#DNS #BIND #dig #named #dnssec

bin+lib trust-dns-server

Trust-DNS is a safe and secure DNS server with DNSec support. Eventually this could be a replacement for BIND9. The DNSSec support allows for live signing of all records, in it does not currently support records signed offline. The server supports dynamic DNS with SIG0 authenticated requests. Trust-DNS is based on the Tokio and Futures libraries, which means it should be easily integrated into other software that also use those libraries.

20 releases

0.16.0 Apr 15, 2019
0.16.0-alpha.2 Jan 27, 2019
0.15.1 Jan 27, 2019
0.15.0 Nov 1, 2018
0.9.3 Dec 31, 2016

#288 in Network programming

Download history 127/week @ 2019-02-01 58/week @ 2019-02-08 31/week @ 2019-02-15 117/week @ 2019-02-22 99/week @ 2019-03-01 27/week @ 2019-03-08 43/week @ 2019-03-15 93/week @ 2019-03-22 30/week @ 2019-03-29 69/week @ 2019-04-05 42/week @ 2019-04-12 14/week @ 2019-04-19 60/week @ 2019-04-26 121/week @ 2019-05-03 91/week @ 2019-05-10

289 downloads per month
Used in 2 crates


30K SLoC


Trust-DNS Server is a library which implements the zone authoritory functionality.

This library contains basic implementations for DNS zone hosting. It is capable of performing signing all records in the zone for server DNSSec RRSIG records associated with all records in a zone. There is also a named binary that can be generated from the library with cargo install trust-dns-server. Dynamic updates are supported via SIG0 (an mTLS authentication method is under development).


  • Dynamic Update with sqlite journaling backend (SIG0)
  • DNSSEC online signing (NSEC not NSEC3)
  • DNS over TLS (DoT)
  • DNS over HTTPS (DoH)
  • Forwarding stub resolver
  • ANAME resolution, for zone mapping aliass to A and AAAA records
  • Additionals section generation for aliasing record types

Future goals

  • Distributed dynamic DNS updates, with consensus
  • mTLS based authorization for Dynamic Updates
  • Online NSEC creation for queries
  • Full hint based resolving
  • Maybe NSEC3 and/or NSEC5 support


Trust-DNS does it's best job to follow semver. Trust-DNS will be promoted to 1.0 upon stabilization of the publicly exposed APIs. This does not mean that Trust-DNS will necessarily break on upgrades between 0.x updates. Whenever possible, old APIs will be deprecated with notes on what replaced those deprecations. Trust-DNS will make a best effort to never break software which depends on it due to API changes, though this can not be guaranteed. Deprecated interfaces will be maintained for at minimum one major release after that in which they were deprecated (where possible), with the exception of the upgrade to 1.0 where all deprecated interfaces will be planned to be removed.


~409K SLoC