CHANGEScommits | blame
Makefile.freebsdcommits | blame
Makefile.linuxcommits | blame
Makefile.netbsdcommits | blame
Makefile.openbsdcommits | blame
Makefile.openwrtcommits | blame
READMEcommits | blame
TODOcommits | blame
additional.ccommits | blame
axfr.ccommits | blame
base64.ccommits | blame
cache.ccommits | blame
configure*commits | blame
crypto.ccommits | blame
db.ccommits | blame
ddd-crypto.hcommits | blame
ddd-db.hcommits | blame
ddd-dns.hcommits | blame
ddd-rr.hcommits | blame
dddctl.8commits | blame
dddctl.ccommits | blame
delphinusdns.confcommits | blame
delphinusdns.conf.5commits | blame | blame
delphinusdnsd.8commits | blame
delphinusdnsd.ccommits | blame
dnssec.ccommits | blame
do53.ccommits | blame
do53t.ccommits | blame
dot.ccommits | blame
endian.hcommits | blame
ent.ccommits | blame
filter.ccommits | blame
forward.ccommits | blame
log.ccommits | blame
parse.ycommits | blame
passlist.ccommits | blame
passname.ccommits | blame
query.ccommits | blame
ratelimit.ccommits | blame
raxfr.ccommits | blame
region.ccommits | blame
reply.ccommits | blame
sign.ccommits | blame
siphash.ccommits | blame
siphash.hcommits | blame
tsig.ccommits | blame
util.ccommits | blame
zone.ccommits | blame


 1.1 AUTHOR(S)
 3.1 FreeBSD
 3.2 Linux
 3.3 OpenBSD
 6.1 Signing your zone with dddctl sign
 6.2 re-signing with existing keys
 6.3 What to do with the .signed file
 6.4 How can I sub-delegate a zone with DNSSEC
 6.5 What algorithms are supported with dddctl sign
 7.1 DNSSEC algorithm rollover  
 7.2 RR support missing


Delphinusdns is a small authoritative nameserver.  It does not recurse nor 
search.  Since version 1.5.0 it does forwarding (with TSIG security even). 
This program is written to a BSD Style License.  BSD's tree(3) Red Black 
btree macros are used for the main in-memory database.  

You can download delphinusdnsd from for a limited time.


Peter J. Philipp <> who wrote delphinusdnsd while 
residing in Schweinfurt, Germany.

Some contribution came from other people (worldwide) with minor patches.

A website exists, with blog concerning delphinusdnsd.  Please see


DNS is simple.  Yet, implementation of DNS servers is not so simple.
DelphinusDNS is written for research into the DNS system so that perhaps one
day the author has a better understanding of it.  Delphinusdnsd is developed
on OpenBSD, due to pledge(2) and other security mitigations, it is recommended
that serious delphinusdnsd users also use OpenBSD.  Ports to other OS's exist
for those that cannot do without those platforms, but at the risk of more
attack surface*.  Delphinusdnsd chroots and privseps on all platforms, meaning 
that a direct root exploit is not possible.

Usually the primary branch is for OpenBSD and the other ports are not 
guaranteed to compile until shortly before release time, when testing occurs 
for these platforms.

Use the tool "dig" that comes with bind9 to debug Delphinusdns.  If you like to 
program, then you can fork DelphinusDNS and make your own creation, or you
can send patches to the author who may implement them into the code.  The
current contact mail address is


To install, type ./configure on your platform.  This will copy the proper 
Makefile to ./Makefile and dddctl and delphinusdnsd.  Then you would type 
make, followed by su'ing and make install.  Delphinusdnsd installs to 

By default installation the configuration file is not installed you need to
do this manually.  Also by default the config file is specified as 
/etc/delphinusdns/delphinusdns.conf this can be changed by adding the -f 
option to delphinusdnsd.

A sample config file exists with the sources.  example7.conf was a real life
config once. 

3.1 FreeBSD

# get the libressl package
$ pkg install libressl
## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ vipw
## or
$ pw user add _ddd -m
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd

3.2 Linux

In Linux MINT you need to apt-get install build-essential.

