS packet, with the TSIG signature.
There were other interesting projects during this hackathon. One of them dealt with getaddrinfo, which is available everywhere but very limited (no record types other than IP addresses, no information about whether the resolution was validated, for instance with DNSSEC, etc). Daniel Stenberg was not at the hackathon but was often quoted, since he wrote a lot about getaddrinfo issues. Also, there was a great talk at the last FOSDEM on this: "getaddrinfo sucks, everything else is much worse". The hackathon project added some code in Ladybird.
Thanks to Vesna Manojlović who convinced me to come, to Johanna Eriksson and Denesh Bhabuta for the organisation, and to my nice project group, Willem Toorop, Babak Farrokhi and Moin Rahman.
XML source of this page (this page is distributed under the terms of the GFDL licence)