Good morning. Welcome back to the DNS devroom. Our next speaker is Erwin Hoffmann; he will be speaking about the state of djbdnscurve6. Oh, spoilers. Let's try that again, full screen. Technology, I'm sorry. Fine, that's working.

Hey, good morning everybody. Thanks for the invitation here to FOSDEM. I'm here for the talk, and I will try to give you some ideas about what I did regarding the further development of djbdns, in particular what I've called djbdnscurve6. I also would like to provide you with some ideas about a particular use case, namely how to integrate IPv6 link-local unicast addresses for use on a stub resolver and a DNS server. That's a particular use case which I think is quite nice in order to get some ideas about IoT devices. So let's at first make some kind of historical note. djbdnscurve6 is essentially a fork of Daniel Bernstein's djbdns. I'm not here to advocate Bernstein, and I'm not here to talk about the benefits of DNSCurve versus DNSSEC; that's not the scope of my topic. Rather, what I did so far is to make Daniel Bernstein's software more usable and also to provide some kind of libraries that you can use for standard projects, let's say. One of those libraries I call fehQlibs, or just simply qlibs, which simply integrates all the functions you need in order to do IPv6 address parsing, in particular CIDR recognition, and also the use of the socket interface and all that stuff you actually need for network programming.
So this is done in a way that we have a DNS stub resolver we can use, and on the other side djbdnscurve6, which is a more or less full-blown DNS server, although with a limited scope. The achieved results I would like to present here are mainly part of the results we have produced at the Frankfurt University of Applied Sciences together with my students; I put them into software and I present them here in that way. Also, if you'd like to have some deeper understanding of the IP version 6 protocol, you can read, if you can read German, some of my books, which are called "Technique of the IP Networks". So what I actually cover in my talk is a little bit about the history of djbdnscurve6 and also my software library qlibs. I would like to introduce you to the ideas of using IPv6 addresses, and in particular IPv6 link-local unicast addresses, for DNS services, applying those to servers and clients of course, and maybe also to discuss some use cases why it is beneficial to do so. So it seems actually DNS is something for the old grey men, as we have seen so far. Let's see what we could do about that now. Just to give you some kind of history:
I have supported Bernstein's software for about 20 years, I would say. Initially I did some patches for qmail; now I have my own fork running, which is called s/qmail, and this is more or less aligned with what Felix von Leitner does, who is known to be the German blogger Fefe, and we all work together a little bit in this context. What I did so far was essentially to make all the routines Bernstein has developed, like ucspi-tcp and qmail and in particular djbdns, IPv6 aware, in the sense that IPv6 is really completely supported by the product and not just in terms of patches. So the current releases I do have are djbdnscurve6 in version 36a, and the current running DNS stub resolver library is part of qlibs in version 12c so far. You see on that table what the essential services are which are coming with djbdnscurve6. Essentially, I do have a content server, which is called tinydns.
That's really tiny; it just speaks UDP and it has no other understanding, more or less, except for the complete IPv6 support. I also have a software piece which is called rbldns; it's a relay blacklist daemon, and that's actually quite nice because it also provides you with the capability to have IP version 6 addresses in there and to look those up for a particular spam protection. I do have walldns in there. But the main routine essentially is what I call dnscache, which is the caching server and recursive name server, which is used essentially by the clients to contact. So this dnscache, as you can see, has the benefits: it includes TCP support and UDP support, EDNS support is done on the server side, and DNSCurve has been completely included. So what you can get here is that you can receive encrypted DNS responses, and of course you do the query also in a secure way. The clients are pretty slim. We have some clients: dnsip, dnsmx to look up the MX records, dnsname to get the pointer records, and dnstxt to get the TXT records. That's all I have. It's nothing really particular, and it cannot compare with other full-blown software stacks like PowerDNS or BIND, whatever you have. So it's a really tiny selection over here.
So the idea I had was, back some years when I gave some lectures about distributed systems at the Vietnamese-German University in Ho Chi Minh City, to somehow solve the so-called Byzantine generals problem, to get valid answers essentially from a collaborating system. That's the basic idea, without using signatures like DNSSEC is providing now. The main idea of that talk is to give you some ideas why it is useful to have IP version 6 link-local unicast address support in DNS. It gives a particular scope here, and let's discuss some important items. At first, IP version 6 link-local unicast addresses are prohibited to be part of a zone file. That means you cannot have any kind of fe80 address in a zone file. It's simply not working; you probably can try that, but it's not working because you're lacking the so-called interface index, and that's actually expressed already in RFC 447. So you cannot do that, but on the other hand you are free to bind your DNS server, and also your DNS clients, a stub resolver, to use IP version 6 link-local unicast addresses. I don't know which product is actually using this, but at least you can get that with my kind of software. That means we have to solve two essential problems. One problem is that the DNS server, whether it is a content server or a cache server, needs to bind to a link-local unicast address, which only can be done if you actually provide an additional piece of information, which we call the interface index. Second, we have to tell the DNS stub resolver that it can use this kind of address, and that's the more tricky part; how this is done
I will tell you in a few minutes. So I don't know how well you are familiar with the IP version 6 protocol and its benefits. It's a little bit different beast than IP version 4, what we have seen before. The main idea of IP version 6 is the following: everything you do is essentially auto-configured, and you can see that on the slide on the right-hand side. What the client does in case it is going online on the network, so you get some kind of link on the network, is that it asks essentially for a prefix, and also it does some kind of auto-configuration of the IP address; we call this stateless address auto-configuration. That means the client configures itself an IP version 6 address, which is in the beginning a so-called link-local unicast address starting with fe80. That's the basic idea. Now the next step in an IP version 6 network, if it is a real IP version 6 network, is that we have a router in the network which does some kind of router advertisements. The router advertisements are done again using this IP version 6 LLU address, and the router advertisements provide us with the network prefix, like 2001:something, and also we can get the IP addresses of the routers. In particular, what you can also get, and that's point number three, is information about the DNS services. That means the DNS services, the recursive name services in your network, are published or could be published by means of a router advertisement daemon, for instance, and in addition to the IP version 6 address it can publish a search list.
That's quite nice to have. It's all confined, and the very interesting idea about that is that everything happening on that slide is happening using link-local unicast addresses or perhaps some kind of multicast addresses. So let's have an idea about the addresses. The address strategy in IP version 6 is a little bit different; it very strongly depends on the very first bits of the IP version 6 address. If it starts with the highest bits all one, these are multicast addresses. Remember, in IP version 6 we do not have any broadcast, just multicast. From here we have a kind of functional addresses, and one particular functional address is the DNS multicast address, which is shown here to start with ff01 and end with fb. So we can have multicast DNS services on the network, but that's nothing I talk about today; it's a future project essentially. Now we need to understand that in IP version 6 networks information is essentially sent to multicast addresses, and that's this idea here: we use a multicast address as the recipient address; the target address rather could either be a unicast address or it could be what we call an unspecified address. The unspecified address is something you know in the IP version 6 network, which is simply indicated by the double colon; the double colon is the unspecified address, and that's at the very lowest line. That means in the IP version 6 address everything is essentially set to zero. Then you get the hierarchy: we have the host addresses, the loopback address, we have the LLU addresses, we have the ULA addresses, which are a little bit like IP version 4 private addresses, and we have the routable addresses in the IP network, which is the blue zone over here.

The problem is now how to make a server understand the interface index, and I have chosen in my software two different ways. One way: you can specify, additionally to the IP version 6 address like fe80::1 for instance, as a particular argument the interface name like eth0 or whatever you like. The other way is you have something like a composite address. A composite address essentially includes on the one side the respective IP version 6 LLU address and then, concatenated by means of a percent sign, the particular interface name. That can be done. Now remember, in the IP version 6 world we have the following very important issue: the IP version 6 address, given its LLU variant, can be the same on different interfaces, and that's the reason why we have the requirement to have this interface index, whatever you need. But that's the idea how to bind it. That's pretty easy. You can find it in my software; it's online, you can see the links later on, and you can see how to do it. That's the basic idea. Now in particular for a DNS service it would be very nice to have a common service for IP version 4 and IP version 6; of course it's the same information. We do not have different zone files or databases for IP version 4 and IP version 6. I rather do not like to have a particular forwarding and reverse zone.
I would like to keep it in a simple database. And in order to do so you need to bind the server both to the available IP version 4 and IP version 6 addresses. That's not that easy, because mostly today the operating system inhibits this, and you have to find a particular socket setting in order to do so. In my software I have chosen a simple scheme: if you are using the software and you simply define a ":0" address, it says bind to all available IP version 4 and IP version 6 addresses, and that's done. That means now a dnscache can essentially handle requests from IP version 4 and IP version 6 clients. Remember, what's also interesting, and that's in the box down there, is that in an IP version 6 network you now have three loopback interfaces. The one loopback interface is given for the IP version 4 address; that's the common 127.0.0.1. We have the global scope loopback interface, which is the ::1 address, and we have a local scoped loopback interface; in a BSD kind of Unix it is simply expressed as fe80::1%lo0, for instance. So we have a different kind of guy here. You can bind a service to any of those addresses. Now let's have a real understanding of what the thing is doing; that's a more general picture. What is my dnscache doing? It receives essentially requests from the clients. These requests from the clients can originate from an IP version 4 network,
they can originate from an IP version 6 network, or they can reach the server by means of a link-local unicast address. That means I can configure that server to listen on all these kinds of addresses; that's quite nice. On the other hand, the forwarding of the query to the internet, to the recursion, could be done on a completely different address. That means recursion and listening are sitting on different IP addresses, so you can have a more resilient situation here; it's a more robust way to do the DNS lookup. And you see I do not currently support DNSSEC validation, but that's a project which will come also. So that's the difference. Now, the dual-stack bind in what I have is indicated here in the yellow box, having the ":0" kind of address. And there's one other address which is of quite some interest I can use in my software: the double colon address, to bind to the unspecified address, which is actually used not for receiving but just for sending. So what does that mean?
This means essentially that I can do what I call reverse IP version 6 anycasting, which means in an IP version 6 network you can actually have the generation of interfaces on demand. That means you can set up a VLAN interface on demand for software-defined networking, for instance, and here what you can do essentially is that the server is able to bind to newly generated interfaces. So as soon as it recognizes a new IP version 6 address, it binds automatically to that new address without any kind of reconfiguration; that's completely done automatically, and there you use a specific socket option in order to do so. So that's a nice thing; that means you can generate these kinds of bindings, which are not common these days. Now the more tricky part is the DNS stub resolver. The problem is that the DNS stub resolver regarding the Unix operating system is mostly based on what we have seen; it's called the system-wide configuration file, which is simply /etc/resolv.conf. The problem with /etc/resolv.conf is that it is not standardized. There's no RFC telling what its format is, and there is no way to integrate an IP version 6 LLU address in that DNS configuration file. No way. It simply doesn't work; you can try it, but it does not work. Essentially you can break it. That's the standard Unix way, to have a central system-wide configuration file. The Windows operating system makes it different: the Windows operating system essentially generates for each interface a certain possibility to forward the DNS requests over the interface.
So that's interface specific. What I use in my software, according to what Daniel Bernstein actually has coded, is an application-specific kind of binding. That's very similar to DoH: if you have DoH, you have a web browser, it simply checks for its own name resolver, and that's what you can do here also for any application using it. Well, that's quite nice to see that this is working that way. So essentially it's this kind of configuration we have in a standard way: we have /etc/resolv.conf, and you remember /etc/resolv.conf, just what we have heard from Renzo, is essentially fed with information coming either from the router advertisement daemon or from the DHCP server or from the DHCPv6 server, or you could enter configuration in /etc/resolv.conf manually, but it's overwritten by any of those services. You cannot rely on it; it could change, everything could change here. That's a rather unfavorable situation, more or less. Essentially what we need to have is a DNS setting that says what the DNS recursive servers are we need to contact and what our local domain is. Typically this is done in the libresolv.so shared object file, given the BIND APIs; that's the standard situation. Now the way I did it is a little bit different. The way I do it is that I have a specific library, given my qlibs or the djbdnscurve6 libraries, which needs to be linked with your application. Given this linked application, you can have a certain environment variable which is called DNSCACHEIP, and now you can say in the DNSCACHEIP environment variable which name servers you can actually contact, in particular including the interface index, and also you can define here what your local domain is. That means you can have a specific network setting for an application which is using this kind of interface. So this is aside from the standard resolv.conf, for instance. This feature I have introduced of course does a fallback. The fallback simply says: if these environment variables are not present, simply use the standard /etc/resolv.conf, of course. So these things are not in opposition, but rather you can use them all together. That's the basic idea.

Now given this idea you can set up some kind of services. You can have IoT communication, and here essentially the software is so tiny that you can build up, by means of these libraries, DNS resolve routines for IoT devices and that stuff. So that is one case. One case you could have this solution used for is software-defined networking, having virtual interfaces which you actually can feed now. And also you can have here the situation where you have some kind of information, so that said, networking defining particular DNS services for an application. So, time is over. I'm sorry about that. So outlook: essentially what I would like to do is to add multicast support to my stuff, TCP support for the tinydns server, and all the other projects are in the future essentially. So that's it from my side. Thank you very much.

Thank you, Erwin. I'm sorry, we'll have no time for questions. Where could people find you if they have questions? Will you stick around for a bit? I'll stick around for a bit, and on my slides you find a lot of IP addresses you can use, and I'll be at one of those, of course. Otherwise simply Google for that; it's easy. Sorry about that. I will update the transparencies. Perfect. Thank you. Thank you. All right.
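As an added illustration of the address handling described in the talk (composite address%interface values, link-local addresses needing an interface index before a socket can use them, and the ":0" dual-stack shorthand), here is a small Python parser. It is example code written for this page, not part of djbdnscurve6 or qlibs; the whitespace-separated list format and the if_index hook are assumptions made here.

```python
"""Parser for resolver entries with IPv6 link-local scope identifiers.

Added example, not code from djbdnscurve6 or qlibs. It models the rules
from the talk: a link-local (fe80::/10) address is unusable without an
interface index, the interface is supplied as a composite
"<address>%<interface>" value, and ":0" means "bind to every IPv4 and
IPv6 address" (dual-stack). The whitespace-separated list format and the
if_index hook are assumptions made here for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List

DNS_PORT = 53
IfIndex = Callable[[str], int]  # interface name -> kernel interface index


@dataclass(frozen=True)
class Endpoint:
    family: int         # socket.AF_INET or socket.AF_INET6
    sockaddr: tuple     # (host, port) or (host, port, flowinfo, scope_id)
    dual_stack: bool    # True only for the ":0" shorthand


def parse_entry(entry: str, port: int = DNS_PORT,
                if_index: IfIndex = socket.if_nametoindex) -> Endpoint:
    """Turn one textual entry into the sockaddr an AF_INET(6) socket needs."""
    if entry == ":0":  # shorthand from the talk: all v4 and v6 addresses
        return Endpoint(socket.AF_INET6, ("::", port, 0, 0), True)
    host, _, scope = entry.partition("%")
    ip = ipaddress.ip_address(host)  # ValueError on anything that isn't an IP
    if ip.version == 4:
        if scope:
            raise ValueError(f"IPv4 address {ip} takes no %interface suffix")
        return Endpoint(socket.AF_INET, (str(ip), port), False)
    # Numeric scope ids ("fe80::1%2") are accepted as-is; names are resolved.
    scope_id = 0
    if scope:
        scope_id = int(scope) if scope.isdigit() else if_index(scope)
    if ip.is_link_local and scope_id == 0:
        # The address alone is ambiguous: the same fe80:: address may exist
        # on several interfaces, so the kernel needs the interface index.
        raise ValueError(f"link-local {ip} requires %<interface>")
    return Endpoint(socket.AF_INET6, (str(ip), port, 0, scope_id), False)


def parse_resolver_list(value: str, **kw) -> List[Endpoint]:
    """Parse a DNSCACHEIP-style list (assumed whitespace separated)."""
    return [parse_entry(e, **kw) for e in value.split()]


def aaaa_allowed(host: str) -> bool:
    """Zone-file rule from the talk: fe80::/10 cannot appear in AAAA data."""
    return not ipaddress.IPv6Address(host).is_link_local


def open_listener(ep: Endpoint) -> socket.socket:
    """Bind a UDP socket as described; clears IPV6_V6ONLY for dual-stack."""
    sock = socket.socket(ep.family, socket.SOCK_DGRAM)
    if ep.dual_stack:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    sock.bind(ep.sockaddr)
    return sock
```

The constructed interface map in the checks below stands in for the live kernel table, so the parser can be exercised on a machine without an eth0.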