
Page 1: Pro DNS and BIND 10 - Springer978-1-4302-3049-6/1.pdf · Pro DNS and BIND 10 ... Cover Designer: ... Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505,

Pro DNS and BIND 10

■ ■ ■

Ron Aitchison


Pro DNS and BIND 10

Copyright © 2011 by Ron Aitchison

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN 978-1-4302-3048-9

ISBN 978-1-4302-3049-6 (eBook)

Printed and bound in the United States of America (POD)

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

President and Publisher: Paul Manning
Lead Editor: Michelle Lowman
Technical Reviewer: Joe Topjian
Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Jonathan Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Jeff Olson, Jeffrey Pepper, Frank Pohlmann, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh
Coordinating Editor: Laurin Becker
Copy Editor: Mary Behr
Compositor: MacPS, LLC.
Indexer: Julie Grady
Artist: April Milne
Cover Designer: Anna Ishchenko

Distributed to the book trade worldwide by Springer Science+Business Media, LLC., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com.

For information on translations, please e-mail [email protected], or visit www.apress.com.

Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/info/bulksales.

The information in this book is distributed on an “as is” basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

The source code for this book is available to readers at www.apress.com. You will need to answer questions pertaining to this book in order to successfully download the code.


To Jed and Cleo. Your arrival changed my life. Mostly for the better.


iv

Contents at a Glance

Contents ..................................................................................................................... v

About the Author ................................................................................................... xxiii

About the Technical Reviewer ............................................................................... xxiv

Acknowledgments .................................................................................................. xxv

Introduction ........................................................................................................... xxvi

Part I: Principles and Overview .................................................................................. 1

■Chapter 1: An Introduction to DNS .......................................................................... 3

■Chapter 2: Zone Files and Resource Records ........................................................ 23

■Chapter 3: DNS Operations .................................................................................... 41

■Chapter 4: DNS Types ............................................................................................ 63

■Chapter 5: DNS and IPv6 ....................................................................................... 77

Part II: Get Something Running ................................................................................ 95

■Chapter 6: Installing BIND ..................................................................................... 97

■Chapter 7: BIND Type Samples ............................................................................ 129

■Chapter 8: DNS Techniques ................................................................................. 163

■Chapter 9: DNS Diagnostics and Tools ................................................................ 209

Part III: DNS Security .............................................................................................. 271

■Chapter 10: DNS Secure Configurations .............................................................. 273

■Chapter 11: DNSSEC ............................................................................................ 317

■Chapter 12: BIND 9 Configuration Reference ...................................................... 379

■Chapter 13: Zone File Reference ......................................................................... 483

Part IV: Programming ............................................................................................. 553

■Chapter 14: BIND APIs and Resolver Libraries .................................................... 555

■Chapter 15: DNS Messages and Records ............................................................ 587

Part V: Appendixes ................................................................................................. 615

■Appendix A: DNS Registration and Governance .................................................. 617

■Appendix B: DNS RFCs ......................................................................................... 629

■Index ................................................................................................................... 639


Contents

Contents at a Glance ................................................................................................. iv

About the Author ................................................................................................... xxiii

About the Technical Reviewer ............................................................................... xxiv

Acknowledgments .................................................................................................. xxv

Introduction ........................................................................................................... xxvi

Part I: Principles and Overview .................................................................................. 1

■Chapter 1: An Introduction to DNS .......................................................................... 3

A Brief History of Name Servers ........................................................................................ 3

Name Server Basics ........................................................................................................... 4

The Internet Domain Name System ................................................................................... 4

Domains and Delegation ........................................................................................................................... 5

Domain Authority ...................................................................................................................................... 6

DNS Implementation and Structure ................................................................................... 8

Root DNS Operations .......................................................................................................... 9

Top-Level Domains ................................................................................................................................. 13

DNS in Action ................................................................................................................... 16

Zones and Zone Files .............................................................................................................................. 19

Master and Slave DNS Servers ............................................................................................................... 20

DNS Software ................................................................................................................... 21

Summary .......................................................................................................................... 22

■Chapter 2: Zone Files and Resource Records ........................................................ 23

Zone File Format .............................................................................................................. 23


Zone File Contents ........................................................................................................... 24

An Example Zone File ....................................................................................................... 25

The $TTL Directive ........................................................................................................... 27

The $ORIGIN Directive ...................................................................................................... 28

The SOA Resource Record ............................................................................................... 30

The NS Resource Record ................................................................................................. 33

