From f2741ec585b0b361a72dd4791ae6cc700de4744d Mon Sep 17 00:00:00 2001
From: Hugo Landau
Date: Sun, 6 Dec 2015 05:28:47 +0000
Subject: [PATCH] Refactoring for travis, make
---
 .travis.yml | 32 +++++---
 .travis/after_success | 32 ++++++++
 .travis/script | 34 +++++++++
 Makefile | 85 +++++++++++++++++++++
 README.md | 149 ++++++++++++++++++++++++++++++++++++
 _doc/ncdns.conf.example | 112 +++++++++++++++++++++++++++
 _tpl/std/layout.tpl | 110 +++++++++++++++++++++++++++
 _tpl/std/lookup.tpl | 50 ++++++++++++
 _tpl/std/main.tpl | 165 ++++++++++++++++++++++++++++++++++++++++
 backend/backend.go | 1 +
 10 files changed, 760 insertions(+), 10 deletions(-)
 create mode 100644 .travis/after_success
 create mode 100644 .travis/script
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 _doc/ncdns.conf.example
 create mode 100644 _tpl/std/layout.tpl
 create mode 100644 _tpl/std/lookup.tpl
 create mode 100644 _tpl/std/main.tpl
diff --git a/.travis.yml b/.travis.yml
index ff978c1..c44d39e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,12 +1,24 @@
 language: go
 go:
- - 1.5
- - tip
-before_install:
- - if [ "$TRAVIS_OS_NAME" == "linux" ]; then travis_retry sudo apt-get update -qq; fi
- - if [ "$TRAVIS_OS_NAME" == "linux" ]; then travis_retry sudo apt-get install -y libcap-dev; fi
-notifications:
- irc:
- channels:
- - "chat.freenode.net##hl-t"
- skip_join: true
+ - 1.5.2
+
+addons:
+ apt:
+ packages:
+ - libcap-dev
+ - gcc-multilib
+ - libc6-dev:i386
+ - libcap-dev:i386
+
+sudo: false
+
+install:
+ - go get -v -t ./...
+script:
+ - source ./.travis/script
+after_success:
+ - source ./.travis/after_success
+
+env:
+ # GITHUB_TOKEN for automatic releases
+ - secure: "at1oJs7ib7glx3W+zk+OkT041LdknVXirIhN403CIihVUrlOhODY7yCTgvF4Rk0jYBJiT35Q2qxpgfWF2qGnsNsQmjG3ydDWQDCepDc/CgXfLyoiSTJK5vTK72dYWTVsBTycXbj1CbSy2X2ah/KWjc4RcgZ67ER7mDpRU5nFeow="
diff --git a/.travis/after_success b/.travis/after_success
new file mode 100644
index 0000000..0d6c8f2
--- /dev/null
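Review bot: The new `install:` step only runs `go get -v -t ./...`, yet `.travis/script` invokes `gox` and `.travis/after_success` invokes `ghr`, and neither tool is fetched anywhere visible in this commit, so the cross-compile and release-upload steps will fail with command-not-found unless the build image already provides them. Add them to the install step, e.g. `- go get -v github.com/mitchellh/gox github.com/tcnksm/ghr`. Because that fetches unpinned HEAD of third-party tools into the job that holds the release token, pinning them to a fixed revision is worth considering for the release path.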
+++ b/.travis/after_success
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Only upload version tags.
+if ! [[ "$TRAVIS_TAG" =~ ^v[0-9] ]]; then
+ echo Skipping release upload because this build is not for a release tag.
+ return 0
+fi
+
+if [ -z "$GITHUB_TOKEN" ]; then
+ echo "Don't appear to have GitHub token, cannot continue."
+ return 0
+fi
+
+# Make archives.
+echo Archiving releases...
+SRC_DIR="$(pwd)"
+cd "$GOPATH/releasing/idist"
+for x in *; do
+ echo "$x"
+ cp "$GOPATH/src/github.com/$TRAVIS_REPO_SLUG/.travis/dist-readme.md" "$x"/README.md || \
+ cp "$GOPATH/src/github.com/$TRAVIS_REPO_SLUG/README.md" "$x/" || true
+ tar -zcf "../dist/$(basename "$x").tar.gz" "$x"
+done
+
+# Must be in the right directory when calling ghr.
+cd "$SRC_DIR"
+
+echo Uploading releases...
+TRAVIS_REPO_OWNER="$(echo "$TRAVIS_REPO_SLUG" | sed 's#/.*$##g')"
+travis_retry ghr -u "$TRAVIS_REPO_OWNER" "$TRAVIS_TAG" "$GOPATH/releasing/dist/"
+
+echo Done
diff --git a/.travis/script b/.travis/script
new file mode 100644
index 0000000..a675728
--- /dev/null
+++ b/.travis/script
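Review bot: `cd "$GOPATH/releasing/idist"` is unchecked; if that directory is missing (for instance when the script step did not produce it), `for x in *` runs in the original working directory and the loop tars and uploads whatever is there as a release asset. Guard it with `cd "$GOPATH/releasing/idist" || return 1`, and likewise `cd "$SRC_DIR" || return 1` before the `ghr` call, since `ghr` is documented here as directory-sensitive. Because the file is sourced rather than executed, a one-line header would explain the `return` statements to the next reader, e.g. `# Sourced by .travis.yml (after_success); use return, not exit.`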
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+go test -v ./...
+RESULT=$?
+
+echo Done tests with exit code $RESULT
+if [ "$RESULT" != "0" ]; then
+ return $RESULT
+fi
+
+# Test cross-compilation. The binaries produced are also used for release
+# upload in after_success if this is a release tag.
+
+echo Cross-compiling releases...
+mkdir -p "$GOPATH/releasing/idist" "$GOPATH/releasing/dist"
+
+# cgo crosscompile
+REPOS="github.com/$TRAVIS_REPO_SLUG"
+gox -cgo -osarch 'linux/386 linux/amd64' -output "$GOPATH/releasing/idist/{{.Dir}}-$TRAVIS_TAG-{{.OS}}_{{.Arch}}/bin/x" $REPOS
+RESULT1=$?
+
+# non-cgo crosscompile
+gox -osarch 'darwin/386 darwin/amd64 linux/arm freebsd/386 freebsd/amd64 freebsd/arm openbsd/386 openbsd/amd64 netbsd/386 netbsd/amd64 netbsd/arm dragonfly/amd64 solaris/amd64' -output "$GOPATH/releasing/idist/{{.Dir}}-$TRAVIS_TAG-{{.OS}}_{{.Arch}}/bin/x" $REPOS
+RESULT2=$?
+
+echo cgo crosscompile exited with code $RESULT1
+echo non-cgo crosscompile exited with code $RESULT2
+
+if [ "$RESULT1" != "0" ]; then
+ return $RESULT1
+fi
+if [ "$RESULT2" != "0" ]; then
+ return $RESULT2
+fi
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..2206dcf
--- /dev/null
+++ b/Makefile
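Review bot: The script relies on `return` to propagate failures, which only works because .travis.yml `source`s it; run directly with bash, each `return` is reported as an error and execution continues, so the cross-compile would proceed after a failed `go test`. Document that at the top, e.g. `# Sourced by .travis.yml; uses return rather than exit so failures propagate to the sourcing shell.` As a point of style, the second `gox` invocation runs even when `RESULT1` is already non-zero and both results are only examined afterwards; checking `RESULT1` immediately after the first `gox` avoids a wasted cross-compile.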
@@ -0,0 +1,85 @@
+PROJNAME=github.com/hlandau/ncdns
+BINARIES=$(PROJNAME) $(PROJNAME)/ncdt $(PROJNAME)/ncdumpzone
+
+###############################################################################
+# v1.8 NNSC:github.com/hlandau/degoutils/_stdenv/Makefile.ref
+# This is a standard Makefile for building Go code designed to be copied into
+# other projects. Code below this line is not intended to be modified.
+
+-include Makefile.extra
+-include Makefile.assets
+
+## Paths
+ifeq ($(GOPATH),)
+# for some reason export is necessary for FreeBSD's gmake
+export GOPATH := $(shell pwd)
+endif
+ifeq ($(GOBIN),)
+export GOBIN := $(GOPATH)/bin
+endif
+ifeq ($(PREFIX),)
+export PREFIX := /usr/local
+endif
+
+DIRS=src bin public
+
+## Quieting
+Q=@
+QI=@echo -e "\t[$(1)]\t $(2)";
+ifeq ($(V),1)
+ Q=
+ QI=
+endif
+
+## Buildinfo
+BUILDNAME?=$(shell date -u "%Y%m%d%H%M%S") on $(shell hostname -f)
+BUILDINFO=$(shell (echo built $(BUILDNAME); go list -f '{{range $$imp := .Deps}}{{printf "%s\n" $$imp}}{{end}}' $(1) | sort -u | xargs go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | awk "{print \"$$GOPATH/src/\" \$$0}" | (while read line; do x="$$line"; while [ ! -e "$$x/.git" -a ! -e "$$x/.hg" ]; do x=$${x%/*}; if [ "$$x" = "" ]; then break; fi; done; echo "$$x"; done) | sort -u | (while read line; do echo git $${line\#$$GOPATH/src/} $$(git -C "$$line" rev-parse HEAD) $$(git -C "$$line" describe --all --dirty=+ --abbrev=99 --always); done)) | base64 -w 0)
+BUILDINFO_FLAG=
+
+ifeq ($(USE_BUILDINFO),1)
+ BUILDINFO_FLAG= -ldflags "-X github.com/hlandau/degoutils/buildinfo.RawBuildInfo=$(call BUILDINFO,$(1))"
+endif
+
+## Standard Rules
+all: prebuild-checks $(DIRS)
+ $(call QI,GO-INSTALL,$(BINARIES))go install $(BUILDFLAGS) $(call BUILDINFO_FLAG,$(BINARIES)) $(BINARIES)
+
+prebuild-checks:
+ $(call QI,RELOCATE)if [ `find . 
-iname '*.go' | grep -v ./src/ | wc -l` != 0 ]; then \
+ if [ -e "$(GOPATH)/src/$(PROJNAME)/" ]; then \
+ echo "$$GOPATH/src/$(PROJNAME)/ already exists, can't auto-relocate. Since you appear to have a GOPATH configured, just use go get -u '$(PROJNAME)/...; go install $(BINARIES)'. Alternatively, move this Makefile to either GOPATH or an empty directory outside GOPATH (preferred) and run it. Or delete '$$GOPATH/src/$(PROJNAME)/'."; \
+ exit 1; \
+ fi; \
+ mkdir -p "$(GOPATH)/src/$(PROJNAME)/"; \
+ for x in ./* ./.*; do \
+ [ "$$x" == "./src" ] && continue; \
+ mv -n "$$x" "$(GOPATH)/src/$(PROJNAME)/"; \
+ done; \
+ ln -s "$(GOPATH)/src/$(PROJNAME)/Makefile"; \
+ [ -e "$(GOPATH)/src/$(PROJNAME)/_doc" ] && ln -s "$(GOPATH)/src/$(PROJNAME)/_doc" doc; \
+ fi; \
+ exit 0
+
+$(DIRS): | .gotten
+ $(call QI,DIRS)mkdir -p $(GOPATH)/src $(GOBIN); \
+ if [ ! -e "src" ]; then \
+ ln -s $(GOPATH)/src src; \
+ fi; \
+ if [ ! -e "bin" ]; then \
+ ln -s $(GOBIN) bin; \
+ fi
+
+.gotten:
+ $(call QI,GO-GET,$(PROJNAME))go get $(PROJNAME)/...
+ $(Q)touch .gotten
+
+.NOTPARALLEL: prebuild-checks $(DIRS)
+.PHONY: all test install prebuild-checks
+
+test:
+ $(call QI,GO-TEST,$(PROJNAME))for x in $(PROJNAME); do go test -cover -v $$x/...; done
+
+install: all
+ $(call QI,INSTALL,$(BINARIES))for x in $(BINARIES); do \
+ install -Dp $(GOBIN)/`basename "$$x"` $(DESTDIR)$(PREFIX)/bin; \
+ done
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d79b4d2
--- /dev/null
+++ b/README.md
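Review bot: `BUILDNAME?=$(shell date -u "%Y%m%d%H%M%S") on $(shell hostname -f)` passes the format string to `date` without the leading `+`, so `date` treats it as a date to set and fails, and the timestamp embedded when `USE_BUILDINFO=1` ends up empty; it should read `BUILDNAME?=$(shell date -u "+%Y%m%d%H%M%S") on $(shell hostname -f)`. Separately, the `prebuild-checks` recipe tests `[ "$$x" == "./src" ]`, a bash extension; under make's default `/bin/sh` on systems whose `sh` is POSIX-only the test errors out, `continue` is not taken, and `./src` is moved into the relocated tree along with everything else. `[ "$$x" = "./src" ]` is portable and behaves the same under bash.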
@@ -0,0 +1,149 @@
+ncdns
+=====
+
+A Go daemon to bridge Namecoin to DNS. The daemon acts as an authoritative
+nameserver and queries a Namecoin daemon over JSON-RPC in order to obtain zone
+data.
+
+The daemon can optionally sign zones with DNSSEC and supports the use of DS
+records in Namecoin. It works best when used by Unbound or another recursive
+resolver, or as an authoritative nameserver for a stub zone.
+
+Using ncdns to provide a suffix
+-------------------------------
+The daemon acts as an authoritative nameserver for any name containing a 'bit'
+label. For example, all of the following queries return the same records:
+
+ - example.bit.
+ - example.bit.example.com.
+
+This enables the easy use of suffixes. (Note that this will cause a different
+hostname to be transmitted for protocols like HTTP, and server configuration
+may need to be modified to enable this. In some cases there may be no simple
+solution to enabling arbitrary suffix use with a given piece of server
+software, in which known suffixes can be configured; patches for such software
+would be desirable.)
+
+Using ncdns with a recursive resolver
+-------------------------------------
+Of course the daemon can also be used simply as an authoritative nameserver for
+bit. directly. One way to do this is to run a recursive resolver (such as
+Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example
+unbound configuration:
+
+ server:
+ do-not-query-localhost: no
+ stub-zone:
+ name: bit.
+ stub-addr: 127.0.0.1@1153
+
+If you don't want to use DNSSEC, also add:
+
+ server:
+ domain-insecure: bit.
+
+If you do want to use DNSSEC, see the instructions below.
+
+Note how you can specify a port other than 53. This allows you to run both
+Unbound and ncdns on the same machine. Alternately, you could add an additional
+loopback IP address (127.0.0.2) and bind ncdns to that. This is useful if your
+recursive resolver doesn't support a port number other than 53.
+
+Using DNSSEC
+------------
+To use DNSSEC, generate keys with `dnssec-keygen` or `ldns-keygen`. You will need
+to generate a key-signing key and a zone-signing key:
+
+ # Generate KSK.
+ $ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit
+
+ # Generate ZSK.
+ $ dnssec-keygen -a RSASHA256 -3 -b 2048 bit
+
+Each of these commands will generate a pair of files, a `.key` file and a
+`.private` file. Make a note of which is the KSK and which is the ZSK. If you
+forget, check the comments inside the .key file. (If there are no comments for
+some reason, a KSK usually contains the string `DNSKEY 256` and a ZSK
+`DNSKEY 257`.)
+
+(You could substitute something else for `bit` as ncdns doesn't care. However
+if you want to use the key as a trust anchor with a recursive resolver such as
+unbound, you should specify `bit`.)
+
+If using Unbound as a recursive resolver, you should add the KSK's public key file
+as a trust anchor to unbound like so:
+
+ server:
+ trust-anchor-file: "/etc/unbound/keys/bit.key"
+
+`bit.key` should be the file containing the KSK DNSKEY (or DS) which ncdns is
+configured to use.
+
+Building
+--------
+
+On non-Windows platforms:
+
+1. Ensure you have the Go tools installed.
+
+2. If using Linux, ensure you have the `libcap` development headers
+ installed. (Most distributions will have a package called `libcap-dev` or
+ similar.)
+
+3. Run `make`. The source repository will be retrieved via `go get`
+ automatically. You must have the Go compiler tools installed.
+
+On Windows platforms:
+
+1. Ensure you have the Go tools installed.
+
+2. Ensure you have the GOPATH environment variable set. (For those not not
+ familar with Go, setting it to the path to an empty directory will suffice.
+ The directory will be filled with build files.)
+
+3. Run `go get github.com/hlandau/ncdns`. The ncdns source code will be
+ retrieved automatically and ncdns will be built. The binary will be at
+ $GOPATH/bin/ncdns.
+
+ncdns can be run as a Windows service; see the output of `ncdns --help`.
+
+Configuration
+-------------
+ncdns uses a configuration file which is looked for at `../etc/ncdns.conf`
+(relative to the executable path) and `/etc/ncdns/ncdns.conf`. You can override
+this and all options on the command line. An annotated example configuration
+file `ncdns.conf.example` is available in doc.
+
+You will need to setup a `namecoind`, `namecoin-qt` or compatible Namecoin node
+and enable the JSON-RPC interface. You will then need to provide `ncdns` with
+the address of this interface and any necessary username and password via the
+configuration file.
+
+If you only want to resolve .bit names yourself, here is a suggested setup on
+Linux:
+
+ - Install `namecoind` (or `namecoin-qt`) and set it to start automatically
+ at boot or login. Set up the JSON-RPC interface and make sure it works
+ by making a test query: `namecoind name_show d/example`.
+
+ - Write a ncdns configuration file and set ncdns up to start at boot.
+ Since Unbound will tie up port 53, set a different port (ideally one >=1024,
+ so it needn't be run as root.) Test that ncdns works by trying to resolve
+ a `.bit` domain. If you want to use DNSSEC, generate keys as shown above
+ and configure ncdns appropriately.
+
+ - Install and setup the Unbound recursive resolver on your system. Set it up
+ to start at boot. See above for configuration suggestions. If you wish to
+ use DNSSEC, add the ncdns DNSKEY to Unbound as a trust anchor as shown
+ above. (Make sure Unbound listens only on localhost.)
+
+ - Edit `/etc/resolv.conf` to point to the Unbound resolver at 127.0.0.1.
+ (If this file is generated automatically via DHCP or similar, you may
+ find these changes keep getting wiped out. Either reconfigure whatever
+ keeps overwriting it to stop doing so, or, as a stopgap measure, make
+ the file immutable using `chattr +i`.)
+
+Licence
+-------
+ Licenced under the GPLv3 or later.
+ © 2014-2015 Hugo Landau
diff --git a/_doc/ncdns.conf.example b/_doc/ncdns.conf.example
new file mode 100644
index 0000000..f1fd830
--- /dev/null
+++ b/_doc/ncdns.conf.example
@@ -0,0 +1,112 @@
+
+### ncdns will look for its configuration file in the following directories.
+### The first configuration file found is used and all others are ignored.
+###
+### /etc/ncdns/ncdns.conf ) Non-Windows only
+### /etc/ncdns.conf )
+### (executable path)/ncdns.conf
+### (executable path)/../etc/ncdns/ncdns.conf
+### (executable path)/../etc/ncdns.conf
+###
+### You may explicitly specify a path to the configuration file on the
+### command line by passing '-conf=PATH'.
+
+[ncdns]
+### This is a TOML configuration file. Values must be in quotes where shown.
+
+
+### Basic Settings (Required)
+### -------------------------
+
+### The interface to bind to. Defaults to ":53", which causes ncdns to attempt to
+### bind to all interfaces on port 53. Unless you are running ncdns as root you
+### will probably find that this fails. On Linux, you can run the following
+### command on the ncdns binary to authorize it to bind to ports under 1024.
+###
+### sudo setcap 'cap_net_bind_service=+ep' ./ncdns
+###
+### On BSD, there are sysctls to disable the low port restrictions.
+###
+### IMPORTANT NOTE: For Go versions 1.5.0 and 1.5.1 (but not 1.4.x or earlier
+### or 1.5.2 when released, or any later version, or HEAD) there is a bug which
+### means ncdns cannot listen on privileged ports on Linux systems. This bug
+### manifests as ncdns hanging once executed without ever beginning to serve
+### requests. This bug will manifest whenever ncdns is executed as root or with
+### a non-empty capability set, so it precludes use of setcap to bind to privileged
+### ports just as it precludes the use of conventional privilege dropping.
+###
+#bind="127.0.0.1:53"
+
+
+### namecoind access (Required)
+### ---------------------------
+### You must configure the RPC address, username and password ## of a trusted
+### (i.e. local) namecoind instance.
+
+### The address, in "hostname:port" format, of the Namecoin JSON-RPC interface.
+#namecoinrpcaddress="127.0.0.1:8336"
+
+### The username with which to connect to the Namecoin JSON-RPC interface.
+#namecoinrpcusername="user"
+
+### The password with which to connect to the Namecoin JSON-RPC interface.
+#namecoinrpcpassword="password"
+
+### ncdns caches values retrieved from Namecoin. This value limits the number of
+### items ncdns may store in its cache. The default value is 100.
+#cachemaxentries=150
+
+
+### Nameserver Identity (Optional)
+### ------------------------------
+
+### ncdns needs to be able to state the hostname and IP address at which the
+### nameserver lies. If you are only using ncdns locally you can avoid configuring
+### these.
+###
+### If SelfName is specified, ncdns lists the name specified as an NS record at
+### the zone apex:
+###
+### bit. IN NS ns1.example.com.
+###
+### This requires that you be able to assign the ncdns instance a hostname.
+###
+### If SelfName is left blank (the default), ncdns will generate an internal
+### psuedo-hostname under the zone, which will resolve to the value of SelfIP.
+###
+### The default value of SelfIP is the bogus IP of "127.127.127.127", which will
+### work acceptably in some cases (e.g. with Unbound).
+#selfname="ns1.example.com."
+#selfip="192.0.2.1"
+
+
+### DNSSEC (Optional)
+### -----------------
+### The following options concern DNSSEC and are optional.
+### Leaving them all blank will disable DNSSEC.
+
+### Path to the file containing the KSK public key.
+#publickey="etc/Kbit.+008+12345.key"
+
+### Path to the file containing the KSK private key.
+#privatekey="etc/Kbit.+008+12345.private"
+
+### Path to the file containing the ZSK public key.
+#zonepublickey="etc/Kbit.+008+12345.key"
+
+### Path to the file containing the ZSK private key.
+#zoneprivatekey="etc/Kbit.+008+12345.private"
+
+
+### HTTP server (Optional)
+### ----------------------
+### Use of the HTTP server is optional.
+
+### Set this to enable the HTTP server. 
If you leave this blank, the HTTP
+### server will not be enabled.
+#httplistenaddr=":8202"
+
+### The template directory is usually detected automatically. If it cannot be found
+### automatically, you must set the full path to it here manually. Paths will be
+### interpreted relative to the configuration file.
+#tplpath="../tpl"
diff --git a/_tpl/std/layout.tpl b/_tpl/std/layout.tpl
new file mode 100644
index 0000000..523a036
--- /dev/null
+++ b/_tpl/std/layout.tpl
@@ -0,0 +1,110 @@
+ + + + + + + + Namecoin DNS + + + + + +
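Review bot: `namecoinrpcpassword` is kept in clear text in this file, but the example says nothing about protecting it, and an operator following it will typically end up with a world-readable `/etc/ncdns/ncdns.conf` next to the `privatekey`/`zoneprivatekey` paths it also names. Add a comment at the top of the `namecoind access` block, e.g. `### This file holds the namecoind RPC password; make it readable only by the user ncdns runs as (e.g. mode 0600).` The same block contains a stray `##` in `username and password ## of a trusted`, which reads as a typo.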
+
+ {{template "Main" .}} +
+
+ Served by {{.SelfName}} at {{.Time}} +
+
+
+
diff --git a/_tpl/std/lookup.tpl b/_tpl/std/lookup.tpl
new file mode 100644
index 0000000..3677a6c
--- /dev/null
+++ b/_tpl/std/lookup.tpl
@@ -0,0 +1,50 @@
+
+{{define "Main"}}
+
+
+ Check a domain name + + +

To specify the JSON to validate rather than looking it up via Namecoin, specify it below. (You must still specify the name for the purposes of relative name lookup.)

+ +
+
+{{if .Query}} +
+{{if .NameParseError}}
+Invalid name: {{.Query}}
+{{else}}
+Namecoin Name:  {{.NamecoinName}}
+Domain Name:    {{.DomainName}}
+Bare Name:      {{.BareName}}
+
+Exists:         {{if .ExistenceError}}{{.ExistenceError}}{{else}}Yes{{end}}
+{{if not .ExistenceError}}Expired:        {{.Expired}}{{end}}
+{{if not .ExistenceError}}
+Valid:          {{.Valid}}
+
+Raw Value:
+{{.Value}}
+{{if .ParseErrors}}
+Parse Errors:{{range .ParseErrors}}
+  {{.}}{{end}}
+{{end}}{{if .ParseWarnings}}
+Parse Warnings:{{range .ParseWarnings}}
+  {{.}}{{end}}
+{{end}}
+{{.NCValue}}
+{{if .Advanced}}
+Parsed Value:   {{.NCValueFmt | printf "%# v"}}
+{{end}}
+RRs:{{range .RRs}}
+  {{.}}{{end}}
+
+{{if .RRError}}
+RR Generation Error: {{.RRError}}
+{{end}}
+
+{{end}}
+{{end}}
+
+{{end}}
+{{end}}
diff --git a/_tpl/std/main.tpl b/_tpl/std/main.tpl
new file mode 100644
index 0000000..5da8113
--- /dev/null
+++ b/_tpl/std/main.tpl
@@ -0,0 +1,165 @@
+
+{{define "Main"}}
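Review bot: `{{.Query}}`, `{{.Value}}` and `{{.NCValue}}` render request-supplied and blockchain-supplied data into the lookup page, and nothing in this commit shows whether the template set is parsed with html/template, which escapes these per context, or text/template, which emits them verbatim; the hunk as captured here has lost its HTML markup, so I cannot confirm it from the template itself. If it is text/template, the lookup form reflects attacker-controlled text into the page and the parse should move to html/template. A one-line comment at the top of the template stating which package parses it, and hence whether fields arrive escaped, would record that assumption for later edits.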

Namecoin DNS Services

+

Access any Namecoin .bit domain by appending "{{.TLD}}". For example, example.bit becomes example.{{.CanonicalSuffix}}. Caveats.

+ + + + +
+
+ Check a domain name + + +

You can use this lookup tool to check the validity of a domain's configuration.

+

Other tools: Validate JSON

+
+
+ +

{{.CanonicalSuffix}} provides public Namecoin authoritative DNS services. The nameservers it provides can be used + to convert domain names into Namecoin suffixes, or directly to query the .bit zone.

+
    +
  1. The {{.CanonicalSuffix}} nameservers are authoritative for the .bit zone. For example:

    +
    $ dig A nf.bit. @{{.SelfName}}
    +94.23.252.190
    +

    You can use the nameservers in this mode by configuring a suitable DNS resolver. + Unbound is recommended due to its support for {{if .HasDNSSEC}} DNSSEC and {{end}} configurable + stub zones. See how to configure Unbound.

    +
  2. + +
  3. The {{.CanonicalSuffix}} nameservers are authoritative for any matching suffix. A suffix matches + if it contains the label "bit". Such suffixes are automatically aliased to the "bit" zone. + For example, "example.{{.CanonicalSuffix}}" is equivalent to "example.bit", but because it uses an ICANN TLD, + it can be accessed without prior configuration.

    + +

    Since the {{.CanonicalSuffix}} nameservers automatically recognise any suffix containing the label "bit", you + can convert any suitable name (of the form bit.tld, or rather more verbosely bit.yourdomain.tld) to a .bit suffix by changing its nameservers to those of {{.CanonicalSuffix}}.

    + +

    There are a number of caveats to this mode of operation; see Caveats.

    +
  4. +
+ +

Both of these modes of operation require you to trust the {{.CanonicalSuffix}} operator (and the operator of {{.TLD}}, and ICANN, etc.); see Caveats.

+ + +

Nameservers

+

The following nameservers are provided for public use in the modes described above:

+
    + {{range .CanonicalNameservers}} +
  1. {{.}}
  2. + {{end}} +
+ + +

Configuring Unbound

+

The following is an example of the directives which should be placed in an Unbound configuration file:

+
server:
+  # (other directives omitted){{if .HasDNSSEC}}
+  trust-anchor-file: "/etc/unbound/keys/{{.CanonicalSuffix}}.key"{{end}}
+  stub-zone:
+    name: bit.
+{{range .CanonicalNameservers}}    stub-host: {{.}}
+{{end}}    stub-prime: yes
+ {{if .HasDNSSEC}}

You will need to place the {{.CanonicalSuffix}} trust anchor (a DS record) in /etc/unbound/keys/{{.CanonicalSuffix}}.key. See DNSSEC.

{{end}} +

See the Unbound documentation for information on setting up Unbound.

+ + +

Caveats

+

Using a suffix has the following caveats:

+ + + +

DNSSEC

+ {{if .HasDNSSEC}} +

The {{.CanonicalSuffix}} nameservers support DNSSEC. For use as a suffix, operation is automatic so long as you use a validating resolver. (Third party suffixes using the {{.CanonicalSuffix}} nameservers should avoid attempting to configure DS records at this time due to the potential need for KSK rollover.)

+ +

If using the {{.CanonicalSuffix}} nameservers to access .bit directly, a DNSSEC trust anchor must be configured. You should use a validating resolver to lookup the DS records for {{.CanonicalSuffix}} and use those as the trust anchor. See Unbound for details on how to configure Unbound.

+ + + {{else}} +

The {{.CanonicalSuffix}} nameservers do not support DNSSEC.

+ {{end}} + + +

Webserver Configuration

+

Apache

+

You can configure a virtual host in Apache which responds to any hostname of the form "example.bit.X." using the following:

+
<VirtualHost ...>
+  ServerName example.bit
+  ServerAlias example.bit.*
+</VirtualHost>
+ +

Nginx

+

You can configure a virtual host in nginx which responds to any hostname of the form "example.bit.X." using the following:

+
server {
+  listen 80;
+  server_name example.bit example.bit.*;
+}
+

nginx also supports regexes for server names; see the nginx documentation.

+ +

Lighttpd

+

Lighttpd can use regexes to match hostnames, so configuring suffix support is easy:

+
$HTTP["host"] =~ "(^|\.)example\.bit(\..*)?$" {
+  ...
+}
+ +

Origin Issues

+ +

Web browsers use a database of public suffixes to determine the maximum domain scope at which a cookie can be set. For example, a site a.b.c.com can set a cookie at a.b.c.com and c.com but not com. Conversely, domains such as this one can have cookies set on them by domains under them. example.{{.CanonicalSuffix}} can set a cookie for {{.CanonicalSuffix}}, thereby creating a “supercookie” which tracks users over all domains under the suffix.

+ + +

The optimal solution to this is to have the domain placed on the public suffix list. However even when this is done it may take some time to be rolled out.

+ +

This page will erase all cookies visible to it whenever you visit it. Thus visiting this page will always erase any suffix-wide supercookies. This is the least (and most) that can be done about the issue without the use of the public suffix list.

+ + + + +

Source Code

+

Each {{.CanonicalSuffix}} nameserver runs a Namecoin full node and ncdns, a daemon for serving DNS records from the Namecoin .bit zone. ncdns relies on the full node.

+

This has the advantage that each nameserver is operationally completely independent of one another (aside from possessing the same zone signing private key, as described above).

+

This software is open source.

+ +

Point of Contact

+

Send enquiries, issues, questions, threats, etc. to {{.Hostmaster}}.
+
+{{end}}
diff --git a/backend/backend.go b/backend/backend.go
index 59df4d7..a86596b 100644
--- a/backend/backend.go
+++ b/backend/backend.go
@@ -348,6 +348,7 @@ func (b *Backend) resolveName(name string) (jsonValue string, err error) {
 result := make(chan struct{}, 1)
 go func() {
 jsonValue, err = b.nc.Query(name)
+ log.Errore(err, "failed to query namecoin")
 result <- struct{}{}
 }()
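Review bot: `log.Errore(err, "failed to query namecoin")` logs every failed `b.nc.Query(name)` at error level from inside the goroutine, so if the client reports unregistered names as an error (the contract of `Query` is not visible here), each DNS query for a non-existent name arriving from the public side produces an error-level log entry and the log becomes a flooding target for an authoritative server. Distinguish a not-found result from a transport or RPC failure before logging, e.g. `if err != nil && !isNotFound(err) { log.Errore(err, "failed to query namecoin") }`, where `isNotFound` stands for whatever check matches the client's actual not-found error. The goroutine assigns the named results `jsonValue, err` that `resolveName` returns and now also reads `err`; if the caller selects on `result` with a timeout and returns first, those accesses happen after the function has returned, which predates this commit but deserves a comment on the `go func()` line. `resolveName`'s body continues outside the hunk.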