PKCS11 wrapper for Go

In my quest to write a DNS server in Go I found myself lacking an interface to PKCS#11, so I wrote one. PKCS#11 is the interface to HSMs (including SoftHSM), and even though the interface sucks, I think a DNS server should store its keys in an HSM, by default.

So… here it is. I’m still putting in the finishing touches and some general polish, but it is already usable.

Read more →

Go DNS API change WITH rewrite rules!

In the standard library the DNS types have been renamed from RR_MX to MX, which I think is a good change. So I made the same change in Go DNS, but this time I’m providing gofmt -r rewrite rules. They all have the form:

gofmt -r 'RR_A -> A' -w *.go

And then for all the types, so it’s quite a list.

Download the rewrite rules here and use them like $SHELL rewrite.

Read more →

Adding new RR types to GO DNS

Inspired by NLnet Labs and PowerDNS, I figured I couldn’t stay behind, so here is how to add new RRs to Go DNS.

A small note before I delve into the details: I haven’t optimized Go DNS for adding new types, as this is a relatively infrequent event. A few things need to be added before Go DNS understands a new RR type:

  1. Adding the type itself (as a structure) and the four methods needed to implement the RR interface;
  2. Adding the type number and the text string belonging to it;
  3. Parsing from text, i.e. when parsing zone files.

Let’s take the new DANE record (RFC 6698) as an example. The record is called TLSA and looks like:

Read more →
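As an added illustration of the three items above, here is a self-contained Go sketch of a TLSA type. This is example code written for this page, not Go DNS’s own source: the four-method RR interface, the RR_Header layout and the TypeToString/StringToType maps are assumed, since the page does not show Go DNS’s real definitions. The type number 52 and the presentation format (usage, selector, matching type, hex certificate association data) are from RFC 6698. The parser also enforces the digest lengths RFC 6698 fixes for matching types 1 (SHA-256) and 2 (SHA-512), which is the check a zone-file parser should do instead of accepting any hex blob.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed for this example: a minimal header type and an RR interface with
// four methods. Go DNS's real definitions are not shown on this page.
type RR_Header struct {
	Name   string
	Rrtype uint16
	Class  uint16
	Ttl    uint32
}

func (h *RR_Header) String() string {
	return fmt.Sprintf("%s\t%d\t%s\t%s", h.Name, h.Ttl, ClassToString[h.Class], TypeToString[h.Rrtype])
}

type RR interface {
	Header() *RR_Header
	String() string
	Len() int
	Copy() RR
}

// Item 2: the type number (52, assigned by RFC 6698) and its text name.
const (
	ClassINET uint16 = 1
	TypeTLSA  uint16 = 52
)

var (
	ClassToString = map[uint16]string{ClassINET: "IN"}
	TypeToString  = map[uint16]string{TypeTLSA: "TLSA"}
	StringToType  = map[string]uint16{"TLSA": TypeTLSA}
)

// Item 1: the structure and its four methods. The RDATA is usage, selector
// and matching type (one octet each) followed by the certificate association data.
type RR_TLSA struct {
	Hdr          RR_Header
	Usage        uint8
	Selector     uint8
	MatchingType uint8
	Certificate  string // hex encoded, as in the presentation format
}

func (rr *RR_TLSA) Header() *RR_Header { return &rr.Hdr }

func (rr *RR_TLSA) String() string {
	return rr.Hdr.String() + fmt.Sprintf("\t%d %d %d %s", rr.Usage, rr.Selector, rr.MatchingType, rr.Certificate)
}

// Len returns the RDATA length in octets.
func (rr *RR_TLSA) Len() int { return 3 + len(rr.Certificate)/2 }

func (rr *RR_TLSA) Copy() RR {
	c := *rr
	return &c
}

// Item 3: parsing the RDATA text of a zone file line, e.g. "3 1 1 <hex>".
func parseTLSA(hdr RR_Header, rdata string) (*RR_TLSA, error) {
	f := strings.Fields(rdata)
	if len(f) < 4 {
		return nil, errors.New("TLSA: expected usage, selector, matching type and data")
	}
	var v [3]uint8
	for i := 0; i < 3; i++ {
		n, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return nil, fmt.Errorf("TLSA: bad field %q: %v", f[i], err)
		}
		v[i] = uint8(n)
	}
	// Zone files may break the hex data over several whitespace-separated chunks.
	data := strings.ToLower(strings.Join(f[3:], ""))
	raw, err := hex.DecodeString(data)
	if err != nil {
		return nil, fmt.Errorf("TLSA: bad certificate data: %v", err)
	}
	// RFC 6698 fixes the length for matching type 1 (SHA-256) and 2 (SHA-512);
	// type 0 carries the full certificate or SPKI and can be any length.
	want := map[uint8]int{1: 32, 2: 64}[v[2]]
	if want != 0 && len(raw) != want {
		return nil, fmt.Errorf("TLSA: matching type %d needs %d octets, got %d", v[2], want, len(raw))
	}
	return &RR_TLSA{Hdr: hdr, Usage: v[0], Selector: v[1], MatchingType: v[2], Certificate: data}, nil
}

func main() {
	hdr := RR_Header{Name: "_443._tcp.example.com.", Rrtype: TypeTLSA, Class: ClassINET, Ttl: 3600}
	// Constructed sample: DANE-EE (usage 3), SPKI (selector 1), SHA-256 (type 1).
	rr, err := parseTLSA(hdr, "3 1 1 "+strings.Repeat("ab", 32))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println(rr.String(), "rdlength:", rr.Len())
}
```

The length check matters in practice: a resolver or TLS client that matches a 31-byte blob against a SHA-256 digest can never succeed, and silently accepting such a record at zone-load time hides the misconfiguration until a DANE-validating client fails.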

User management in fksd

If you do DNS for too long everything looks like 53.

In this “trace” I’m showing the logging of fksd when I add a zone, try to list it as the non-existent user miekg (which fails), add the user miekg and list it again. Users are identified by the key name in the TSIG record; their password is the shared secret.

The “config files” for nsupdate can be found in the github repo of fksd. The nsupdate commands are preceded by a %, extra comments by a #:

Read more →

Dynamic nameserver provisioning with dns pkts

I’m writing a nameserver called fksd (Funkensturm daemon), which is currently in a prototype stage (but the code is available at github).

In this server I’m pursuing some interesting directions in nameserver development, such as the dynamic configuration as provided by BIND10.

BIND10 uses http(s), but I think using DNS packets is more in line with a nameserver, so I opted for that route.

With fksd you can use packets (which will be TSIG-signed in the future) to configure the server. The only configuration possible at the moment is adding a zone. Such a packet needs to have a TXT record like the following in its AUTHORITY SECTION:

Read more →
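The two fksd posts above (users identified by their TSIG key, and configuration carried in DNS packets) share one security point: a control packet must be authenticated before the server acts on it, otherwise anyone who can reach port 53 can add zones. The following is an added example for this page, not fksd’s or Go DNS’s code, of the verification a server performs on a TSIG-signed request per RFC 2845: the MAC is an HMAC over the message without the TSIG RR, followed by the TSIG variables; the key name selects the user; the MAC is compared in constant time before the MAC-covered Time Signed field is trusted. The message bytes, the key name miekg. and the shared secret are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed user table: the TSIG key name identifies the user and the shared
// secret is the password. A real server would load this from its configuration.
var users = map[string][]byte{
	"miekg.": []byte("constructed-shared-secret-for-the-example"),
}

const tsigAlg = "hmac-sha256."

// nameToWire encodes a domain name in canonical wire form (lowercase,
// uncompressed), which is what the TSIG variables require.
func nameToWire(name string) []byte {
	var b []byte
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b = append(b, byte(len(label)))
			b = append(b, label...)
		}
	}
	return append(b, 0)
}

// tsigDigestInput is the data a request MAC covers (RFC 2845 section 3.4): the
// DNS message with the TSIG RR removed (ARCOUNT not counting it), then the
// TSIG variables in canonical form.
func tsigDigestInput(msg []byte, keyName string, timeSigned uint64, fudge uint16) []byte {
	var b bytes.Buffer
	b.Write(msg)
	b.Write(nameToWire(keyName))
	binary.Write(&b, binary.BigEndian, uint16(255)) // CLASS ANY
	binary.Write(&b, binary.BigEndian, uint32(0))   // TTL 0
	b.Write(nameToWire(tsigAlg))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], timeSigned)
	b.Write(ts[2:]) // Time Signed is a 48-bit field
	binary.Write(&b, binary.BigEndian, fudge)
	binary.Write(&b, binary.BigEndian, uint16(0)) // Error
	binary.Write(&b, binary.BigEndian, uint16(0)) // Other Len (no Other Data)
	return b.Bytes()
}

func tsigMAC(secret, input []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(input)
	return h.Sum(nil)
}

// SignControlPacket computes the MAC a client places in the TSIG RR it appends.
func SignControlPacket(msg []byte, keyName string, secret []byte, timeSigned uint64, fudge uint16) []byte {
	return tsigMAC(secret, tsigDigestInput(msg, keyName, timeSigned, fudge))
}

// AuthenticateControlPacket returns the user behind a signed control packet.
// Checks follow RFC 2845 section 4.5: key (BADKEY), then MAC (BADSIG), then
// time (BADTIME). The MAC is verified first because Time Signed is itself
// covered by the MAC and must not be trusted before that.
func AuthenticateControlPacket(msg []byte, keyName string, mac []byte, timeSigned uint64, fudge uint16, now uint64) (string, error) {
	key := strings.ToLower(keyName)
	secret, ok := users[key]
	if !ok {
		return "", errors.New("tsig: unknown key (BADKEY)")
	}
	want := tsigMAC(secret, tsigDigestInput(msg, key, timeSigned, fudge))
	if subtle.ConstantTimeCompare(mac, want) != 1 {
		return "", errors.New("tsig: MAC does not verify (BADSIG)")
	}
	if now > timeSigned+uint64(fudge) || timeSigned > now+uint64(fudge) {
		return "", errors.New("tsig: Time Signed outside the fudge window (BADTIME)")
	}
	return strings.TrimSuffix(key, "."), nil
}

// constructedUpdate builds a made-up control message for the example: a header
// with opcode UPDATE and one question naming the zone, without the TSIG RR.
func constructedUpdate() []byte {
	b := []byte{0x12, 0x34, 0x28, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	b = append(b, nameToWire("example.net.")...)
	return append(b, 0, 6, 0, 1) // QTYPE SOA, QCLASS IN
}

func main() {
	msg := constructedUpdate()
	now := uint64(time.Now().Unix())
	mac := SignControlPacket(msg, "miekg.", users["miekg."], now, 300)
	user, err := AuthenticateControlPacket(msg, "miekg.", mac, now, 300, now)
	fmt.Println("user:", user, "err:", err)
	msg[len(msg)-1] ^= 0xff // any change to the covered message breaks the MAC
	_, err = AuthenticateControlPacket(msg, "miekg.", mac, now, 300, now)
	fmt.Println("tampered:", err)
}
```

Note what the fudge window does and does not give you: it bounds how long a captured packet can be replayed, but within the window a replay of a valid "add zone" packet still succeeds. A server that takes configuration over DNS should therefore also treat repeated application of the same change as harmless, or keep the last-seen Time Signed per key.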

Libunbound wrapper in Go

I’ve created a small wrapper for libunbound for use in Go.

The code can be found at github. It depends on my Go DNS library which can be found here.

Official announcement on the Unbound-users@ list.

To give you a little taste of how it looks, I’ve (re)created tutorials 2 to 6 in Go. Tutorial 2 looks like this, for instance:

package main

// https://www.unbound.net/documentation/libunbound-tutorial-2.html

import (
        "dns"
        "fmt"
        "os"
        "unbound"
)

func main() {
        u := unbound.New()
        defer u.Destroy()

        if err := u.ResolvConf("/etc/resolv.conf"); err != nil {
                fmt.Printf("error %s\n", err.Error())
                os.Exit(1)
        }

        if err := u.Hosts("/etc/hosts"); err != nil {
                fmt.Printf("error %s\n", err.Error())
                os.Exit(1)
        }

        r, err := u.Resolve("www.nlnetlabs.nl.", dns.TypeA, dns.ClassINET)
        if err != nil {
                fmt.Printf("error %s\n", err.Error())
                os.Exit(1)
        }
        fmt.Printf("%+v\n", r)
}
Read more →

Printing MX records with Go DNS

Now that the API seems to be stabilizing, it is time to update these items.

We want to create a little program that prints out the MX records of domains, like so:

% mx miek.nl
miek.nl.        86400   IN      MX      10 elektron.atoom.net.

Or

% mx microsoft.com 
microsoft.com.  3600    IN      MX      10 mail.messaging.microsoft.com.

We are using my Go DNS package. First the normal header of a Go program, with a bunch of imports. We need the dns package:

Read more →

Super-short guide to getting q (Part II)

The development of the language Go is going at a fast pace, hence an updated version of the Super-short guide to getting q.

Get the latest version (called weekly) of Go:

  1. Get Go: hg clone -u release https://go.googlecode.com/hg/ go Note the directory you have downloaded it to and add its bin directory to your PATH: PATH=$PATH:$PWD/go/bin.

  2. Update Go to the latest weekly: cd go; hg pull; hg update weekly

  3. Compile Go: cd src (you should now be in go/src) and compile: ./all.bash

Read more →

DNS Fingerprinting

Announcing FP

The tool for DNS fingerprinting is fpdns, which is Perl based. In recent times development seems to have picked up, but a little competition never hurt anyone, so I wrote fp in Go. Fp is also a fingerprint program for DNS servers. Its aim is to be more readable than fpdns is (was?), and to make it easier to add new server types.

Help needed!

Do you have some old(er) nameserver lying around that can be queried? Does your (sick) mind know of a few extra evil queries that can be sent to nameservers? If so, please contact me: query@evilquery.nl. I want to get to a point where fp sends about 10 queries that can be used to identify a server.

Read more →

Super-short guide to getting q

Get the latest version (called weekly) of Go:

  1. Get Go: hg clone -u release https://go.googlecode.com/hg/ go Note the directory you have downloaded it to and set $GOROOT to it: export GOROOT=$PWD/go. Add the GOROOT bin directory to your path: PATH=$PATH:$GOROOT/bin

  2. Update Go to the latest weekly: cd $GOROOT; hg pull; hg update weekly

  3. Compile Go: cd $GOROOT/src ; ./all.bash

    Install missing commands (gcc, sed, bison, etc.) if needed.

The latest Go is now installed.

Read more →

VIM setup

After several years I decided to use a different color scheme for VIM. Also I’m going to force myself to use VIM’s folding abilities and to use make from within VIM.

For good measure I also want to use Omni-completion when writing Go code:

[Screenshot: Omni-completion while writing Go code]

Btw, this screenshot also shows the solarized (dark) colorscheme.

Coloring

Google for solarized. In my .vimrc:

let g:solarized_termcolors=256
colorscheme solarized

Make from VIM

Use :make inside the editor and jump through the errors with:

Read more →

Chaining proxies

Online signing is cool, but slow. Caching queries in a reverse proxy is nice, but useless for something like NSD. But what if you want to do online signing in a fast way?

Enter: proxy chaining.

I already showed FunkenSign (example code is quite old though) and yesterday FunkenShield.

What if you combine the two? That gives the best of both worlds:

  • Online signing;
  • Caching;
  • And it adheres to the true Unix philosophy: do one thing, and do one thing well.

So let’s get some figures again.

Read more →

Reverse DNS proxy

Have a slow nameserver and want to spice things up? How about a reverse DNS proxy? For lack of a cool name I chose the name FunkenShield. It’s (of course) in the early stages, but it works quite nicely already.

This is done with the FunkenSturm framework, which is part of GoDNS.

How it works:

You place FunkenShield in front of your nameserver and it caches the binary packets coming from your server locally.

Read more →

On programming languages and programmers

Very well written email message from Geoff Teale on the golang mailing list on programmers and programming languages (thread).

To summarise a long presentation I gave to non-programmers:

  • There are 12 million programmers in the world
  • The majority of those programmers are scarcely qualified
  • Most technology decisions are made by a combination of following the crowd and a false understanding of risk.
  • The high cost and failure rate in software development is no coincidence.

Remember the Stevie Wonder rule - “When you believe in something you don’t understand then you suffer”. In this case that means “Perhaps making programming language decisions based on what 12 million powerless idiots are doing isn’t the golden road to glory and great hacks.”

Read more →

Go DNS (update)

I’m finally back to coding Go DNS and making it work with the latest Go releases. Also the API has changed quite significantly since the last time I blogged about it.

So in this post I will detail key2ds, a small utility that queries a zone and prints any DNSKEY records it finds as DS records on the fly, to show the new API and some sample usage.

% ./key2ds sidn.nl
sidn.nl.    0   IN  DS  42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl.    0   IN  DS  42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl.    0   IN  DS  39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl.    0   IN  DS  39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D
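As an added example of what key2ds computes (example code written for this page, not key2ds or Go DNS), here is the DNSKEY to DS derivation from RFC 4034: the key tag from Appendix B, and the digest over the canonical owner name followed by the DNSKEY RDATA from section 5.1.4, with digest type 1 = SHA-1 and type 2 = SHA-256, the two types in the output above. The DNSKEY used is a constructed, deliberately tiny fake key (not sidn.nl’s real key), so its digests differ from those above. One caveat a 2011 utility did not have to care about: SHA-1 DS records (type 1) are deprecated by RFC 8624, so today you would publish type 2 only unless the parent zone demands otherwise.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034 section 2).
type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}

// ParseDNSKEY takes the presentation-format fields; the public key is base64
// and may be split over whitespace in a zone file.
func ParseDNSKEY(flags uint16, protocol, algorithm uint8, keyB64 string) (*DNSKEY, error) {
	if protocol != 3 {
		// RFC 4034 section 2.1.2: anything other than 3 makes the key invalid.
		return nil, fmt.Errorf("dnskey: protocol %d is not 3", protocol)
	}
	pk, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(keyB64), ""))
	if err != nil {
		return nil, fmt.Errorf("dnskey: bad base64: %v", err)
	}
	return &DNSKEY{Flags: flags, Protocol: protocol, Algorithm: algorithm, PublicKey: pk}, nil
}

// rdata returns the wire-format RDATA: flags, protocol, algorithm, public key.
func (k *DNSKEY) rdata() []byte {
	b := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(b, k.PublicKey...)
}

// ownerToWire gives the canonical form of the owner name (lowercase,
// uncompressed), RFC 4034 section 6.2.
func ownerToWire(name string) []byte {
	var b []byte
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b = append(b, byte(len(label)))
			b = append(b, label...)
		}
	}
	return append(b, 0)
}

// KeyTag implements RFC 4034 Appendix B.
func (k *DNSKEY) KeyTag() uint16 {
	rd := k.rdata()
	if k.Algorithm == 1 && len(rd) >= 3 {
		// Appendix B.1: for RSA/MD5 the tag is the 3rd and 2nd last octets of the modulus.
		return uint16(rd[len(rd)-3])<<8 | uint16(rd[len(rd)-2])
	}
	var ac uint32
	for i, b := range rd {
		if i&1 == 1 {
			ac += uint32(b)
		} else {
			ac += uint32(b) << 8
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// DSDigest is the digest over owner name || DNSKEY RDATA (section 5.1.4),
// returned as uppercase hex as in the presentation format.
func (k *DNSKEY) DSDigest(owner string, digestType uint8) (string, error) {
	in := append(ownerToWire(owner), k.rdata()...)
	switch digestType {
	case 1:
		s := sha1.Sum(in)
		return strings.ToUpper(hex.EncodeToString(s[:])), nil
	case 2:
		s := sha256.Sum256(in)
		return strings.ToUpper(hex.EncodeToString(s[:])), nil
	}
	return "", errors.New("ds: unsupported digest type")
}

// ToDS renders the DS record in the same layout key2ds prints.
func (k *DNSKEY) ToDS(owner string, digestType uint8) (string, error) {
	d, err := k.DSDigest(owner, digestType)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s\t0\tIN\tDS\t%d %d %d %s", owner, k.KeyTag(), k.Algorithm, digestType, d), nil
}

func main() {
	// Constructed key: flags 257 (KSK), protocol 3, algorithm 8, a 6-byte fake public key.
	k, err := ParseDNSKEY(257, 3, 8, "AwEAAavN")
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, dt := range []uint8{1, 2} {
		ds, _ := k.ToDS("sidn.nl.", dt)
		fmt.Println(ds)
	}
}
```

Because the owner name is part of the digest input, a DS computed for the wrong name (or a non-canonicalised one) never matches the child’s key, which is the most common way a hand-made delegation ends up bogus.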

This utility uses synchronous queries. I will explain the main function:

Read more →

DNS reflector server in GO

I’m (again) rewriting the API of godns. This time I’m taking a cue from the http package in Go, and the result seems very nice. A reflector (returns your query in the answer) in Go becomes:

package main

import (
        "dns"
        "log"
)

func ReflectServer(w dns.ResponseWriter, req *dns.Msg) {
        // A packet without a question section would make m.Question[0] panic
        // inside the handler, so drop such packets instead of answering them.
        if len(req.Question) == 0 {
                return
        }
        m := new(dns.Msg)
        m.SetReply(req) // copies the ID and the question section from the request

        // Add one TXT record, owned by the queried name, to the additional section.
        m.Extra = make([]dns.RR, 1)
        m.Extra[0] = &dns.RR_TXT{Hdr: dns.RR_Header{Name: m.Question[0].Name, Rrtype: dns.TypeTXT,
                Class: dns.ClassINET, Ttl: 0}, Txt: "Hello world"}
        buf, _ := m.Pack() // the second return value should be checked in real code
        w.Write(buf)
}

func main() {
        dns.HandleFunc(".", ReflectServer) // every name ends up in ReflectServer
        err := dns.ListenAndServe(":8053", "udp", nil)
        if err != nil {
                log.Fatal("ListenAndServe: ", err)
        }
}
Read more →

Learning Go - version 0.3

I’ve tagged a new version of “Learning Go”, version 0.3. It’s more of a snapshot of the current development than an actual “release” release.

There are lots of fixes, code updates and tweaks. Numerous people sent in fixes. Thank you all for the contributions!

Get it:

Feedback is welcome.

To see the development version you can use:

Major stuff coming in 0.4:

Read more →