OpenBSD Journal

k2k20 hackathon report: Florian Obser on DNS

Contributed by Paul 'WEiRD' de Weerd on from the unwinding with ze germans dept.

The fourth report from k2k20 comes from Florian Obser (florian@), who worked mostly on DNS related things:

I spent the week before the hackathon with monitoring the current pandemic situation. Will ze germans let me in? Will I put people at risk? In the end it all looked OK-ish and I booked my train ticket a day before leaving. Time to pack!

My current bag of holding is an Osprey Talon 22 and it fits an X1, roost laptop stand, Microsoft sculpt keyboard, assorted cables, toiletry bag and clothing for 6 days. Yes, this includes fresh underwear and T-Shirts for every day.

An uneventful train ride later I arrived in Pforzheim for the last switch and boarded a cute little red train which drove through a beautiful valley and dropped me of at Bad Liebenzell. A quick walk up the hill over a foot path and I was at the reception of Burg Liebenzell.

Them: Oh, did you just drive up here by car?
Me: What's a car?

Having arrived at the hackroom I started to work on RFC 8806 "Running a Root Server Local to a Resolver" for unwind(8). Some time ago I asked people to report their unwind(8) usage and it seems to be a fair trade off. Most people do 50 or more queries to the root zone which adds quite a bit of delay for unwind(8)'s typical use case. Downloading the whole zone once (sometimes twice) a day and then always answering from cache is worthwhile.

Unbound(8) has built-in support for this using the "auth-zone" feature and RFC 8806 explains how to use it in Appendix B.2. The feature is implemented in libunbound which we use in unwind(8) for all the DNS heavy lifting but it's not exposed in the API.

Adding the feature to the API was relatively easy but it's not actually doing anything?! Oh right, we need to start up the scheduler. It's still not doing anything, oh, we need to set the current time. Progress! Now it segfaults ho-hum. Long story short, internally libunbound uses a "worker" struct for all its resolving and network needs. It's hanging off a ub_ctx struct and gets lazily initialized on the first call to ub_resolve_event(). The "auth-zone" feature on the other hand expects all of this to be initialized. I have a diff that arranges all this, but I'm not sure it's correct. It might introduce a double free and I was unable to test it at Burg Liebenzell, I would need my captive portal test setup for that so I shelved it for the time being.

It got a bit tired on the first evening while still working on unwind(8) and decided to work on something more… mundane for lack of a better word. dig(1), the gift that keeps on giving. There is always something else to delete.

Every time I got bored or stuck I turned back to it with the goal of removing more of a libc implementation hiding in lib/isc/. In the end I managed to delete about 1000 lines of code and delete these files: boolean.h, byaddr.c, byaddr.h, net.c, net.h, netaddr.c, netaddr.h, parseint.c, parseint.h, time.c, and time.h. Most of the horror was OK'ed by beck@ and he seldomly screamed like a little girl. I think he looked at dig(1) diffs to get away from SSL diffs.

The real connoisseurs should have a look at plus_option() in usr.bin/dig/dig.c. Luckily beck@ pulled me out of that one.

I also committed a finished diff I had brought with me to enable rdomain support in slaacd(8). It now handles all rdomains on a system transparently without the need to start a daemon per rdomain.

Last but not least, I worked a bit on acme-client(1). I cleaned up some more error reporting, and integrated a diff from Bartosz Kuzma from the beginning of the year that lets us set contact details on account keys, and with that we are able to request certificates from, an alternative to

Thanks to jan@, the welcoming staff at Burg Liebenzell, genua GmbH, and everyone else working hard to make this hackathon happen.

Thanks Florian for the report and for all the hard work!

(Comments are closed)

  1. By Peter J. Philipp (pjp) on

    Hi Florian,

    I was wondering whether too much was stripped from dig in OpenBSD. In RFC 8906 section, there is use of the +zflag option which OpenBSD
    dig doesn't seem to have (at least on 6.7).

    beta$ dig +noedns +noad +norec +zflag
    Invalid option: +zflag

    I had to use the dig from the isc-bind package for that one in my tests, I hope that's the best current practice in such scenario.

    Best Regards,


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]