Introducing dnst — a DNS Toolbox for network operators

Introducing dnst — a DNS Toolbox for network operators
Photo by Todd Quackenbush / Unsplash

By Alex Band

More than two decades ago, NLnet Labs started the ldns library, with the goal of letting developers easily create RFC compliant DNS software in the C programming language. The library included a number of example programs, many of which have found their way into operator workflows.

With the domain crate, we are offering a natural successor to the ldns library in the Rust programming language. Today, we are launching the first Release Candidate of dnst, a modern toolbox that offers drop-in replacements for some of the widely used ldns example utilities, such as signzone and keygen.

Development Vision

We'll continue to make occasional use of ldns in an experimental setting, such as during an IETF Hackathon to build a proof of concept for an Internet Draft. However, ldns has been in maintenance mode since 2020, with no plans for major features, such as DNS-over-QUIC. Moreover, the ldns example utilities were always intended as guidance for using the ldns library for developers, not as standalone software at the quality level of Unbound or Routinator for use by operators in production environments.  

🛠️
Going forward, dnst will be a first-class citizen that offers tried-and-tested utilities on top of everything we provide in the domain library. dnst has the goal of being an ever-evolving toolbox of commands to aid DNS operators in the maintenance and operation of their zones and nameservers.

All of our DNS projects in Rust get our long-term commitment. This means support contracts with an SLA will be available for dnst once we do a production release of the software, later this year.

Current Implementation

The dnst toolset initially offers drop-in replacements of the following six ldns example utilities:

  • key2ds
  • keygen
  • nsec3hash  
  • signzone  
  • notify  
  • update

One of the tools that accompanies ldns is drill, an alternative implementation of the well-known dig tool. We have reimagined the functionality and output of such a DNS inspection tool in dnsi, with a focus on usability.

Learn more

When reimplementing the ldns example programs we were able to make several improvements. For example, signing a zone should be quite a bit faster. At the same time, we came across various quirks, such as inconsistencies in certain command line options, as well as weird behavior, for instance when signing an already signed zone. We tried to gracefully handle these situations in dnst so that behavior remains consistent. We meticulously documented these occurrences in the dnst manual page with each subcommand. 

Because of the number of nooks and crannies you have likely used these six ldns example programs in over the last twenty years, we decided it would be best to first offer a Release Candidate of dnst 0.1.0.

We’d like you to try out dnst over the next few months and report any other bugs and quirks you may find, which may prevent you from using dnst as a drop-in replacement. After a final polish, we should feel confident to do a first official release after the summer. 

Installation

To make installation of dnst easy, we offer packages on the NLnet Labs package repository for Debian, Ubuntu and Red Hat Enterprise Linux (RHEL) and compatible systems such as Rocky Linux. You can also build dnst from the source code using Cargo, Rust’s build system and package manager. Cargo lets you run dnst on almost any operating system and CPU architecture.

The documentation offers a comprehensive overview of both methods. Please keep in mind that when installing a binary package today, you will need to add the 'proposed' repository, because this first version is marked as a Release Candidate. When installing using Cargo, the man page is not included, but you can rely on the online version included in the documentation. Note that dnst offers a choice between OpenSSL or the Rust ring crate for its cryptography related functions.

Operating Modes

In the core design, dnst supports two modes of operation; you can either run it in native mode or in ldns emulation mode. Native mode works by simply invoking it with a subcommand, such as dnst keygen. The ldns emulation mode is activated by using the name of a supported ldns example program, e.g. ldns-keygen. It does this by deducing the command to invoke via the name of the symlink. This behavior is similar to how other backward compatible replacement tools are often installed in Linux.

For example, when you install the dnst package on a Debian system that already has ldnsutils installed, it will be removed in favour of dnst:

# apt install dnst
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libldns3
Use 'apt autoremove' to remove it.
The following packages will be REMOVED:
  ldnsutils
The following NEW packages will be installed:
  dnst
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.

Usage

To verify if dnst was installed correctly try running:

# dnst --version
dnst 0.1.0-rc1

The symbolic links for the compabitible ldns utilities will have been created automatically. For example, try to run:

# ldns-keygen -v
ldns-keygen provided by dnst v0.1.0-rc1 (compatible with ldns v1.8.4)

To demonstrate dnst in action, let's try signing this example.zone file. Let's use the keygen command first:

# dnst keygen -a ECDSAP256SHA256 example.
Kexample.+013+23269
# dnst keygen -a ECDSAP256SHA256 -k example.
Kexample.+013+40660

Then we sign the zone:

# dnst signzone -o example. example.zone Kexample.+013+23269 Kexample.+013+40660

And then we can for example use dnssec-verify from the bind9-utils to see if our signed zonefile checks out:

# dnssec-verify -o example. example.zone.signed 
Loading zone 'example.' from file 'example.zone.signed'

Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 0 active, 1 stand-by, 0 revoked
                      ZSKs: 0 active, 1 stand-by, 0 revoked
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked

Please Give Us Your Feedback

Our DNS tools in Rust set the stage for the next decade of software from NLnet Labs. You can learn more about our vision in this article

We hope that this first Release Candidate of dnst offers a path forward for all DNS operators who currently depend on the ldns example programs. We look forward to your feedback and feature requests.

Please don’t hesitate to open an issue on GitHub, or find us on Mastodon, Bluesky and the DNS-OARC Mattermost chat server.