Hannes Mehnert fc26568b97 encoding and decoding of users (using json) 2 months ago

README.md

DNS-web

An authoritative DNS server with a web interface, implemented as a MirageOS unikernel. Data is stored in a remote git repository.

Features:

  • Secure, reliable, fast (MirageOS unikernels)
  • Import and export of zone files (no vendor lock)
  • Let's Encrypt integration
  • Dynamic updates (via nsupdate, HTTP API, web interface)
  • Two factor authentication with webauthn
  • Checks modifications of a zone and does not accept changes leading to invalid data
  • Donation based

Future features

  • Dynamic update via ssh
  • IPv6 support (authoritative nameservers)
  • DNSSEC support (NSEC and NSEC3)
  • Audit logs for each zone and user account (provided by using git storage)
  • Metrics
  • Notification system (for cyber threats / anomalies)
  • Git interface for zone editing (needs a git server)
  • Social login
  • Email verification

Design

A unikernel using Dream and webauthn. It relies on a git remote repository for persisting data.

The available services are HTTP/HTTPS.

Apart from the zone files, the data consists of user accounts and shared secrets for dynamic updates. This data is kept in text files. Each user has a name, email address, authentication data, and a set of domains. The authentication data should be a list of webauthn tokens and optionally a passphrase.

If privileged access is necessary, we can manually shut down the service and push to the git repository directly.

Workflows

Enroll a new account

Basically the code from the webauthn demo. The email address must be unique across users.

Register a second authentication mechanism

Requires a logged-in user. The user may also remove a webauthn token or the passphrase. At least one authentication mechanism must be present at any time, and there should be no more than 5.

Pass privileges to another user for that domain

Requires a logged-in user with access to that domain. The user specifies the email address of another registered user to grant them access to the domain.

Delete an account

Should be possible only if the deletion leaves no domain without a maintainer.

Add a domain

Requires a logged-in user and that the domain is not yet on the system.

Import a zonefile for a domain

Requires a logged-in user and that the domain either does not exist yet or is owned by the user (bulk change).

Manage a domain: add/edit/remove DNS records

Requires a logged-in user with access to that domain. The domain check should succeed before the change is written.

Export domain as zone file

Requires a logged-in user with access to that domain.
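The invariants stated in the workflows above (unique email address, at least one authentication mechanism at all times, a domain may only be added if it is not yet on the system, privileges can be passed to another registered user, and an account may only be deleted if no domain is left unmaintained), as an added Python example that is not the project's OCaml code. The in-memory UserStore, its field names and keying users by lower-cased email are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    # Mirrors the README's user record: name, email, authentication data, domains.
    name: str
    email: str
    webauthn: list                 # credential ids of registered webauthn tokens
    passphrase: str = ""           # passphrase hash, empty when not set
    domains: set = field(default_factory=set)

    def mechanisms(self) -> int:
        # Every webauthn token and the optional passphrase each count as one.
        return len(self.webauthn) + (1 if self.passphrase else 0)

class UserStore:
    # In-memory stand-in for the text files the unikernel keeps in git (assumption).
    def __init__(self):
        self.users: dict[str, User] = {}   # keyed by lower-cased email

    def enroll(self, name, email, credential_id):
        key = email.lower()
        if key in self.users:              # email must be unique across users
            raise ValueError("email already registered")
        self.users[key] = User(name, key, [credential_id])

    def remove_webauthn(self, email, credential_id):
        u = self.users[email]
        if u.mechanisms() <= 1:            # never leave an account without a login
            raise ValueError("at least one authentication mechanism must remain")
        u.webauthn.remove(credential_id)

    def holders(self, domain):
        # All users who currently have access to the domain.
        return {k for k, u in self.users.items() if domain in u.domains}

    def add_domain(self, email, domain):
        d = domain.lower().rstrip(".")
        if self.holders(d):                # domain must not be on the system yet
            raise ValueError("domain already on the system")
        self.users[email].domains.add(d)

    def share_domain(self, email, domain, other_email):
        if domain not in self.users[email].domains:   # caller must hold the domain
            raise PermissionError("no access to that domain")
        self.users[other_email].domains.add(domain)  # KeyError if not registered

    def delete_account(self, email):
        orphaned = {d for d in self.users[email].domains if self.holders(d) == {email}}
        if orphaned:                       # no domain may be left unmaintained
            raise ValueError(f"unmaintained domains: {sorted(orphaned)}")
        del self.users[email]
```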

Register a token for a dynamic update (HTTP/nsupdate)

Either generate or upload a shared secret. It is usable via HTTP or nsupdate (as a SHA256 hash). The output is a downloadable key file usable with nsupdate (from bind-tools).

Future workflows

Add a domain and prove ownership (future)

Similar to Let's Encrypt: the user requests a domain, and the system asks the user to add a TXT record containing a token, which is then verified.

Register ssh public key for dynamically updating an address record

An ssh login with any user from a remote machine should trigger an update.