I realised recently that an interesting milestone has been reached, one that will thrill the people who have slaved over DNSSEC for more than a decade: DNSSEC is running end to end, right into the house, the way “it should really work”, without requiring any configuration or intervention. After all the SOPA/PIPA anguish, seeing DNSSEC come to life is really, really nice. This post may also interest router hackers who would like a real home router they can afford, particularly one that will do mesh routing.
Over the last five years, as part of my bufferbloat wanderings (and due to lightning), I have taste tested more home routers than I care to think about. In general, they have tasted rotten to the core. No amount of spice has been able to cover the off flavour of even the best on the market (note that I have tried all the major home router vendors except Apple in this wandering).
A couple of weeks ago I upgraded my home network to Dave Taht’s latest CeroWrt build, which runs Linux 3.3-rc6; CeroWrt is a bleeding-edge OpenWrt build that runs on a small set of hardware on which we do our bufferbloat work. I now have two home routers meshed; all networks are routed, not bridged. At 6 networks per router, that makes 12 networks in my house. CeroWrt is a real home router, and it is beginning to taste very nice indeed. CeroWrt does lots of other neat stuff a router should do.
CeroWrt runs BIND 9.9 with DNSSEC validation enabled, with both internal and external views, and caches answers locally for my pleasure.
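For readers who want to see what that arrangement looks like in BIND terms, here is a minimal named.conf of the same shape. It is an added illustration, not CeroWrt’s own configuration: the home address range (172.30.0.0/16), the zone name home.lan and its zone file name are assumptions. Two points matter for security: `dnssec-validation auto` turns on validation using BIND’s built-in root trust anchor, kept current with RFC 5011 managed keys, and the views are matched in order, so the internal (recursive) view must come first and the external view must never offer recursion, otherwise the router becomes an open resolver on the WAN side.

```conf
options {
    directory "/etc/bind";
    dnssec-enable yes;
    dnssec-validation auto;   // validate using the built-in root trust anchor (RFC 5011 rollover)
    managed-keys-directory "/etc/bind/managed-keys";
};

// Assumed local address range; CeroWrt hands out 172.30.x.x addresses.
acl "home" { 172.30.0.0/16; 127.0.0.0/8; };

// Evaluated first: LAN clients get a caching, validating recursive resolver.
view "internal" {
    match-clients { "home"; };
    recursion yes;
    allow-query-cache { "home"; };
    zone "home.lan" { type master; file "home.lan.zone"; };   // assumed zone file
};

// Everyone else (the WAN side): no recursion, no cache access, nothing to serve.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
};
```

A quick check after starting named is `dig +dnssec example.com @127.0.0.1` from the LAN: a validated answer carries the AD flag, and a deliberately broken domain should return SERVFAIL rather than an answer.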
Here are recent DNSSEC milestones that made this all work:
- First half of 2010: the root name servers start serving a signed root (the fully signed root went live in July 2010).
- January 2012: Comcast completes its DNSSEC deployment.
- Sometime before Comcast’s completion, as CeroWrt has had DNSSEC running for quite a while, the existence proof of running DNSSEC completely into the house occurred; precisely when, I don’t know. Previously, I was using Comcast’s test DNS servers, manually configured, rather than the “regular” DNS server address handed out by Comcast via DHCP.
- When I installed CeroWrt again recently, everything “just worked” for DNSSEC once we managed to work around the one remaining CeroWrt/BIND bug. Since Comcast had finished its deployment, using their DNSSEC test servers was no longer needed. DNSSEC is now working end to end, with local caching and validation, which is better than having to trust an ISP’s name servers to validate for you (in this case I am actually two hops away from my ISP). I gather dnsmasq is also working on a DNSSEC proxy implementation.
The /etc/resolv.conf on my laptop, as generated by NetworkManager, now reads:

    # Generated by NetworkManager
    domain home.lan
    search home.lan
    nameserver 172.30.48.65

The name server address is the CeroWrt router. This particular router forwards to my other, primary router (remember, I’m running a two-router mesh here), so in fact it asks 192.168.1.1; the primary router in turn shows that it is using Comcast’s regular resolver addresses, the ones handed out by DHCP. I’ll spare you the two screenshots of that information.
While tons more work needs to be done by everyone to finish the DNSSEC job, all of those people who have slaved away to make DNSSEC real, so that it “just works”, should pat yourselves on the back, and we can all make a toast together. There are certainly still bugs and further excitement (including one in CeroWrt), but DNSSEC has come a long, long way.
For the DNS people out there: the problem we’re having in CeroWrt is that DNSSEC validation needs the router’s clock to be roughly correct (within about 60 minutes) because every RRSIG signature carries an inception and an expiration time, and a validator whose clock falls outside that window must treat the signature as bogus. But home routers have no battery-backed real-time (TOY) clock, so they boot with a bogus time, and you need a DNS lookup to find the time server that would tell you what time it is. As you can see, this is a circular problem that needs fixing before BIND is willing to validate anything.
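To make the circularity concrete, here is the time-window check a validator applies to an RRSIG, with the RFC 1982 serial arithmetic that RFC 4034 section 3.1.5 requires, plus a small classifier for the states a freshly booted router can be in. It is an added example for this post, not CeroWrt or BIND code; the RRSIG record is constructed (the signature bytes are not real) and the firmware build time is an assumed value, both present only so the logic runs offline.

```python
"""RRSIG validity-window check (RFC 4034 s3.1.5, RFC 1982) and the no-RTC
boot problem.  Added example, not CeroWrt or BIND code."""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32          # RRSIG times are 32-bit unsigned seconds
SERIAL_HALF = 1 << 31


def rrsig_time_to_epoch(text):
    """YYYYMMDDHHmmSS (presentation format) -> seconds since epoch mod 2^32."""
    stamp = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(stamp.timestamp()) % SERIAL_MOD


def serial_lt(a, b):
    """RFC 1982 'less than' on 32-bit serials; validators compare the clock
    with inception/expiration this way so the 2106 wrap does not break them."""
    if a == b:
        return False
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def parse_rrsig(presentation):
    """Parse one RRSIG RR as printed by 'dig +dnssec'.  Field order (RFC 4034):
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer's name, signature."""
    f = presentation.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % presentation)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": rrsig_time_to_epoch(f[8]),
        "inception": rrsig_time_to_epoch(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature_b64": "".join(f[12:]),
    }


def rrsig_window_ok(rrsig, now):
    """True iff inception <= now <= expiration in serial arithmetic.  This is
    the check that fails when a router boots with a bogus clock."""
    return (not serial_lt(now, rrsig["inception"])
            and not serial_lt(rrsig["expiration"], now))


def boot_clock_state(now, rrsig, firmware_build_time):
    """Classify a just-booted router's clock against a signature window.

    A router with no battery-backed clock usually wakes up at the Unix epoch
    or at its firmware build time; neither lies inside any current RRSIG
    window, so the validator would SERVFAIL the very lookup (the NTP server's
    name) that could fix the clock.  The usual escape is to resolve the time
    source once with DNSSEC checking disabled (a CD=1 query or a
    non-validating path), set the clock, and only then validate normally.
    """
    if now < firmware_build_time:
        return "clock-before-build"       # impossible time: the clock was never set
    if rrsig_window_ok(rrsig, now):
        return "validate"                 # inside the window: business as usual
    return "bootstrap-time-first"         # plausible clock, but the window is missed


# Constructed RRSIG over the root SOA; the signature is not a real one.
SAMPLE_RRSIG = (". 86400 IN RRSIG SOA 8 0 86400 20120320000000 20120306000000 "
                "12345 . bm90LWEtcmVhbC1zaWduYXR1cmU=")
# Assumed firmware build time: 2012-03-01 00:00:00 UTC.
BUILD_TIME = 1330560000

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    for label, clock in (("epoch (no RTC)", 0),
                         ("build time", BUILD_TIME),
                         ("2012-03-12", 1331510400)):
        print("%-16s -> %s" % (label, boot_clock_state(clock, sig, BUILD_TIME)))
```

The inception check is as important as the expiration check: a router whose clock reads 1970 is rejected for being before inception, so simply extending signature lifetimes on the server side does not help.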
And, for the first time, I’m running a Linux version on my home router that is close to the same as on my laptop, and is based on the same code as the latest from kernel.org: Linux 3.3-rc6, which has BQL in it, even before Linus has been able to release rc7! My hat is off to Dave, and to all the OpenWrt folks who have worked hard to make that happen, including juhos, otto, felix and many others. From my iPAQ work a decade or so ago, and much more recently at OLPC, I know just how hard it is to keep up with mainline Linux development.
And, of course, I must thank all the OpenWrt contributors and Dave Taht, who leads the CeroWrt project!