This repository contains a authoritative name server and a validating resolver and can be used to study resolver behavior for names under bench.pqdnssec.dedyn.io. The resolver and autorithative name server are based on a PowerDNS fork using an OpenSSL fork to support PQ-Algorithms. Both rely on two pre-built images from DockerHub, which can be found under the following link: https://hub.docker.com/repository/docker/gothremote/pdns-auth and https://hub.docker.com/repository/docker/gothremote/pdns-recursor.

Install docker and docker-compose. Then run

docker-compose build
docker-compose up -d

Check the status of the containers with

docker-compose ps

Allow a couple of seconds for MariaDB to spin up.

After the system is started and ready to use, use the included script to initialize the server with DNS information:

docker-compose exec auth bash init-zones

The authoritative name server is equipped with a zone under the name of bench.pqdnssec.dedyn.io. As the DS record for this zone is hosted upstream by desec.io, the private key is part of this repository. There are three additional zones which are delegated appropriately: oldfashion.bench.pqdnssec.dedyn.io, baseline.bench.pqdnssec.dedyn.io and falcon.bench.pqdnssec.dedyn.io. The latter is using the Falcon512 signature scheme. In order for the changes to take effect restart the containers using:

docker-compose restart

Data served by the authoritative name server is kept across restarts, unless the database volume is deleted.

TODO: Add info on how to add broken DNSSEC, add info on how to use different algorithm.

The usual pdns CLI can be used, e.g., to set an additional A record at the zone $Z, use

docker-compose exec auth pdnsutil add-record $Z @ A 9.9.9.9

To query the authoritative name server directly, use port 5300 like so:

dig @localhost -p 5300 +dnssec baseline.bench.pqdnssec.dedyn.io.

To query the resolver and get a validated answer, use port 5301 like so:

dig @localhost -p 5301 +dnssec baseline.bench.pqdnssec.dedyn.io.

To query the resolver without validation, use the +cd flag:

dig @localhost -p 5301 +dnssec TXT baseline.bench.pqdnssec.dedyn.io. +cd

The zone pqdnssec.dedyn.io contains NS records pointing to the private IP address 172.20.0.3 for queries under bench.pqdnssec.dedyn.io. This directs the recursor to contact the authoritative name server for queries under that name.