psa-ns

Module version: v0.0.0-...-bec6d6f
Published: May 27, 2023 License: GPL-3.0

README

Intro

psa-ns was written as an enhanced drop-in replacement for tinydns.

Features

psa-ns supports most features of tinydns but also includes some enhancements.

The following table gives a brief overview:

Feature | psa-ns support | tinydns support
--- | --- | ---
Can act as authoritative nameserver | |
TCP Support | | ✅ (via axfrdns)
Supports EDNS0 | |
Supports EDE (RFC 8914) | |
Supports IPv6 | | ❌ (patches exist)
Supports DNSSEC | | ❌ (patches exist)
Zone transfer | consul / scripts | rsync / scripts
Language written in | Golang | C
Has thousands of installations and is shipped with many distributions | |

Installation

Just run

$ go build cmd/psa-ns.go

to build the main binary.

After this, you can start writing your zone file, which is typically called data.

Zone file format

psa-ns uses the same zone file format as tinydns. See https://cr.yp.to/djbdns/tinydns-data.html for details.

All features of tinydns-data excluding the 'loc' format are supported. psa-ns also supports some custom verbs to simplify IPv6 support. See psa-zone-format for psa-ns specific details.

Sample zone (data) file
# SOA with ns-a.example.com
.example.com::ns-a.example.com
# another NS
&example.com::ns-b.example.com
# NS with auto-generated A record and auto fqdn expansion
&example.com:192.168.1.11:foo
# Define an MX with distance 5
@example.com:192.168.1.12:mx-a.example.com:5
# A record
=example.com:192.168.1.1:30
# AAAA record
6example.com:2a000000000000000000000000000001:30
# AAAA record for MX
6mx-a.example.com:2a0000000000000000000000000000be:30
# A for ns-a.example.com
=ns-a.example.com:192.168.1.12:30
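
To make the line-by-line semantics of the sample above concrete, here is an added Go example (not code from psa-ns or tinydns) that parses the verbs the sample uses: '=', '6', '.', '&' and '@', including the x.ns.fqdn / x.mx.fqdn shorthand behind "foo" and the 32-hex-digit AAAA form of the psa-ns '6' verb. It assumes the tinydns-data rules for those verbs as documented at cr.yp.to; it ignores TTL fields and does not implement the other verbs, tinydns' default of a.ns.fqdn for an empty x, or the PTR records that '=' also creates.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

type Record struct{ Type, Name, Value string } // one RR derived from a data-file line

// ParseLine turns one data-file line into its records (nil for comments and blank lines).
func ParseLine(line string) ([]Record, error) {
	line = strings.TrimSpace(line)
	if line == "" || line[0] == '#' {
		return nil, nil
	}
	f := append(strings.Split(line[1:], ":"), "", "", "") // pad optional fields
	fqdn, ip, host, label := f[0], f[1], f[2], "ns"
	if line[0] == '@' {
		label = "mx"
	}
	if !strings.Contains(host, ".") { // tinydns shorthand: x without dots means x.<label>.<fqdn>
		host += "." + label + "." + fqdn
	}
	var recs []Record
	switch line[0] {
	case '=':
		return []Record{{"A", fqdn, ip}}, nil
	case '6': // psa-ns AAAA verb: 32 hex digits, no colons
		if b, err := hex.DecodeString(ip); err == nil && len(b) == net.IPv6len {
			return []Record{{"AAAA", fqdn, net.IP(b).String()}}, nil
		}
		return nil, fmt.Errorf("bad AAAA address %q", ip)
	case '.': // SOA and NS in one line
		recs = append(recs, Record{"SOA", fqdn, host}, Record{"NS", fqdn, host})
	case '&':
		recs = append(recs, Record{"NS", fqdn, host})
	case '@': // MX value is "<distance> <exchanger>"; a missing distance means 0
		dist, _ := strconv.Atoi(f[3])
		recs = append(recs, Record{"MX", fqdn, strconv.Itoa(dist) + " " + host})
	default:
		return nil, fmt.Errorf("unsupported verb %q", line[0])
	}
	if ip != "" { // '.', '&' and '@' also define an A record for the named host
		recs = append(recs, Record{"A", host, ip})
	}
	return recs, nil
}
```

Feed each line of the sample data file to ParseLine to see which records it implies; a colon-form IPv6 address on a '6' line is rejected rather than silently mis-parsed.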

Building the data file

Once you have created your data file, you have to convert it into psa-ns's (tinydns-data compatible) binary format. This is done by running:

$ psa-ns -make-data

...which will create a data.cdb file. Just like with tinydns, this is an atomic operation and can be safely executed while psa-ns is running.

Running psa-ns

In the directory in which data.cdb is located, just run:

# change binary owner to root:root and allow psa-ns to bind
# to port 53 as a normal user.
$ sudo chown root:root psa-ns
$ sudo setcap cap_net_bind_service=ep psa-ns
$ psa-ns -listen 127.0.0.1:53

See psa-ns --help for more options.

Consul support

psa-ns supports data file retrieval via consul.

This is optional but can be very handy to distribute zone file updates to multiple servers.

To use this feature, launch psa-ns like this:

# A token which has read access to the specified -consul-key.
$ export CONSUL_HTTP_TOKEN="93333221-fefe-f0f0-baba-123456789abc"
# The datacenter to use.
$ export CONSUL_DATACENTER=www

$ psa-ns -listen '[2001::f00]:53,192.168.1.1:53' \
  -consul-key=dns/zone/prod -consul-mark=EOF_MARKER 2>&1

This will cause psa-ns to watch for changes/updates on dns/zone/prod and, once they have happened, build a data.cdb from the data read. As a paranoia mechanism, the data will only be used if psa-ns can find the string EOF_MARKER in the supplied data (it may be a plain comment). This protects against accidental key deletions: in such a scenario, psa-ns simply refuses the data from consul and continues serving from the existing / old data file.

Note that psa-ns always keeps a copy of the zone file in its own directory (and hence needs write access to it), making consul a non-critical dependency.