## configure the platform
$ ./configure
## this will install the development programs you'll need (as root)
$ apt-get install make bison cvs gcc libssl-dev libbsd-dev
## add a privsep user with a chroot directory (option -m) (as root)
$ useradd -m _ddd
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd

3.3 OpenBSD

## configure the platform
$ ./configure
## add a privsep user (_ddd) with a chroot directory (as root)
$ useradd -m -s /sbin/nologin _ddd
## or
$ adduser
## make the program
$ make
## install the binary (as root)
$ make install
## done, create a config file and start delphinusdnsd


Operating System  | makes and compiles | responds to queries |
FreeBSD 14.0      |        yes	       |       yes           |
Linux  (devuan)	  |        yes         |       yes           |
OpenBSD 7.4       |        yes         |       yes           |


in the directory "examples" are a few examples from working configs.  The
author uses example8.conf often to test functionality and compatibility
on any platform.


DNSSEC is added hostcontact responsible person commitment.  You will have to 
re-sign your zone at periodic intervals.  This can be automated though.

6.1 Signing your zone with dddctl sign

The very first time you'll want to create ZSK and KSK keys.  They are the
zone signing and key signing keys respectively.  Every DNSSEC zone has at
least one of these.  To create these with dddctl sign I use -Z and -K
options.  Here is an example:

	dddctl sign -Z -K -i -n -o

What this does is it creates the keys and signs the zone '' with
the zonename  No trailing dots are needed.  The output will be
called and the keys will be created and look like this:

alpha$ ls K*   

This is a compatible output format of dnssec-keygen utility from BIND and 
format is simple:

K for key, for the zone name, +008 for the algorithm used in
this case it's rsasha256 and lastly a unique identifier for the key.  

Keep these keys in a private place and only pull them out when you are going
to re-sign the zone, as shown in #6.2.  The K* files should say inside which
is the ZSK and which is the KSK.

6.2 re-signing with existing keys

In order to do the monthly re-signing you must know which key is the ZSK and
which is the KSK.  The K*.key files will tell you which is the ZSK and which
is the KSK.

	dddctl sign -z -k \
		-i -n -o

Note, this will overwrite any file.

6.3 What to do with the .signed file

Install the .signed file as your zone.  I personally use include's in my 
configfile so that this is managed easy.  Then restart delphinusdnsd after
setting the 'dnssec' option.  Your zone should talk DNSSEC, after you upload
the KSK to your registrar.  They'll likely want the DNSKEY and in some cases
grab it themselves over the insecure channel.  My registrar did 
this.  Other than that dddctl sign creates a file which 
has the uploadable DS keys in it.

It's up to you to upload DS or DNSKEY (which can derive DS keys) to your 
registrar and from there to your parent zone.

6.4 How can I sub-delegate a zone with DNSSEC

This was recently fixed.  When delegating to a signed zone be sure to copy
back the DS file (dsset-zone. file), it is in RFC1034/BIND format so you'll
have to convert it to delphinusdnsd format most likely.  You then sign over
this and publish the delegation (restart delphinusdnsd).  That should be all.
Here is an example zone entry for,ds,86400,35905,13,2,"CB0EC7995E5223BC823A0AF96180613C7B24295F47E066E690EE448626995044"

6.5 What algorithms are supported with dddctl sign

The following algorithms are supported since version 1.8:

RSASHA256 (alg 8), RSASHA512 (alg 10), ECDSAP256SHA256 (alg 13),
and ECDSAP384SHA384 (alg 14), lastly ED25519 (alg 15) is supported.

The default algorithm is alg 13 the others have to be specified by number (int).


7.1  DNSSEC algorithm rollover  

This is undefined.  I don't know how well we could do this.  Do all recursors 
support the methods described per RFC?

7.2  RR support missing

In terms of RR support there is only a few missing by now from the generally
acceptable list of RR's

a) AFSDB(18) - andrew file system db record
b) APL(42) - Address prefix list record
d) CSYNC(62) - child to parent synchronization
e) DHCID(49) - DHCP identifier
f) DLV(32769) - DNSSEC Lookaside Validation record
g) DNAME(39) - Delegation name record
h) HIP(55) - Host Identity Protocol 
j) OPENPGPKEY(61) - OpenPGP public key record
k) SMIMEA(53) - S/MIME cert association
l) TA(32768) - DNSSEC trust authorities
m) TKEY(249) - transaction key record
n) URI(256) - Uniform Resource Identifier

Perhaps at 1.8 time a few of these will be supported.