DNS. Agenda: DNS Basic, Zone Delegation, Half Class-C Reverse Lookup, Webmin, Tools, References


Upload: lambert-lawson

Post on 27-Dec-2015


DNS

Agenda

DNS Basic
Zone Delegation
Half Class-C reverse lookup
Webmin
Tools
References

DNS Basic

One of the main goals of the design of the Domain Name System was to decentralize administration.

DNS Basic

Name Servers and Zones

The programs that store information about the domain name space are called name servers. Name servers generally have complete information about some part of the domain name space, called a zone, which they load from a file or from another name server. The name server is then said to have authority for that zone.

DNS Basic

The edu domain broken into zones

DNS Basic

The berkeley.edu domain broken into zones

DNS Basic

The Domain ca

The Zone ca

DNS Basic

Name servers can be authoritative for multiple zones.

DNS Basic

Figure: the domain name space as a tree (levels shown top to bottom)
Root
arpa org edu gov com mil net tw uk jp cn …
in-addr mit nyu … nchu … nctu
eeapm www … www
www …

DNS Basic

TLD (Top-Level Domains)

The original top-level domains divided the Internet domain name space organizationally into seven domains:

com: Commercial organizations, such as Hewlett-Packard (hp.com), Sun Microsystems (sun.com), and IBM (ibm.com)

edu: Educational organizations, such as U.C. Berkeley (berkeley.edu) and Purdue University (purdue.edu)

DNS Basic

gov: Government organizations, such as NASA (nasa.gov) and the National Science Foundation (nsf.gov)

mil: Military organizations, such as the U.S. Army (army.mil) and Navy (navy.mil)

net: Networking organizations, such as NSFNET (nsf.net)

org: Noncommercial organizations, such as the Electronic Frontier Foundation (eff.org)

int: International organizations, such as NATO (nato.int)

DNS Basic

New Top Level Domain

ICANN is working to add seven new TLDs to the Internet's domain-name system. In November 2000, after extensive discussions throughout the global Internet community, the ICANN Board selected seven TLD proposals to be included in the first addition of a global TLD to the Internet since the 1980s.

The selected TLDs are: .aero (for the air-transport industry), .biz (for businesses), .coop (for cooperatives), .info (for all uses), .museum (for museums), .name (for individuals), and .pro (for professions).

DNS Basic

.biz is already fully operational and accepting live registrations. For more information on .biz, please visit the website of NeuLevel, Inc., the company selected to operate this new TLD: <http://www.nic.biz/>.

.info is also fully operational and accepting live registrations. More info on .info registration is available at the website of the .info registry operator, Afilias Limited, at <http://www.nic.info/>.

.name is fully operational and accepting live registrations. The company selected to operate .name, Global Name Registry, has posted an informational page at <http://www.nic.name/>.

DNS Basic

.museum is also operational. The .museum TLD is sponsored by Museum Domain Management Association (MuseDoma). MuseDoma's informational site can be located at <http://www.nic.museum/>.

.coop is operational. The .coop TLD is sponsored by the National Cooperative Business Association (NCBA). An informational site for .coop is available at <http://www.nic.coop/>.

.aero is operational and is sponsored by Societe Internationale de Telecommunications Aeronautiques SC (SITA). For more information on .aero, please visit <http://www.nic.aero>.

DNS Basic

The .pro registry agreement is still under negotiation. More information on .pro is available at the website of the registry operator, RegistryPro, Ltd., at <http://www.registrypro.com>.

DNS Basic - Resolver

Resolvers are the clients that access name servers. Programs running on a host that need information from the domain name space use the resolver. The resolver handles:
Querying a name server
Interpreting responses (which may be resource records or an error)
Returning the information to the programs that requested it

In BIND, the resolver is just a set of library routines that is linked into programs such as telnet and ftp. It's not even a separate process.

DNS Basic

Resolution of girigiri.gbrmpa.gov.au on the Internet

DNS Basic

The resolution process

DNS Basic

The in-addr.arpa domain

DNS Basic - Caching

Resolving baobab.cs.berkeley.edu

DNS Basic - TTL

TTL (Time To Live)

Name servers can't cache data forever. The administrator of the zone that contains the data decides on a time to live, or TTL, for the data. The time to live is the amount of time that any name server is allowed to cache the data. After the time to live expires, the name server must discard the cached data and get new data from the authoritative name servers.

Deciding on a time to live for your data is essentially deciding on a trade-off between performance and consistency.

Zone Delegation

Zone: name servers
edu.tw: moesun.edu.tw, a.twnic.net.tw, b.twnic.net.tw, c.twnic.net.tw
tc.edu.tw: nchud1.nchu.edu.tw, pds.nchu.edu.tw

Zone Delegation

Zone: name servers
tcc.edu.tw: dns.boe.tcc.edu.tw
chc.edu.tw: dns.chc.edu.tw
encntc.edu.tw: ntcg.encntc.edu.tw
128.140.in-addr.arpa: pds.nchu.edu.tw, nchud1.nchu.edu.tw

Zone Delegation

Zone: name servers
17.163.in-addr.arpa: pds.nchu.edu.tw, nchud1.nchu.edu.tw
22.163.in-addr.arpa: pds.nchu.edu.tw, nchud1.nchu.edu.tw
23.163.in-addr.arpa: dns.ncue.edu.tw, life.ncue.edu.tw

Half Class-C Reverse Lookup

RFC 2317: Classless IN-ADDR.ARPA delegation

IN-ADDR.ARPA delegation on non-octet boundaries for address spaces covering fewer than 256 addresses.

The proposed method is fully compatible with the original DNS lookup mechanisms.

Half Class-C Reverse Lookup

Let us assume we have assigned the address spaces to three different parties as follows:
192.0.2.0/25 to organization A
192.0.2.128/26 to organization B
192.0.2.192/26 to organization C

Half Class-C Reverse Lookup

In the classical approach, this would lead to a single zone like this:

$ORIGIN 2.0.192.in-addr.arpa.
;
1       PTR     host1.A.domain.
2       PTR     host2.A.domain.
3       PTR     host3.A.domain.
;
129     PTR     host1.B.domain.
130     PTR     host2.B.domain.
131     PTR     host3.B.domain.
;
193     PTR     host1.C.domain.
194     PTR     host2.C.domain.
195     PTR     host3.C.domain.

Half Class-C Reverse Lookup

... by using the first address or the first address and the network mask length (as shown below) in the corresponding address space to form the first component in the name for the zones.

The following four zone files show how the problem in the motivation section could be solved using this method.

Half Class-C Reverse Lookup

The parent (/24) zone: NS records delegate each sub-block, and one CNAME per address points into the delegated child zone.

$ORIGIN 2.0.192.in-addr.arpa.
@       IN      SOA     my-ns.my.domain. hostmaster.my.domain. (...)
;...
;  <<0-127>> /25
0/25    NS      ns.A.domain.
0/25    NS      some.other.name.server.
;
1       CNAME   1.0/25.2.0.192.in-addr.arpa.
2       CNAME   2.0/25.2.0.192.in-addr.arpa.
3       CNAME   3.0/25.2.0.192.in-addr.arpa.
;
;  <<128-191>> /26
128/26  NS      ns.B.domain.
128/26  NS      some.other.name.server.too.
;
129     CNAME   129.128/26.2.0.192.in-addr.arpa.
130     CNAME   130.128/26.2.0.192.in-addr.arpa.
131     CNAME   131.128/26.2.0.192.in-addr.arpa.
;
;  <<192-255>> /26
192/26  NS      ns.C.domain.
192/26  NS      some.other.third.name.server.
;
193     CNAME   193.192/26.2.0.192.in-addr.arpa.
194     CNAME   194.192/26.2.0.192.in-addr.arpa.
195     CNAME   195.192/26.2.0.192.in-addr.arpa.

The three child zones, each served by the organization that owns the block, hold the actual PTR records:

$ORIGIN 0/25.2.0.192.in-addr.arpa.
@       IN      SOA     ns.A.domain. hostmaster.A.domain. (...)
@       NS      ns.A.domain.
@       NS      some.other.name.server.
;
1       PTR     host1.A.domain.
2       PTR     host2.A.domain.
3       PTR     host3.A.domain.

$ORIGIN 128/26.2.0.192.in-addr.arpa.
@       IN      SOA     ns.B.domain. hostmaster.B.domain. (...)
@       NS      ns.B.domain.
@       NS      some.other.name.server.too.
;
129     PTR     host1.B.domain.
130     PTR     host2.B.domain.
131     PTR     host3.B.domain.

$ORIGIN 192/26.2.0.192.in-addr.arpa.
@       IN      SOA     ns.C.domain. hostmaster.C.domain. (...)
@       NS      ns.C.domain.
@       NS      some.other.third.name.server.
;
193     PTR     host1.C.domain.
194     PTR     host2.C.domain.
195     PTR     host3.C.domain.
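As an added example (not code from the slides or from RFC 2317), the Python below generates the parent-zone NS/CNAME records and the child-zone PTR records for one of the sub-/24 blocks above, then follows the CNAME chain the way a resolver does, which is why the scheme works with unmodified lookup mechanisms; it also rejects host octets outside the block, the usual mistake when such zones are edited by hand. The function names and the sample block are assumptions.

```python
import ipaddress

def reverse_name(ip):
    """Fully qualified in-addr.arpa owner name for one IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def rfc2317_records(block, child_ns, hosts):
    """Records for one sub-/24 block in the RFC 2317 style shown above.
    Returns (parent_rrs, child_rrs); each record is (owner, type, rdata)
    with fully qualified owners.  `hosts` maps last octet -> PTR target."""
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 covers IPv4 blocks smaller than a /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child = f"{first}/{net.prefixlen}.{parent}"   # e.g. 128/26.2.0.192.in-addr.arpa.
    parent_rrs = [(child, "NS", ns) for ns in child_ns]   # delegation in the /24 zone
    child_rrs = [(child, "NS", ns) for ns in child_ns]    # apex NS of the child zone
    for last, target in sorted(hosts.items()):
        # a CNAME for an address outside the block would point into the wrong zone
        if ipaddress.IPv4Address(f"{o1}.{o2}.{o3}.{last}") not in net:
            raise ValueError(f"octet {last} lies outside {block}")
        parent_rrs.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
        child_rrs.append((f"{last}.{child}", "PTR", target))
    return parent_rrs, child_rrs

def resolve_ptr(name, rrs, max_hops=8):
    """Look up a PTR as a resolver sees it: follow CNAMEs from the /24 zone
    into the child zone.  None if nothing is found, the child zone is
    missing (dangling CNAME), or the chain is too long."""
    db = {}
    for owner, rtype, rdata in rrs:
        db.setdefault(owner, []).append((rtype, rdata))
    for _ in range(max_hops):
        rrset = db.get(name, [])
        ptr = [rd for t, rd in rrset if t == "PTR"]
        if ptr:
            return ptr[0]
        cname = [rd for t, rd in rrset if t == "CNAME"]
        if not cname:
            return None
        name = cname[0]
    return None
```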

Dynamic Update

BIND 8 also supports the dynamic update facility described in RFC 2136. This permits authorized updaters to add and delete resource records from a zone for which the server is authoritative. An updater can find the authoritative name servers for a zone by retrieving the zone's NS records. If the server receiving an authorized update message is not the primary master for the zone, it will forward the update "upstream" to its master server(s). If they, in turn, are slaves for the zone, they will also forward the update upstream.

Command: nsupdate
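Added example, not code from the slides or from BIND: the Python below assembles the RFC 2136 UPDATE message that nsupdate sends (opcode 5, a Zone section naming the zone, an Update section with add and delete records) and decodes its header, the first thing a server inspects before it checks whether the sender is an authorized updater. The zone, names and addresses are constructed sample values.

```python
import struct

OPCODE_UPDATE = 5                     # RFC 2136 opcode value
TYPE = {"A": 1, "SOA": 6}
CLASS = {"IN": 1, "ANY": 255}

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    fixed = struct.pack("!HHIH", TYPE[rtype], CLASS[rclass], ttl, len(rdata))
    return encode_name(name) + fixed + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def build_update(msg_id, zone, updates):
    """UPDATE message: header (opcode 5), Zone section (the zone name, type
    SOA), an empty Prerequisite section, and one RR per requested update.
    updates: ("add", owner, ipv4, ttl) or ("del", owner) for a whole A RRset."""
    body = b""
    for op, owner, *rest in updates:
        if op == "add":
            ip, ttl = rest
            body += rr(owner, "A", "IN", ttl, a_rdata(ip))
        elif op == "del":
            # RFC 2136 2.5.2: class ANY, TTL 0, empty RDATA deletes the RRset
            body += rr(owner, "A", "ANY", 0, b"")
        else:
            raise ValueError(f"unknown update op {op!r}")
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, 0, len(updates), 0)   # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE["SOA"], CLASS["IN"])
    return header + zone_section + body

def parse_header(msg):
    """Decode the 12-byte header so a server or a packet filter can classify it."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}
```

In practice the message carries a TSIG record (listed under the BIND 9 features below) so the server can verify the updater; the layout above is what that signature covers.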

Webmin

URL: http://www.webmin.com

Tools

nslookup, dig, host

References

http://www.isc.org
RFC 2317: Classless IN-ADDR.ARPA delegation
http://www.internic.net/faqs/new-tlds.html

Some of the important features of BIND 9

DNS Security
DNSSEC (signed zones)
TSIG (signed DNS requests)

IP version 6
Answers DNS queries on IPv6 sockets
IPv6 resource records (A6, DNAME, etc.)
Bitstring Labels
Experimental IPv6 Resolver Library

DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

Views
One server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients, and an "outside" view to others.

Multiprocessor Support
Improved Portability Architecture