The MX Resource Record ................................................................................................. 34

The A Resource Record .................................................................................................... 35

CNAME Resource Record ................................................................................................. 36

When CNAME Records Must Be Used ..................................................................................................... 38

Additional Resource Records ........................................................................................... 38

PTR Resource Records ............................................................................................................................ 38

TXT Resource Records ............................................................................................................................ 38

AAAA Resource Records ......................................................................................................................... 39

NSEC, RRSIG, DS, DNSKEY, and KEY Resource Records ......................................................................... 39

SRV Resource Records ............................................................................................................................ 39

Standard Configuration File Scenarios ............................................................................. 39

Summary .......................................................................................................................... 39

■Chapter 3: DNS Operations .................................................................................... 41

The DNS Protocol ............................................................................................................. 41

DNS Queries ..................................................................................................................... 42

Recursive Queries ................................................................................................................................... 43

Iterative (Nonrecursive) Queries ............................................................................................................. 45

Inverse Queries ....................................................................................................................................... 47

DNS Reverse Mapping ..................................................................................................... 47

IN-ADDR.ARPA Reverse-Mapping Domain ............................................................................................. 48

Zone Maintenance ............................................................................................................ 55

Full Zone Transfer (AXFR) ........................................................................................................................ 56

Incremental Zone Transfer (IXFR) .......................................................................................................... 57

Notify (NOTIFY) ....................................................................................................................................... 58


Dynamic Update ...................................................................................................................................... 58

Alternative Dynamic DNS Approaches .................................................................................................... 59

Security Overview ................................................................................................................................... 59

Summary .......................................................................................................................... 62

■Chapter 4: DNS Types ............................................................................................ 63

Master (Primary) Name Servers ....................................................................................... 64

Slave (Secondary) Name Servers ..................................................................................... 66

Slave (Secondary) DNS Behavior ............................................................................................................ 67

Caching Name Servers ..................................................................................................... 68

Caching Implications ............................................................................................................................... 70

Forwarding (Proxy) Name Servers ................................................................................... 70

Stealth (DMZ or Split) Name Server ................................................................................. 71

Stealth Servers and the View Clause ...................................................................................................... 73

Stealth Server Configuration ................................................................................................................... 73

Authoritative-only Name Server ....................................................................................... 75

Summary .......................................................................................................................... 76

■Chapter 5: DNS and IPv6 ....................................................................................... 77

IPv6 .................................................................................................................................. 79

IPv6 Address Notation ............................................................................................................................. 80

Prefix or Slash Notation .......................................................................................................................... 81

IPv6 Address Types ................................................................................................................................. 81

Global Unicast IPv6 Address Allocation ................................................................................................... 82

IPv6 Global Unicast Address Format ....................................................................................................... 84

Status of IPv6 DNS Support ............................................................................................. 85

The AAAA vs. A6 Resource Record .......................................................................................................... 85

Mixed IPv6 and IPv4 Network Support .................................................................................................... 85

IPv6 Resource Records .................................................................................................... 86

The AAAA Resource Record ............................................................................................. 88

Reverse IPv6 Mapping ..................................................................................................... 89

IPv6 Reverse Map Issues ........................................................................................................................ 91


The IPv6 PTR Resource Record ........................................................................................ 92

Summary .......................................................................................................................... 93

Part II: Get Something Running ................................................................................ 95

■Chapter 6: Installing BIND ..................................................................................... 97

Ubuntu Server 10.04 Installation ...................................................................................... 98

FreeBSD 8.1 Installation ................................................................................................. 101

FreeBSD Considerations ....................................................................................................................... 106

Building BIND from Source ............................................................................................ 107

Windows Installation ...................................................................................................... 113

Summary ........................................................................................................................ 128

■Chapter 7: BIND Type Samples ............................................................................ 129

Before You Start ............................................................................................................. 130

Configuration Layout ............................................................................................................................. 130

Configuration Conventions .................................................................................................................... 130

Zone File Naming Convention ............................................................................................................... 131

Required Zone Files .............................................................................................................................. 132

BIND named.conf File Format and Style ............................................................................................... 137

Standard Zone File ................................................................................................................................ 138

Common Configuration Elements .......................................................................................................... 138

Master DNS Server ......................................................................................................... 139

Master Name Server Configuration ....................................................................................................... 139

Slave DNS Server ........................................................................................................... 142

Slave Name Server Configuration ......................................................................................................... 142

Resolver (Caching-only) DNS Server .............................................................................. 144

Caching-only Name Server Configuration ............................................................................................. 145

Forwarding (a.k.a. Proxy, Client, Remote) DNS Server .................................................. 146

Forwarding Name Server Configuration ................................................................................................ 147

Stealth (a.k.a. Split or DMZ) DNS Server ........................................................................ 149

Stealth Configuration ............................................................................................................................ 149


Authoritative-only DNS Server ....................................................................................... 152

Authoritative-only Name Server Configuration ..................................................................................... 152

View-based Authoritative-only DNS Server ................................................................... 155

View-based Authoritative-only Name Server Configuration .................................................................. 155

Security and the view Section .............................................................................................................. 158

Summary ........................................................................................................................ 161

■Chapter 8: DNS Techniques ................................................................................. 163

Delegate a Subdomain (Subzone) .................................................................................. 164

Domain Name Server Configuration ...................................................................................................... 165

Subdomain Name Server Configuration ................................................................................................ 167

Virtual Subdomains ........................................................................................................ 168

Domain Name Server Configuration ...................................................................................................... 168

Configure Mail Servers Fail-Over ................................................................................... 169

Delegate Reverse Subnet Maps ..................................................................................... 170

Assignee Zone File ................................................................................................................................ 170

Assignor (End User) Zone File ............................................................................................................... 171

DNS Load Balancing ....................................................................................................... 172

Balancing Mail ...................................................................................................................................... 172

Balancing Other Services ...................................................................................................................... 173

Balancing Services ................................................................................................................................ 174

Controlling the RRset Order .................................................................................................................. 174

Effectiveness of DNS Load Balancing ................................................................................................... 175

Define an SPF Record .................................................................................................... 175

SPF RR Format ...................................................................................................................................... 176

SPF type Values ................................................................................................................................... 178

SPF Record Examples ........................................................................................................................... 183

Define a DKIM Record .................................................................................................... 186

DKIM DNS TXT RR Format ..................................................................................................................... 187

ADSP TXT RR Format ............................................................................................................................. 191

Examples ............................................................................................................................................... 192

Supporting http://example.com ............................................................................... 195


Apache Configuration ............................................................................................................................ 195

Out-of-Sequence Serial Numbers .................................................................................. 196

Use of Wildcards in Zone Files ....................................................................................... 197

Zone File Construction ................................................................................................... 198

Split Horizon DNS ........................................................................................................... 199

DNSBL (DNS Blacklists) .................................................................................................. 201

Example blacklist zone file ................................................................................................................... 202

Blacklist Return Addresses ................................................................................................................... 202

Additional Usage ................................................................................................................................... 204

DNS TTLs and Time Values ............................................................................................ 204

Summary ........................................................................................................................ 207

■Chapter 9: DNS Diagnostics and Tools ................................................................ 209

DNS Utilities ................................................................................................................... 209

The nslookup Utility ........................................................................................................ 211

nslookup Command Format .................................................................................................................. 211

Quick Examples ..................................................................................................................................... 211

Options .................................................................................................................................................. 213

Examples: Command Line ..................................................................................................................... 215

Example: Interactive Mode .................................................................................................................... 216

BIND dig Utility ............................................................................................................... 217

Quick Examples ..................................................................................................................................... 217

dig Syntax ............................................................................................................................................. 218

dig Options ............................................................................................................................................ 218

dig Examples ......................................................................................................................................... 223

dig Output ............................................................................................................................................. 225

dig Response Values ............................................................................................................................. 226

BIND named-compilezone Utility ................................................................................... 228

BIND named-checkconf Utility ....................................................................................... 228

named-checkconf Syntax ..................................................................................................................... 228

named-checkconf Options .................................................................................................................... 228

BIND named-checkzone/named-compilezone Utility ..................................................... 229


