domain is a Rust library for interacting with the Domain Name System. The crate contains an ever-growing set of building blocks for including DNS functionality in applications.
The domain library aims to provide a comprehensive – ideally complete – range of building blocks necessary to build specialised DNS applications or include uses of DNS in other applications.
domain is continually developed, so if you are an existing user or have plans to deploy it, we encourage you to share your feedback on the functionality, API, documentation, or any other aspect of the project. Please don’t hesitate to open an issue on GitHub or start a discussion.
We maintain several tools that use the domain library:
Client Capabilities
domain offers a client architecture that lets users break down DNS client functionality into many composable layers. Each layer implements a single feature (e.g. caching requests, adding TSIG protection, or communicating over UDP). Users can pick the layers they want and build a custom pipeline for answering DNS requests. This offers a lot of flexibility, and it allows us to incrementally develop new features by introducing new layers. The architecture also features a caching layer.
domain also features a complete DNSSEC validator, which inspects responses to queries and ensures they are legitimate. It is implemented as a new client layer, so that validation can be added to existing pipelines transparently.
You can also make use of the TSIG layer, allowing clients to sign their requests and prevent modifications by an attacker. To use TSIG, clients and servers need to share a secret key – it can’t be used for regular DNS requests to public servers. Instead, its audience is name servers which need to communicate zone transfers to each other.
All of the basic logic of zone transfers (XFRs) is also available. Rather than fiddling with the minute details of XFR responses, clients simply get an updated zone to serve. This is important for secondary name servers which need to be synchronized to an upstream source.
Server Capabilities
The server side of domain features the same layered service architecture as the client. Requests can be received over UDP and TCP. Important middleware services, like EDNS cookie management, are implemented as well. Users can pick the layers they want, put them in a pipeline, and get a functional DNS server.
domain also features an an in-memory storage for zones and trees of zones. A DNS zone can be loaded from a zonefile (using domain’s existing support for zonefile parsing) and DNS requests can be answered by traversing the zone. The zone storage can be provided by a custom backend (e.g. a MySQL server) so that users can manage their zone data as they wish.
All the logic of serving both authoritative and incremental transfers (AXFRs and IXFRs, respectively) is also available. Server-side support for TSIG, as well as NOTIFY Requests is also available.
DNSSEC Signing
domain has complete support for the representation for cryptographic keys. They can be generated, stored in memory, and loaded from / saved to disk. Multiple backends are supported (currently ring and OpenSSL), and users can introduce custom backends if necessary.
We also offer lifecycle management for DNSSEC keys. The lifecycle manager determines which keys are appropriate for signing a zone, allowing keys to be safely rotated over time. Zone signing is mostly feature complete, with the ability to handle keys, speedy support for NSEC3 and signing a single zone with multiple keys.