Introducing dnst — a DNS Toolbox for network operators

By Alex Band
More than two decades ago, NLnet Labs started the ldns
library, with the goal of letting developers easily create RFC compliant DNS software in the C programming language. The library included a number of example programs, many of which have found their way into operator workflows.
With the domain
crate, we are offering a natural successor to the ldns
library in the Rust programming language. Today, we are launching the first Release Candidate of dnst
, a modern toolbox that offers drop-in replacements for some of the widely used ldns
example utilities, such as signzone
and keygen
.
Development Vision
We'll continue to make occasional use of ldns
in an experimental setting, such as during an IETF Hackathon to build a proof of concept for an Internet Draft. However, ldns
has been in maintenance mode since 2020, with no plans for major features, such as DNS-over-QUIC. Moreover, the ldns
example utilities were always intended as guidance for using the ldns
library for developers, not as standalone software at the quality level of Unbound or Routinator for use by operators in production environments.
dnst
will be a first-class citizen that offers tried-and-tested utilities on top of everything we provide in the domain
library. dnst
has the goal of being an ever-evolving toolbox of commands to aid DNS operators in the maintenance and operation of their zones and nameservers. All of our DNS projects in Rust get our long-term commitment. This means support contracts with an SLA will be available for dnst
once we do a production release of the software, later this year.
Current Implementation
The dnst
toolset initially offers drop-in replacements of the following six ldns
example utilities:
- key2ds
- keygen
- nsec3hash
- signzone
- notify
- update
One of the tools that accompanies ldns
is drill
, an alternative implementation of the well-known dig
tool. We have reimagined the functionality and output of such a DNS inspection tool in dnsi
, with a focus on usability.
When reimplementing the ldns
example programs we were able to make several improvements. For example, signing a zone should be quite a bit faster. At the same time, we came across various quirks, such as inconsistencies in certain command line options, as well as weird behavior, for instance when signing an already signed zone. We tried to gracefully handle these situations in dnst
so that behavior remains consistent. We meticulously documented these occurrences in the dnst
manual page with each subcommand.
Because of the number of nooks and crannies you have likely used these six ldns
example programs in over the last twenty years, we decided it would be best to first offer a Release Candidate of dnst
0.1.0.
dnst
over the next few months and report any other bugs and quirks you may find, which may prevent you from using dnst
as a drop-in replacement. After a final polish, we should feel confident to do a first official release after the summer. Installation
To make installation of dnst
easy, we offer packages on the NLnet Labs package repository for Debian, Ubuntu and Red Hat Enterprise Linux (RHEL) and compatible systems such as Rocky Linux. You can also build dnst
from the source code using Cargo, Rust’s build system and package manager. Cargo lets you run dnst
on almost any operating system and CPU architecture.
The documentation offers a comprehensive overview of both methods. Please keep in mind that when installing a binary package today, you will need to add the 'proposed' repository, because this first version is marked as a Release Candidate. When installing using Cargo, the man page is not included, but you can rely on the online version included in the documentation. Note that dnst
offers a choice between OpenSSL or the Rust ring
crate for its cryptography related functions.
Operating Modes
In the core design, dnst
supports two modes of operation; you can either run it in native mode or in ldns
emulation mode. Native mode works by simply invoking it with a subcommand, such as dnst keygen
. The ldns
emulation mode is activated by using the name of a supported ldns
example program, e.g. ldns-keygen
. It does this by deducing the command to invoke via the name of the symlink. This behavior is similar to how other backward compatible replacement tools are often installed in Linux.
For example, when you install the dnst
package on a Debian system that already has ldnsutils
installed, it will be removed in favour of dnst
:
# apt install dnst
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
libldns3
Use 'apt autoremove' to remove it.
The following packages will be REMOVED:
ldnsutils
The following NEW packages will be installed:
dnst
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Usage
To verify if dnst
was installed correctly try running:
# dnst --version
dnst 0.1.0-rc1
The symbolic links for the compabitible ldns
utilities will have been created automatically. For example, try to run:
# ldns-keygen -v
ldns-keygen provided by dnst v0.1.0-rc1 (compatible with ldns v1.8.4)
To demonstrate dnst
in action, let's try signing this example.zone file. Let's use the keygen
command first:
# dnst keygen -a ECDSAP256SHA256 example.
Kexample.+013+23269
# dnst keygen -a ECDSAP256SHA256 -k example.
Kexample.+013+40660
Then we sign the zone:
# dnst signzone -o example. example.zone Kexample.+013+23269 Kexample.+013+40660
And then we can for example use dnssec-verify
from the bind9-utils
to see if our signed zonefile checks out:
# dnssec-verify -o example. example.zone.signed
Loading zone 'example.' from file 'example.zone.signed'
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 0 active, 1 stand-by, 0 revoked
ZSKs: 0 active, 1 stand-by, 0 revoked
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
Please Give Us Your Feedback
Our DNS tools in Rust set the stage for the next decade of software from NLnet Labs. You can learn more about our vision in this article.
We hope that this first Release Candidate of dnst
offers a path forward for all DNS operators who currently depend on the ldns
example programs. We look forward to your feedback and feature requests.
Please don’t hesitate to open an issue on GitHub, or find us on Mastodon, Bluesky and the DNS-OARC Mattermost chat server.