Review of 2019

2020-01-29 - Progress - Tony Finch

Some notes looking back on what happened last year...

Stats

1028 commits to IP Register

121 commits to Superglue

48 commits to git.uis.cam.ac.uk

26 commits to BIND

4287 IP Register / MZS support messages (about 6% more than last year)

2786 cronspam messages (less than half of last year, mainly due to changes in the MWS)

Projects

  • Server reshuffle (Jan, Nov, Dec)

    January was continuing upgrades/renames from the end of 2018.

    November was initial work on splitting authoritative servers from zone transfer servers. (This is still work in progress.)

    December was abolishing the old authdns.csx names. (nearly done!)

  • Wholesale delegation cleanup (Jan, Sep, Oct, Nov, Dec)

    This was in support of:

    • the authdns.csx -> auth.dns server renaming

    • the withdrawal of sns-pb.isc.org and moving our off-site secondary service to Mythic Beasts

    • upgrading DNSSEC from RSASHA1 to ECDSA256

    • ensuring all our domains have consistent ownership and contact information - there was an error rate of more than 10% due to mistakes and omissions in manual maintenance

    The development work involved:

    • porting the web site automation code from CasperJS to WebDriver

    • new integration code for Mythic Beasts

    • extending the scope to cover domain ownership and contact information as well as DNS delegations

    • improvements to the way we manage encrypted secrets

    • Zonemaster DNS rule checking for all zones

    Overall this took a lot longer than I would have liked. This automation code has been a barely-working mess since 2015, but at last now it is close to the point of being releasable production code.

    We now have fast, automated consistency checking and enforcement across our domains. The anomaly rate has been pushed down from somewhere over 10% to near zero.

Future of IP Register

  • Porting web front end from Jackdaw to www.dns.cam.ac.uk (Apr, May, Jun, Jul, Aug)

    Building on 2018's work on the web site infrastructure.

    Ported Jackdaw's Oracle + mod_perl platform and web application framework, simplifying it and moving it to the DNS web server.

    Reskinned the IP Register web forms to Project Light.

    This project is more than half done, but it had to go on the back burner after more urgent work turned up, which is somewhat irritating.

git.uis -> GitLab

  • February: added a light-weight self-service migration tool, with documentation.

  • September: determined timetable for migration and shut-down.

IETF

  • Less busy this year.

  • ANAME draft dropped due to technical difficulties; the consensus was to pursue different solutions to the general problem.

  • Received thanks in RFC 8482 (minimal ANY responses), RFC 8499 (DNS Terminology), RFC 8689 (SMTP Require TLS).

Open Source

  • Superglue scripts for managing domain registrations and delegations

    This is the code supporting the delegation cleanup project.

    It is not quite up to a releasable standard - there are missing safety checks, missing documentation, missing build/install scripts.

  • regpg

    Support for YAML metadata alongside encrypted secrets. This was for Superglue's login credentials, but it also led to improvements in IP Register's secret handling in several places.

  • nsdiff

    Improved handling of CDS and CDNSKEY records.

  • Twenty-six patches committed to BIND9.

    Several improvements to rndc

    Cryptography improvements: deprecated SHA-1, upgraded default RSA key size.

    Better support for CDS and CDNSKEY records.

    Numerous others.

What's next?

Short term:

  • Split authoritative servers from zone transfer servers

  • Sort out RPZ + RBL subscriptions

  • Deploy replacement hardware for recursive DNS servers

  • Finish Superglue; publish ReGPG and Superglue on CPAN; proper Debian package builds

Longer term:

  • Operating system refresh

  • Finish new IP Register web front end

  • Start porting IP Register database from Oracle to PostgreSQL