[Twisted-Python] State of Names / DNS server
Dear Twisted people,

I've been taking a good look at twisted.names as a server after checking twisted-infra/braid/services/names and how the zones are saved.

Basically, I wonder what the state-of-affairs of running DNS with twisted is.

By checking the code I see a couple things like:

* That zone transfers are enabled by default and open to any host and only subclassing would help override that (it is the case on twistedmatrix.com btw).
* Comments saying how some things are not RFC-compliant, but not how.
* That DNSSEC is not implemented

Besides the 1st point which could be a ticket (should I open it?), the other points appear to be somewhat documented in the open tickets: https://twistedmatrix.com/trac/query?status=assigned&status=new&status=reopened&component=names&group=priority&max=200&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&order=priority

But I wonder if there is something like a roadmap that I haven't seen or a very specific way to start helping on this front. Basically, I'd hate to start working on sth and it overlapping with someone else's work ;).

I checked a couple tickets, and see that there is definitely a need for some cleanup, e.g. this one appears to be ready for closing https://twistedmatrix.com/trac/ticket/5048 as it is marked as duplicate of a closed ticket.

Also, I recall this PR from early summer, which appears to have been OK'd but is blocked by some failure in appveyor + buildbot: https://github.com/twisted/twisted/pull/954

Thank you for any pointers, and thank you for Twisted!

-- Evilham
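
The first bullet above (transfers open to any host) comes down to a missing per-peer check on zone transfer queries. The following is an added example, not part of the thread and not twisted.names code, of that check on a wire-format query using only the standard library. It covers IXFR as well as AXFR, and the function names and the sample allowlist are assumptions.

```python
import ipaddress
import struct

AXFR, IXFR = 252, 251  # QTYPE values: full and incremental zone transfer


def question_type(wire):
    """Return the QTYPE of the first question in a wire-format DNS query."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", wire[4:6])
    if qdcount < 1:
        raise ValueError("query carries no question")
    pos = 12
    while True:  # walk the QNAME labels up to the root label
        if pos >= len(wire):
            raise ValueError("truncated QNAME")
        length = wire[pos]
        if length & 0xC0:  # the first name has nothing earlier to point to
            raise ValueError("unexpected label type")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(wire):
        raise ValueError("truncated question")
    (qtype,) = struct.unpack("!H", wire[pos:pos + 2])
    return qtype


def refuse_transfer(wire, peer, allowed):
    """True when the query is AXFR/IXFR and `peer` is outside every allowed network."""
    if question_type(wire) not in (AXFR, IXFR):
        return False  # ordinary lookups are not subject to this policy
    addr = ipaddress.ip_address(peer)
    return not any(addr in ipaddress.ip_network(net) for net in allowed)


def build_query(name, qtype):
    """Constructed sample input: a minimal one-question query in class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Hypothetical allowlist: the networks of the zone's secondary servers.
SECONDARIES = ["192.0.2.0/24", "2001:db8::/32"]
```

An empty allowlist refuses every transfer request, which is the safe default when a zone has no secondaries.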
The way the zones are saved there is fairly primitive. It would be nice if we had a more robust backend; in particular I'd love it if we had a DNS API so that e.g. https://github.com/glyph/lancer could talk to something on twistedmatrix.com to provision HTTPS certificates via the LE DNS-01 challenge.
> Basically, I wonder what the state-of-affairs of running DNS with twisted is.
We run it on production on twistedmatrix.com and that site sees plenty of DNS traffic :-).
It would certainly be nice if this were controllable via a flag. As you notice, this should be a ticket.
> * Comments saying how some things are not RFC-compliant, but not how.
Some investigation into these comments to make them more specific would be good.
> * That DNSSEC is not implemented
On the one hand, it would be great if someone would take the DNSSEC support already in various branches and get it over the finish line. On the other, DNSSEC is bad (see <https://sockpuppet.org/blog/2015/01/15/against-dnssec/> for example), and is really not necessary to run a real-life DNS server or client, so it's a little difficult for various DNS-interested parties to get excited about it. Nonetheless if people are going to do DNSSEC I'd rather they do it with Twisted than BIND, so if you could help integrate DNSSEC work that is a definite goal for the project! So I hope somebody who disagrees with me about the utility of DNSSEC contributes to it.
> Besides the 1st point which could be a ticket (should I open it?),
Yup :).
Right now the main thing we need is a motivated, interested maintainer to advance these goals. This email sounds suspiciously like volunteering to be that :).
> Basically, I'd hate to start working on sth and it overlapping with someone else's work ;).
There's lots of other work in progress, but as you can see from most of them, most of this work is stalled. I'm 100% sure that if you started working on some of these tickets, the people whose work you might duplicate would be overjoyed that someone had done that, so I don't think you need to worry about stepping on anyone's toes.
Please go ahead and close it if you are reasonably sure of that!
Sadly we don't have a queue of "already approved" tickets (that I know of and check, anyway) so if this is stuck, it would be best to put it back into review so it shows up on https://twisted.reviews/ and gets attention. -glyph
Always a pleasure to read you Glyph,

On 15/10/2018 at 2:00, Glyph wrote:
indeed, this is pretty much one of the main reasons why I am looking into Twisted as my DNS server :-). Twisted DNS + Klein --> (große) Awesomeness (reading Twisted's source code makes you prone to bad jokes, that should be an official warning somewhere)
Done, ticket #9551. (Trac always thinks I am Spam with probability 90%, wonders!) https://twistedmatrix.com/trac/ticket/9551
Also documented in ticket #9552; mostly to use trac as a quick overview. https://twistedmatrix.com/trac/ticket/9552
:-D I am also not fond of DNSSEC being *the* thing; but apparently email servers complain otherwise in certain environments. Twisted supporting DNSSEC would indeed make things easier.
Ouch, I guess I'll have to invent a time-dilution bubble first :-D. I'll see what I can do about this (DNS, not time-dilution bubble).
I was hoping for one of the involved parties remembering and saying "oh yeah, that should be closed" otherwise it requires actual analysis, so I'll leave that for some-time-soon.
Added the review keyword again and removed the owner as per the developer documentation. Thank you for the helpful reply, -- Evilham
Evilham writes:
That one's mine. I've finally figured out the Twisted CI infrastructure well enough to get things marked green (and I have commit access now as well, thanks Glyph!), so that PR is really only waiting for me to read & consider some of the review feedback on public attribute names.

Trac 9373 was my attempt to upstream work I did last year on secure dynamic DNS updates (NSUPDATE + transaction signatures). 9373 has narrowed in scope to just the two RR types in PR 954, since there are older tickets for the other records. I plan to combine my work with some of the existing abandoned PRs for KEY, DNSKEY, and SIG and try to shepherd those through the process but that's on the back burner for now.

Russ Nelson is/was also doing some work with Names and these RR types. I think he's interested in the server side of secure dyn-dns, but I'm not sure. (I was only working on a client implementation.) Both he and I have GitHub forks with some of our work in branches, if you'd like to see the direction we've been going.

As for DNSSEC, I've seen those arguments against it and I find them pretty unconvincing, but I suppose that's a topic for a different thread.
Thanks very much for sending out this summary; sounds like we may have an actual twisted.names team soon!
> As for DNSSEC, I've seen those arguments against it and I find them pretty unconvincing, but I suppose that's a topic for a different thread.
You don't need to convince me! Someone should work on DNSSEC for twisted.names, and that person should probably think DNSSEC is a good idea, so I don't want to convince you :-). -g
participants (3): Evilham, Glyph, Wim Lewis