Mastodawn

An additional fun factor is that wildcards in #djbdns by design don't work like wildcards in BIND. The difference was much discussed a quarter of a century ago.

So any bug reports that assume that wildcards in djbdns databases are supposed to behave like they do in BIND's 'zone' files need to be checked for proper foundation.

And with RFC 4592 an even greater divergence then happened.

#djbwares #DNS #shibari

@JdeBP No, wildcards really didn't work in shibari 😅
But that's just why I wrote it: maintainability. I was able to fix it without too much pain, and it should now be compliant with RFC 4592.

I hope not, if working like #djbdns is the goal.

RFC4592 has a tree-structure model of domain name existence that prevents wildcards from working in some cases in a way that the djbdns table-structure model does not prevent.

Using the RFC4592 example:

When one does an MX lookup for _telnet._tcp.example. or ghost.*.example. it returns a non-empty record set because of the @ wildcard at *.example. .

In the RFC4592 model, the *.example. wildcard does not get applied.

#DomainNameSystem

@JdeBP Real talk: shibari working like #djbdns is not the goal. It has never been the goal. It will never be the goal. And I am getting increasingly annoyed at the djbware community who tends to believe that the original djbware is the be-all end-all of software design. djbware was excellent 30 years ago and is sometimes still serviceable; this does not mean it cannot be improved upon. Pretending otherwise is being in a cult.

In fact, the reason why I wrote shibari was twofold:

axfrdns is not RFC-compliant, and at some point BIND became more conservative in what it accepted, so one of my secondaries stopped working.
djbdns does not implement dns-0x20, so at some point some resolvers stopped working and my site became inaccessible.

(Also, of course, IPv6, but this was not the deciding factor.)

Did I try patching djbdns in order to solve my issues? Yes, I did. And it soon became apparent that although the djbdns design is stellar, the code is less than, and finding out where and how to patch it in order to change what I wanted was seriously threatening the few hairs I have left. I found it easier to write an entirely different DNS server from the ground up than to actually patch djbdns. That's how unmaintainable the code is.

So no, shibari's goal isn't to work like djbdns. It is to be a replacement that is, you know, actually compliant with the specifications, because that is what most people expect from their software. And also, a replacement that is actually maintainable and maintained, as proven by the fact that it only took me a few hours to fix the wildcard bug in shibari and make it RFC-compliant, whereas you seem to be saying it would be more or less impossible with djbdns - which I'm fully willing to believe.

https://marc.info/?l=djbdns&m=104636747625737&w=2

It probably would be possible, but it was genuinely a design decision by Bernstein to make wildcards work that way. There were several mailing list discussions.

In this case, working like #djbdns means taking unmodified cdb files and providing the same responses from those data; which is what your WWW page currently says is the #shibari goal.

If taking unmodified data files and giving non-tinydns behaviour instead is the goal, then that WWW page misleads.

'Re: tinydns and wildcards' - MARC

@JdeBP "providing the same responses" does not mean bug-for-bug compatibility. They serve the same data, but when djbdns is noncompliant, shibari serves compliant data instead. This isn't a stretch.

At some point though, shibari will come with its own db format, because the tinydns format is far from optimal. Then I will stop misleading the 3 people who are stuck in 1998. 😛

That rather depends from the claim that something that was deliberately designed, and is documented as working that way, even *is* a bug. Bernstein did design to make things less suprisingly odd than 'zone' files.

Because this was and is unintuitive. I was one of the people who sometimes explained to users that there were implied interior nodes that stopped wildcards from working. As well as the other ways that BIND wildcarding didn't work like MaraDNS, Microsoft DNS, and #djbdns.

@JdeBP You're mixing two different things.

Yes, djbdns was designed to make things simpler than manipulating BIND zone files, and in that, it succeeded. tinydns-data was a wonderful idea, the format is nice (though sugar for AAAA records would be nice to have in 2026, something else that my own format should support) and automatable, and all in all it is clearly superior to most DNS software out there that is still tied to zone files.
Wildcards, however, are not part of what make zone files unintuitive. They may have been confusing back in 2001, but RFC 4592 came out in 2006, which is 20 years ago, and it seems to clarify wildcard semantics enough that no updates were deemed necessary. In that, djbdns refusing to align with the RFC is just as guilty of Microsoft DNS Server and MaraDNS. There's a new spec, the spec's behaviour is not blatantly inferior to your interpretation, the correct decision for a maintainer is to implement the spec. djb didn't do that because by 2006 djbware was already abandonware; that does not mean djbdns wildcards are correct. It means they're obsolete. There would have been an argument for bug-for-bug compatibility in 2007 or 2008; in 20fucking26, there is none.

By upgrading to shibari, you risk making your wildcards behave according to the specification. Oh no!

(Edit: typo)

https://news.ycombinator.com/item?id=44320497

Sugar for AAAA records was done in 2025 by me. Felix von Leitner did it differently 25 years earlier, but I didn't like that it required two parallel toolsets and sets of record types. My way, it's just an IPv6 address in the same '+' records.

That's been available for a *long* time.

No, I'm not mixing things. I was there. I was there when the wildcard draft was made, trying to point out various problems in it, 2 years before publication. I was also there doing the user support, and I can tell you from a lot of actual experience with end users and this stuff that you are quite wrong.

Wildcards were one of the things that users asked about, over and over. BIND wasn't intuitive. Indeed people are still saying so on StackExchage 20 years later.

Don't fall into the trap of treating RFC4592 as a spec.

It's still a proposed standard, and there's a *lot* of stuff in the DNS RFC world that seems like a spec, until one hits the real world and finds that it's a decade-or-more wild goose chase that the RFCs don't tell you has failed to take off.

The reality is that RFC4592 didn't take off, either. *No-one* has adopted it that wasn't the implementation that it sought to ossify.

#DomainNameSystem

Why do we need DNSSEC? | Hacker News