Date:      Tue, 11 Jan 2011 02:47:36 GMT
From:      Leo Vandewoestijne <freebsd@dns-lab.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/153881: dns/curvedns Forwarding NS that adds DNSCurve 
Message-ID:  <201101110247.p0B2laTM070474@red.freebsd.org>
Resent-Message-ID: <201101110250.p0B2o6Yw073345@freefall.freebsd.org>


>Number:         153881
>Category:       ports
>Synopsis:       dns/curvedns Forwarding NS that adds DNSCurve
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 11 02:50:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Leo Vandewoestijne
>Release:        
>Organization:
DNS-lab
>Environment:

>Description:
CurveDNS is a forwarding nameserver that adds DNSCurve to DNS,
and the first publicly released forwarder implementing the
DNSCurve protocol.

It is a project of Harm van Tilburg (TU Eindhoven),
Jeroen Scheerder and Lieuwe Jan Koning.
=> http://curvedns.on2it.net/about

DNSCurve is a security protocol superior to DNSSEC, though
addressing different and better-known vulnerabilities in the DNS.
Besides that, it is far more practical to deploy.
It was designed by D.J. Bernstein, notable for qmail and tinydns.
=> http://dnscurve.org/

The protocol is described in an IETF draft by Matthew Dempsky.
=> http://tools.ietf.org/html/draft-dempsky-dnscurve-01

Because the public key is part of the FQDN of the authoritative
nameserver, it is compatible with virtually every TLD tested.
=> http://dns-lab.com/pub/dnscurve/registry-compatibility.lasso

Note also that it can add a considerable amount of security to
internal networks too.


Technically DNSCurve and DNSSEC can coexist without problems;
in reality the debate seems to make egos clash.


Articles:

DJB exposing DNSSEC is relative:
=> http://cr.yp.to/talks/2009.08.10/slides.pdf

Paul Vixie 'striking' back:
=> http://www.isc.org/community/blog/201002/whither-dnscurve
 
Heated discussion:
=> http://www.cricketondns.com/post.cfm/dnssec-vs-dnscurve

OpenDNS adopts DNSCurve:
=> http://blog.opendns.com/2010/02/23/opendns-dnscurve/
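
The TLD-compatibility point above rests on the DNSCurve public key being carried inside the nameserver's hostname, which can be checked offline. The following Python is an added example, not code from this PR or the CurveDNS project: it implements the "uz5" + 51-character base32 key label from the Dempsky draft (alphabet 0123456789bcdfghjklmnpqrstuvwxyz, little-endian bit packing) and validates NS names against it; the key bytes it uses are constructed test values, not real keys.

```python
"""DNSCurve key-label encoding (added example; not CurveDNS project code).
A DNSCurve server publishes its Curve25519 public key in the NS hostname:
"uz5" + 51 base32 chars carrying the 255-bit key, using the alphabet and
little-endian bit order of draft-dempsky-dnscurve.  Keys here are constructed."""

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # base32 without a, e, i, o
PREFIX = "uz5"
KEY_BITS = 255                                 # Curve25519 x-coordinate < 2^255
KEY_BYTES = 32
LABEL_LEN = len(PREFIX) + KEY_BITS // 5        # 3 + 51 = 54 characters

def base32_encode(data: bytes, nbits: int) -> str:
    """Encode the low `nbits` bits of `data`, 5 bits per char, LSB first."""
    value = int.from_bytes(data, "little")
    if value >> nbits:
        raise ValueError("value does not fit in %d bits" % nbits)
    return "".join(ALPHABET[(value >> shift) & 31] for shift in range(0, nbits, 5))

def base32_decode(text: str, nbytes: int) -> bytes:
    """Inverse of base32_encode; raises ValueError on a non-alphabet char."""
    value = 0
    for pos, ch in enumerate(text):
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("invalid DNSCurve base32 character %r" % ch)
        value |= digit << (5 * pos)
    return value.to_bytes(nbytes, "little")

def key_to_label(key: bytes) -> str:
    """Build the NS label a DNSCurve server publishes for `key`."""
    if len(key) != KEY_BYTES:
        raise ValueError("Curve25519 public key must be %d bytes" % KEY_BYTES)
    return PREFIX + base32_encode(key, KEY_BITS)

def label_to_key(hostname: str):
    """Return the key embedded in an NS hostname, or None when the first
    label is not a well-formed DNSCurve key label (i.e. a plain NS name)."""
    label = hostname.lower().split(".")[0]      # DNS names are case-insensitive
    if len(label) != LABEL_LEN or not label.startswith(PREFIX):
        return None
    try:
        return base32_decode(label[len(PREFIX):], KEY_BYTES)
    except ValueError:
        return None

if __name__ == "__main__":
    demo_key = bytes(range(32))                 # constructed key, top bit clear
    name = key_to_label(demo_key) + ".ns.example.com"
    print(name, label_to_key(name) == demo_key)
```

A resolver-side check that a zone's NS names decode to 32-byte keys is the same test `curvedns` itself relies on when deciding whether a client or upstream speaks DNSCurve.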
>How-To-Repeat:

>Fix:
Please use enclosed .shar file to replicate.

Patch attached with submission follows:

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	curvedns
#	curvedns/files
#	curvedns/files/freebsd.patch
#	curvedns/Makefile
#	curvedns/pkg-descr
#	curvedns/distinfo
#	curvedns/pkg-message
#	curvedns/pkg-deinstall
#	curvedns/pkg-plist
#
echo c - curvedns
mkdir -p curvedns > /dev/null 2>&1
echo c - curvedns/files
mkdir -p curvedns/files > /dev/null 2>&1
echo x - curvedns/files/freebsd.patch
sed 's/^X//' >curvedns/files/freebsd.patch << 'a694d2af01a99fbb7ddf6ace9c6be8de'
Xdiff -rupN curvedns-0.87.orig/Makefile.in curvedns-0.87/Makefile.in
X--- curvedns-0.87.orig/Makefile.in	2011-01-10 21:15:14.000000000 +0000
X+++ curvedns-0.87/Makefile.in	2011-01-10 23:12:35.000000000 +0000
X@@ -8,9 +8,9 @@ NACLINC=nacl/build/include/$(ABI)
X CDNSCFLAGS=-Wall -fno-strict-aliasing -O3 -I$(NACLINC)
X 
X # If you have libev at a non-standard place, specify that here:
X-#EV=
X-#EVCFLAGS=-I$(EV)/include
X-#EVLDFLAGS=-L$(EV)/lib
X+EV=$(PREFIX)
X+EVCFLAGS=-I$(EV)/include
X+EVLDFLAGS=-L$(EV)/lib
X 
X CC=@CC@
X CFLAGS=@CFLAGS@ $(CDNSCFLAGS) $(EVCFLAGS)
X@@ -33,7 +33,7 @@ distclean: clean
X 	rm -f Makefile
X 
X install:
X-	@echo Sorry, no automated install. Copy the following binaries to your preferred destination path:
X+	@echo Copieng the following binaries to /usr/local/bin
X 	@echo "  $(TARGETS)"
X 
X debug.o: debug.c debug.h
a694d2af01a99fbb7ddf6ace9c6be8de
echo x - curvedns/Makefile
sed 's/^X//' >curvedns/Makefile << '8957d6287ba3674417b427f8a38bc516'
X# New ports collection makefile for: curvedns
X# Date created:		19 December 2010
X# Whom:			Leo Vandewoestijne <freebsd@dns-lab.com>
X#
X# $FreeBSD$
X#
X
XPORTNAME=		curvedns
XPORTVERSION=		0.87
XCATEGORIES=		dns
XMASTER_SITES=		http://curvedns.on2it.net/releases/
X
XMAINTAINER=		freebsd@dns-lab.com
XCOMMENT=		A forwarder adding DNSCurve to an authoritative nameserver
X
XLIB_DEPENDS=		ev.3:${PORTSDIR}/devel/libev
XRUN_DEPENDS=		setuidgid:${PORTSDIR}/sysutils/daemontools
XBUILD_DEPENDS=		bash:${PORTSDIR}/shells/bash
X
XHAS_CONFIGURE=		yes
XCONFIGURE_SCRIPT=	configure.nacl
XALL_TARGET=		# yes, an empty target.
X
Xpost-patch:
X	@cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/freebsd.patch
X
Xpre-configure:
X	@${ECHO_MSG} "===> Configuring may take a couple of minutes"
X
Xpost-configure:
X	@cd ${WRKSRC} && ./configure.curvedns
X
Xpost-install:
X	${CP} ${WRKSRC}/curvedns ${WRKSRC}/curvedns-keygen ${PREFIX}/bin/
X	${MKDIR} ${PREFIX}/etc/curvedns/log ${PREFIX}/etc/curvedns/env
X	${MKDIR} /var/service
X	${CP} ${WRKSRC}/contrib/curvedns-run ${PREFIX}/etc/curvedns/run
X	${CP} ${WRKSRC}/contrib/curvedns-log-run ${PREFIX}/etc/curvedns/log/run
X	${ECHO} 53 > ${PREFIX}/etc/curvedns/env/UID
X	${ECHO} 53 > ${PREFIX}/etc/curvedns/env/GID
X	${CHOWN} -R 53:53 ${PREFIX}/etc/curvedns
X	${CHMOD} 755 ${PREFIX}/etc/curvedns/run ${PREFIX}/etc/curvedns/log/run
X	${CHMOD} 0700 ${PREFIX}/etc/curvedns/env
X	@${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.mk>
8957d6287ba3674417b427f8a38bc516
echo x - curvedns/pkg-descr
sed 's/^X//' >curvedns/pkg-descr << '931623700713f578c21099743ca3e780'
XCurveDNS is a forwarding nameserver that adds DNSCurve to DNS,
Xand the first publicly released forwarder implementing the
XDNSCurve protocol.
X
XIt is a project of Harm van Tilburg (TU Eindhoven),
XJeroen Scheerder and Lieuwe Jan Koning.
X=> http://curvedns.on2it.net/about
X
XDNSCurve is a security protocol superior to DNSSEC, though
Xaddressing different and better-known vulnerabilities in the DNS.
XBesides that, it is far more practical to deploy.
XIt was designed by D.J. Bernstein, notable for qmail and tinydns.
X=> http://dnscurve.org/
X
XThe protocol is described in an IETF draft by Matthew Dempsky.
X=> http://tools.ietf.org/html/draft-dempsky-dnscurve-01
X
XBecause the public key is part of the FQDN of the authoritative
Xnameserver, it is compatible with virtually every TLD tested.
X=> http://dns-lab.com/pub/dnscurve/registry-compatibility.lasso
X
XNote also that it can add a considerable amount of security to
Xinternal networks too.
X
X
XTechnically DNSCurve and DNSSEC can coexist without problems;
Xin reality the debate seems to make egos clash.
X
X
XArticles:
X
XDJB exposing DNSSEC is relative:
X=> http://cr.yp.to/talks/2009.08.10/slides.pdf
X
XPaul Vixie 'striking' back:
X=> http://www.isc.org/community/blog/201002/whither-dnscurve
X 
XHeated discussion:
X=> http://www.cricketondns.com/post.cfm/dnssec-vs-dnscurve
X
XOpenDNS adopts DNSCurve:
X=> http://blog.opendns.com/2010/02/23/opendns-dnscurve/
X
X
X
XWWW:	http://curvedns.on2it.net/
931623700713f578c21099743ca3e780
echo x - curvedns/distinfo
sed 's/^X//' >curvedns/distinfo << '7136d019fe84aabd37034f07185a22a6'
XSHA256 (curvedns-0.87.tar.gz) = a44da0ce88f88f78020040bc8331485e0befbf784574af3d123091ab30d0d830
XSIZE (curvedns-0.87.tar.gz) = 330412
7136d019fe84aabd37034f07185a22a6
echo x - curvedns/pkg-message
sed 's/^X//' >curvedns/pkg-message << 'b9d3883d10f82bf7b5c1a2e489a63893'
X###########################################################
X
X	To start using curvedns, finish these tasks:
X
X----- place key -------------------------------------------
Xrun curvedns-keygen to generate and install your key
X
X----- "bug" -----------------------------------------------
X# somehow the env vars are not loaded, so add them differently:
Xee ~/.cshrc
X# (assuming you've kept the default csh shell)
X# and add the following 4 lines at the bottom:
X
X# tmp solution:
Xforeach f (`ls /usr/local/etc/curvedns/env`)
X  setenv $f `cat /usr/local/etc/curvedns/env/$f`
Xend
X
X# and logout/login
X
X----- configure -------------------------------------------
Xedit /usr/local/etc/curvedns/run
X
X----- startup ---------------------------------------------
Xln -s /usr/local/etc/curvedns /var/service/curvedns
Xecho svscan_enable=\"YES\" >> /etc/rc.conf
X/usr/local/etc/rc.d/svscan start
X
X----- verify ----------------------------------------------
Xdig @<your-ip-addr> version.bind chaos txt
Xdig @<your-ip-addr> domain.example a
Xtail /usr/local/etc/curvedns/log/main/current | tai64nlocal
X
X###########################################################
b9d3883d10f82bf7b5c1a2e489a63893
echo x - curvedns/pkg-deinstall
sed 's/^X//' >curvedns/pkg-deinstall << '380abf65110587f5dd4cd7d35f5ba6c2'
X#rm     /usr/local/bin/curvedns \
X#       /usr/local/bin/curvedns-keygen
X#
X# ${PREFIX}
X#
Xrm -rf etc/curvedns
380abf65110587f5dd4cd7d35f5ba6c2
echo x - curvedns/pkg-plist
sed 's/^X//' >curvedns/pkg-plist << '6fd03dfb0778ec1448c9fff232fa025e'
Xbin/curvedns
Xbin/curvedns-keygen
X@dirrmtry etc/curvedns
6fd03dfb0778ec1448c9fff232fa025e
exit
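Review bot: the first hunk of files/freebsd.patch replaces the commented-out libev defaults with an unconditional `EV=$(PREFIX)`, so the build depends on PREFIX being present in make's environment; when it is not (a build outside the ports framework), the flags expand to `-I/include` and `-L/lib` and silently point at the wrong location. Consider `EV?=$(PREFIX)` or passing the libev prefix explicitly from the port (for example via MAKE_ENV), and a short comment in the hunk saying where EV is expected to come from.

Review bot: in the second hunk the `install` target's message is changed to "Copieng the following binaries to /usr/local/bin", but the target still only echoes; the actual copy is done by the port's post-install with ${CP} into ${PREFIX}/bin. The message is therefore misleading during the port's install step, hardcodes /usr/local/bin instead of $(PREFIX)/bin, and misspells "Copying". Either leave the upstream message untouched, or make the target really install (for example `install -m 555 $(TARGETS) $(PREFIX)/bin`) so the post-install copy can go away.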



>Release-Note:
>Audit-Trail:
>Unformatted:


