
Releases: cunnie/sslip.io

k-v.io: on DELETE, don't return the deleted value

13 Apr 21:23
f6827fd

We don't return the deleted value because doing that would have the unintended consequence of postponing the deletion: downstream caching servers would cache the deleted value for up to three more minutes. We'd rather have the key deleted sooner rather than later.

Some APIs, e.g. etcd's, return a list of the deleted values; those APIs can afford to do so because they don't need to worry about DNS propagation.

We also lengthen the timeout of an etcd API call from 500 msec to 1928 msec; 500 msec was too tight: some calls routinely took 480 msec to complete, and we wanted more headroom.

We also no longer do two etcd operations when we delete a value. Previously we would do a GET followed by a DELETE, but since we're not returning the value deleted, there's no point to the GET. Furthermore, the GET was never necessary, for the etcd DELETE API call returned the values deleted.

  • We no longer produce BOSH releases; if you need a BOSH release, use version 2.5.1.
  • You can now select the port to bind to, e.g. sslip.io-dns-server -port 5353. This is useful, for example, when you're not running as a privileged user, and you can't bind to a privileged port (e.g. 53).
  • Blocklists are downloaded once per hour, not once per hour per IP address bound to.

Include a CIDR-based blocklist to foil phishers

27 Feb 01:24
9c2f0e9

Typical examples: 43.134.66.67/24, 2601:646:100:69f7:cafe:bebe:cafe:bebe/112

We decided we needed to block by CIDRs as well as strings because phishers can use hostnames that don't lend themselves to being blocked with strings, e.g. nf-43-134-66-67.sslip.io.

  • Blocklist downloads every hour
  • Private IP addresses aren't blocked

[fixes #13]

Include a blocklist to foil phishers

07 Feb 04:11
830f4b6

Typical example: https://raiffeisen.94.228.116.140.sslip.io.

Raiffeisen is a bank.

I was hoping Let's Encrypt would share their blocklist, but they wouldn't. See #13 for more information.

🐞 Fix crashes caused by specially-crafted hostnames

22 Jan 17:56
de9c846

Bug fix: certain hostnames with embedded IPv4 addresses would cause the server to crash (this was caused by my regular expression thinking they were valid IPs, but net.ParseIP() disagreeing). Now the server doesn't crash; instead it returns no answers (correct behavior).
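An added Go example (not the project's own code) of the two behaviours described on this page, the CIDR blocklist release above and this crash fix: a regexp finds the dashed or dotted IPv4 address in a hostname such as nf-43-134-66-67.sslip.io, net.ParseIP has the final say so that a lookalike such as 999.1.1.1 yields no answer instead of a crash, and the resulting address is checked against a CIDR blocklist that never blocks private addresses. The regexp, the type names and the functions are assumptions; the server's real matching code is not reproduced here.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)
// Candidate IPv4 embedded in a hostname: four 1-3 digit groups joined by dots or
// dashes ("nf-43-134-66-67.sslip.io"). It also matches impossible octets such as 999.
var ipv4Candidate = regexp.MustCompile(`(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?:[.-]|$)`)
// embeddedIPv4 returns the embedded address, or nil when there is none or the
// match is not a valid IPv4 address (the caller then answers with no records).
func embeddedIPv4(hostname string) net.IP {
	m := ipv4Candidate.FindStringSubmatch(strings.TrimSuffix(hostname, "."))
	if m == nil {
		return nil
	}
	return net.ParseIP(strings.Join(m[1:], ".")) // nil for e.g. 999.1.1.1: no crash, no answer
}
// Blocklist is a set of CIDRs (IPv4 or IPv6); a hostname is blocked when the
// public address it embeds falls inside any of them. Private ranges are exempt.
type Blocklist []*net.IPNet
// NewBlocklist rejects the whole list on a malformed entry rather than dropping a block.
func NewBlocklist(cidrs []string) (b Blocklist, err error) {
	for _, c := range cidrs {
		_, n, e := net.ParseCIDR(c)
		if e != nil {
			return nil, e
		}
		b = append(b, n)
	}
	return b, nil
}
func (b Blocklist) Blocked(hostname string) bool {
	ip := embeddedIPv4(hostname)
	if ip == nil || ip.IsPrivate() {
		return false
	}
	for _, n := range b {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
func main() {
	b, _ := NewBlocklist([]string{"43.134.66.67/24"})
	fmt.Println(b.Blocked("nf-43-134-66-67.sslip.io"), embeddedIPv4("999.1.1.1.sslip.io")) // true <nil>
}
```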

Now with metrics! `metrics.status.sslip.io`

20 Jan 16:33
14ef9a0
  • Feature: you can view the metrics of a given server by querying the TXT record of metrics.status.sslip.io, e.g. dig @ns-aws.sslip.io metrics.status.sslip.io txt +short
  • Bug fix: the server would panic() when querying the TXT record of a customized domain which didn't have a customized TXT record, e.g. dig @ns-aws.sslip.io ns.sslip.io txt +short. Now it doesn't panic().
  • Change: experimental TXT records to find the server version have been moved from version.sslip.io to version.status.sslip.io, e.g. dig @ns-aws.sslip.io version.status.sslip.io txt +short
  • Change: TTL dropped from 300 to 180 seconds (5 minutes to 3 minutes). This lays the groundwork for the upcoming key-value store.

`kv.sslip.io`: (key-value) read/write/delete TXTs

04 Dec 16:25
fdc6a80

We enable special behavior under the kv.sslip.io subdomain: it can be treated as a key-value store, the sub-subdomain being the key, and the TXT record being the value.

For example, to write ("put") the value "12.0.1" to the key "macos-version" on the ns-gce.sslip.io. nameserver, you'd use the following dig command:

dig @ns-gce.sslip.io. txt put.12.0.1.macos-version.kv.sslip.io.

To read ("get") the value back, you'd write the following dig command:

dig @ns-gce.sslip.io. txt get.macos-version.kv.sslip.io.

Since "get" is the default behavior, you don't need to include it in the domain name:

dig @ns-gce.sslip.io. txt macos-version.kv.sslip.io.

Finally, when you're done with the key-value, you can "delete" it:

dig @ns-gce.sslip.io. txt delete.macos-version.kv.sslip.io.

Notes:

  • Keys are case-insensitive (to accommodate DNS convention). In other words, KEY.kv.sslip.io and key.kv.sslip.io return the same TXT record.
  • Values are case-sensitive. put.CamelCase.style.kv.sslip.io sets the TXT record to "CamelCase".
  • put requests will return the TXT record being put; e.g. put.hello.world.kv.sslip.io returns one TXT record of one string, hello.
  • delete requests will return the TXT record being deleted; e.g. delete.world.kv.sslip.io returns one TXT record of one string, hello. If the TXT record does not exist, no TXT records will be returned.
  • Values are limited to 63 bytes to mitigate using the sslip.io servers in a DNS amplification attack.
  • Values are not persistent: if the server is restarted, all values disappear. Poof.
  • Values are not consistent. If a value is set in ns-aws.sslip.io, it does not propagate to ns-gce.sslip.io nor ns-azure.sslip.io.
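An added Go model (not the project's code) of the kv.sslip.io query grammar and the rules listed above: case-insensitive keys, case-sensitive values with their dots preserved, the 63-byte value cap, and get as the default operation. It implements delete the way the later release at the top of this page describes it, returning nothing rather than the deleted value, so the put/delete bullets above reflect the older behaviour. The parsing strategy, the KV type and the plain in-memory map are assumptions, not the server's real implementation.

```go
package main

import (
	"fmt"
	"strings"
)
// KV models the in-memory, per-server, non-persistent store (no replication).
type KV map[string]string
// parse splits "[op.][value.]key.kv.sslip.io." into its parts: the key is the lowercased
// label before "kv" (DNS names are case-insensitive); the labels between op and key
// form the value with dots and case kept ("12.0.1"); get is the default operation.
func parse(qname string) (op, key, value string, ok bool) {
	name := strings.TrimSuffix(qname, ".")
	if !strings.HasSuffix(strings.ToLower(name), ".kv.sslip.io") {
		return "", "", "", false
	}
	labels := strings.Split(name[:len(name)-len(".kv.sslip.io")], ".")
	op = "get"
	if l := strings.ToLower(labels[0]); len(labels) > 1 && (l == "put" || l == "get" || l == "delete") {
		op, labels = l, labels[1:]
	}
	key = strings.ToLower(labels[len(labels)-1])
	value = strings.Join(labels[:len(labels)-1], ".")
	// put needs a value, get/delete must not carry one; the 63-byte cap limits amplification.
	ok = key != "" && (op == "put") == (value != "") && len(value) <= 63
	return op, key, value, ok
}
// Query answers a TXT query: put stores and echoes the value, get returns it (nothing if
// absent), delete removes it and returns nothing, so caches cannot keep it alive for a TTL.
func (kv KV) Query(qname string) []string {
	op, key, value, ok := parse(qname)
	switch {
	case !ok: // malformed: answer with no TXT records
		return nil
	case op == "put":
		kv[key] = value
		return []string{value}
	case op == "delete":
		delete(kv, key)
		return nil
	}
	if v, found := kv[key]; found {
		return []string{v}
	}
	return nil
}
func main() {
	kv := KV{}
	kv.Query("put.12.0.1.macos-version.kv.sslip.io.")
	fmt.Println(kv.Query("MACOS-VERSION.kv.sslip.io."), kv.Query("delete.macos-version.kv.sslip.io.")) // [12.0.1] []
}
```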

2.2.4

29 Nov 03:30
250ddb7

When querying for NS records, the nono.io records are no longer returned; only the sslip.io records.

2.2.3

27 Nov 19:41
074f0a8

Add NS servers in sslip.io domain

We currently use three nameservers in the nono.io domain, but that's confusing: why not have the nameservers in the sslip.io domain?

This commit starts the ball rolling to convert to the sslip.io domain. We'll have a brief period where we have both nono.io and sslip.io nameservers.

At that point we'll add the sslip.io nameservers to our registrar, Namecheap.com.

Once they've been added to our registrar, we'll wait a day or two to propagate, and then we'll delete references to the nono.io nameservers.

2.2.2

01 Nov 14:31

ip.sslip.io TXT returns origin IP

Our documentation was wrong; our homepage said to get the origin IP address by querying the TXT record of the root, i.e. dig @ns-aws.nono.io txt . +short; however, our code worked differently: it returned the origin IP when the .ip TLD was queried.

The new behavior is that it returns the origin IP when ip.sslip.io. is queried, and the documentation now reflects that behavior.

Also, that behavior is marked "experimental" to give us leeway to change.

2.2.1

06 Oct 12:30

TXT record for version.sslip.io returns version information

dig txt version.sslip.io returns version information of the sslip.io DNS server. This can be helpful when troubleshooting.

The TXT record consists of three distinct strings: version, compile date, and git hash.

dig @ns-aws.nono.io txt version.sslip.io +short
  "2.2.1"
  "2021/10/06-05:17:18-0700"
  "7bef649"

The three servers should always have the same semantic version (e.g. "2.2.1"), but their compile date & git hash may differ for technical reasons.

Full Changelog: 2.2.0...2.2.1