package dns-certify
Sources
sha256=c8b2a49485c7a1bed06c3be47c80c6e865728e3f6658407e179bc5099c4c80a1
sha512=f9997cf9bbe4705ff9d49b3b69300cf5eec12c79bec68e32e20c0356e10fb9e7a150b08e627e429d2eaaf35befcdbabc738dff8535a763e7c57d825d006e21ea
Description
A function to retrieve a certificate when providing a hostname, TSIG key, server IP, and an optional key seed. Best used with a letsencrypt unikernel.
Published: 30 Mar 2020
README
ocaml-dns - a Domain Name System (DNS) library
(c) 2017-2019 Hannes Mehnert (robur.io, Center for the Cultivation of Technology)
v4.4.1
This library supports most of the domain name system used in the wild. It adheres to strict conventions, failing early and hard. It is mostly implemented in the pure fragment of OCaml (no mutation, isolated IO, no exceptions).
It all started out as an experiment to run a recursive resolver, but after initial prototypes it turned out that every configurable recursive resolver needs a fully-fledged authoritative nameserver as well (for overriding various zones such as .localhost and reverse lookups of RFC 1918 IP ranges).
Legacy resource record types are not dealt with, and there is no plan to support ISDN, MAILA, MAILB, WKS, MB, NULL, HINFO, ... . AXFR, IXFR, and UPDATE are only handled via TCP connections. The only resource class supported is IN (the Internet). In a similar vein, wildcard records are not supported, and it is unlikely they'll ever be in this library. Truncated HMACs in TSIG are not supported (the full length of the hash algorithm is always used).
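The full-length TSIG MAC policy stated above can be checked on the receiving side before any comparison happens. The following is an added example written for this page in Python; it is not ocaml-dns code and does not use its API. It assumes the bytes covered by the signature (request MAC, DNS message without the TSIG RR, and the TSIG variables) have already been serialised into `signed_data`; the function names `tsig_mac` and `verify_tsig_mac` and the sample key and message are constructed for illustration.

```python
import hmac
import hashlib

# TSIG HMAC algorithm names (RFC 2845 / RFC 4635) mapped to their hash functions.
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def tsig_mac(algorithm: str, key: bytes, signed_data: bytes) -> bytes:
    """Full-length HMAC over the bytes a TSIG signer covers.

    `signed_data` is assumed to be the already-serialised input (request MAC,
    DNS message without the TSIG RR, and the TSIG variables); serialising it
    is outside the scope of this example.
    """
    return hmac.new(key, signed_data, TSIG_ALGORITHMS[algorithm]).digest()


def verify_tsig_mac(algorithm: str, key: bytes, signed_data: bytes,
                    received_mac: bytes) -> tuple[bool, str]:
    """Accept only a full-length MAC, as the README says ocaml-dns does.

    Returns (ok, reason). RFC 4635 lets a signer truncate the MAC (to at
    least 80 bits and at least half the digest length); this verifier
    rejects any MAC whose length is not exactly the digest length, before
    comparing anything.
    """
    hash_fn = TSIG_ALGORITHMS.get(algorithm)
    if hash_fn is None:
        return False, "unsupported algorithm"
    if len(received_mac) != hash_fn().digest_size:
        return False, "truncated or malformed MAC"
    expected = tsig_mac(algorithm, key, signed_data)
    # Constant-time comparison so a mismatch leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected, received_mac):
        return False, "MAC mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    key = b"example-tsig-key-material-not-secret"
    data = b"constructed DNS message bytes + TSIG variables"
    full = tsig_mac("hmac-sha256", key, data)
    print(verify_tsig_mac("hmac-sha256", key, data, full))           # (True, 'ok')
    print(verify_tsig_mac("hmac-sha256", key, data, full[:16]))      # rejected: 128-bit truncation
    print(verify_tsig_mac("hmac-sha256", b"other-key", data, full))  # rejected: mismatch
```

The length check comes first so that a peer sending a shortened MAC gets a distinct, explicit rejection rather than a generic mismatch; a 16-byte SHA-256 MAC would be acceptable under RFC 4635 but is refused here, matching the library's stated behaviour.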
Please read the blog article for a more detailed overview.
This library is published under the 2 clause BSD license.
Supported RFCs
RFC 1034 Domain Names - Concepts and Facilities
RFC 1035 Domain Names - Implementation and Specification
RFC 1912 Common DNS Operational and Configuration Errors
RFC 1995 Incremental Zone Transfer in DNS
RFC 1996 A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
RFC 2136 Dynamic Updates in the domain name system (DNS UPDATE)
RFC 2181 Clarifications to the DNS Specification
RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)
RFC 2782 A DNS RR for specifying the location of services (DNS SRV)
RFC 2845 Secret Key Transaction Authentication for DNS (TSIG)
RFC 3596 DNS Extensions to Support IP Version 6
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4255 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC 4343 Domain Name System (DNS) Case Insensitivity Clarification
RFC 4635 HMAC SHA TSIG Algorithm Identifiers
RFC 5001 DNS Name Server Identifier (NSID) Option*
RFC 5358 Preventing Use of Recursive Nameservers in Reflector Attacks
RFC 5452 Measures for Making DNS More Resilient against Forged Answers
RFC 5936 DNS Zone Transfer Protocol (AXFR)
RFC 6594 Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records
RFC 6698 The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
RFC 6761 Special-Use Domain Names
RFC 6762 Multicast DNS*
RFC 6844 DNS Certification Authority Authorization (CAA) Resource Record
RFC 6890 Special-Purpose IP Address Registries
RFC 6891 Extension Mechanisms for DNS (EDNS(0))
RFC 6895 Domain Name System (DNS) IANA Considerations (BCP 42)
RFC 7479 Using Ed25519 in SSHFP Resource Records
RFC 7626 DNS Privacy Considerations
RFC 7766 DNS Transport over TCP - Implementation Requirements
RFC 7816 DNS Query Name Minimisation to Improve Privacy
RFC 7828 The edns-tcp-keepalive EDNS0 Option*
RFC 7830 The EDNS(0) Padding Option*
RFC 7873 Domain Name System (DNS) Cookies*
RFC 8109 Initializing a DNS Resolver with Priming Queries
draft-ietf-dnsop-let-localhost-be-localhost-02 Let 'localhost' be localhost.
*: Please note that the RFCs marked with * are only partially implemented (i.e. only wire format, but no logic handling the feature).
Installation
You first need to install OCaml (at least 4.07.0) and opam, the OCaml package manager (at least 2.0.0) on your machine (you can use opam to install an up-to-date OCaml: opam switch 4.07.1).
You may want to follow the mirage installation instructions to get mirage installed on your computer.
To minimize the amount of run-time dependencies for each individual functionality, the library is split into multiple opam packages (core, server, client, resolver, cli, certify), with multiple ocamlfind libraries for the different backends (no optional dependencies) -- i.e. dns-server.mirage contains the MirageOS-specific DNS server code.
Now the µDNS library is installed, and you can try out the examples. Find some examples at the unikernel repository.
Documentation
API documentation is available online.
Transition from older versions
The pre-4.0.0 versions of ocaml-dns had a significantly different interface, and so applications using them will need to be rewritten to follow the stricter coding style used in the post-4.0.0 branches. The major improvements from 1.x to the 4.x series are:
- data (rrset) is defined in a single GADT in Rr_map
- added support for: notify, dynamic update, zone transfer, tsig (hmac authentication), edns
- no mutable data structures, leading to easier reasoning about library state
- switched to an independent domain_name library which uses a faster and more compact string array instead of string list for storing domain names
- integration with LetsEncrypt for provisioning valid X.509 certificates
- no use of exceptions, instead preferring explicit result values from API functions
Please get in touch on mirageos-devel@lists.xenproject.org or on the Discuss forum at https://discuss.ocaml.org (with the mirageos tag) if you have any questions about migrating (or just general questions).
Development
To work with the opam packages provided when developing modifications to DNS, or when pinning a specific version, you will have to pin the same version for all of them:
# csh syntax
set version=4.99.0
set repo=git+https://github.com/mirage/ocaml-dns.git
# the -y parameter means "force" or
# "do go ahead and register a new package"
# the -n parameter means
# "just register the pin, don't actually install it yet"
foreach pkg ( dns dns-{certify,cli,client,resolver,server,mirage,tsig,stub} )
  opam pin add -y -n $pkg.$version --dev $repo
end

# bash syntax
version=4.99.0
repo=git+https://github.com/mirage/ocaml-dns.git
for pkg in dns dns-{certify,cli,client,resolver,server,mirage,tsig,stub}
do
  opam pin add -y -n $pkg.$version --dev $repo
done
Now you can install the packages you need, for instance:
opam install dns-client
or
opam install dns-resolver
Dependencies (15)
- logs
- mirage-stack >= "2.0.0"
- mirage-clock >= "3.0.0"
- mirage-time >= "2.0.0"
- mirage-random >= "2.0.0" & < "4.0.0"
- tls >= "0.11.0" & < "0.13.0"
- lwt >= "4.2.1"
- x509 >= "0.10.0"
- duration >= "0.1.2"
- randomconv >= "0.1.2" & < "0.2.0"
- dns-mirage = version
- dns-tsig = version
- dns = version
- ocaml >= "4.07.0"
- dune >= "1.2.0"
Dev Dependencies
None
Used by (1)
- dns-cli = "4.4.1"
Conflicts
None