    named-checkzone/named-compilezone Syntax ..... 230
    named-checkzone/named-compilezone Arguments ..... 230
    named-checkzone/named-compilezone Examples ..... 232
  rndc ..... 232
    rndc Syntax ..... 232
    rndc Options ..... 233
    rndc.conf Clauses and Statements ..... 233
    rndc Configuration Examples ..... 235
    rndc Commands ..... 239
  rndc-confgen Utility ..... 242
    rndc-confgen Syntax ..... 242
    rndc-confgen Options ..... 242
  BIND nsupdate Utility ..... 243
    nsupdate Syntax ..... 244
    nsupdate Options ..... 244
    nsupdate Command Format ..... 245
    nsupdate Example ..... 247
    nsupdate and DNSSEC Signed Zones ..... 247
  dnssec-keygen Utility ..... 248
    BIND HSM Support (cryptoki) ..... 249
    dnssec-keygen Syntax ..... 250
    dnssec-keygen Arguments ..... 250
    dnssec-keygen Examples ..... 255
  dnssec-revoke Utility ..... 255
    dnssec-revoke Syntax ..... 256
    dnssec-revoke Arguments ..... 256
    dnssec-revoke Example ..... 256
  dnssec-settime Utility ..... 256
    dnssec-settime Syntax ..... 257
    dnssec-settime Arguments ..... 257
  dnssec-signzone Utility ..... 258
    dnssec-signzone Syntax ..... 259


    dnssec-signzone Arguments ..... 259
    dnssec-signzone Examples ..... 263
  Diagnosing DNS Problems ..... 264
    Before the Problem Happens ..... 264
    When the Problem Occurs ..... 266
  Summary ..... 270

Part III: DNS Security ..... 271

■Chapter 10: DNS Secure Configurations ..... 273
  Security Overview and Audit ..... 274
    DNS Normal Data Flow ..... 274
    Security Classification ..... 276
  Administrative Security ..... 277
    Up-to-Date Software ..... 277
    Limit Functionality ..... 278
    Limit Permissions ..... 279
    Running BIND 9 As Nonroot ..... 284
    BIND 9 in a Chroot Jail ..... 288
    Stream the Log ..... 293
    Software Diversity ..... 294
  A Cryptographic Overview ..... 294
    Symmetric Cryptography ..... 295
    Asymmetric Cryptography ..... 296
    Message Digests ..... 297
    Message Authentication Codes ..... 297
    Digital Signatures ..... 298
    DNS Cryptographic Use ..... 299
  Securing Zone Transfers ..... 300
    Authentication and Integrity of Zone Transfers ..... 301
    TSIG Configuration ..... 302
  Securing Dynamic Updates ..... 307
    TSIG DDNS Configuration ..... 308


    SIG(0) Configuration ..... 312
  Summary ..... 316

■Chapter 11: DNSSEC ..... 317
  Base DNSSEC Theory ..... 318
    Islands of Security ..... 318
    Chains of Trust ..... 321
    Securing or Signing the Zone ..... 322
    Secure Zone Maintenance ..... 329
    Secure Delegation ..... 333
    Dynamic DNS and DNSSEC ..... 334
    DNSSEC and Performance ..... 335
  DNSSEC Base Examples ..... 335
    Securing the example.com Zone ..... 335
    Establishing a Trusted Anchor ..... 344
    Signing the sub.example.com Zone ..... 347
    Creating the Chain of Trust ..... 349
    Key Rollover ..... 350
  DNSSEC Enhancements ..... 355
    NSEC3/Opt-Out ..... 356
    Validating Resolvers ..... 359
    Key Handling Automation ..... 360
  DNSSEC Lookaside Validation ..... 363
    DLV Service ..... 365
  DNSSEC Implementation ..... 367
    DNSSEC Algorithms and Keys ..... 368
    BIND Signing Models ..... 374
    DNSSEC Implementation - A Plan ..... 376
  Summary ..... 376

■Chapter 12: BIND 9 Configuration Reference ..... 379
  BIND Command Line ..... 379
    BIND Debug Levels ..... 381


    BIND Signals ..... 382
  BIND Configuration Overview ..... 383
    Layout Styles ..... 384
    named-checkconf Is Your Friend ..... 385
  BIND Clauses ..... 385
    BIND address_match_list Definition ..... 388
    BIND acl Clause ..... 390
    BIND controls Clause ..... 391
    BIND include Statement ..... 392
    BIND key Clause ..... 393
    BIND logging Clause ..... 394
    BIND lwres Clause ..... 395
    BIND managed-keys Clause ..... 395
    BIND masters Clause ..... 397
    BIND options Clause ..... 398
    BIND server Clause ..... 399
    BIND statistics-channels Clause ..... 399
    BIND trusted-keys Clause ..... 400
    BIND view Clause ..... 401
    BIND zone Clause ..... 402
  BIND Statements ..... 403
    BIND controls Statements ..... 426
      inet Statement ..... 427
    BIND logging Statements ..... 428
      channel Statement ..... 428
      category Statement ..... 431
    BIND lwres Statements ..... 434
      view ..... 434
      search ..... 435
      ndots ..... 435
  BIND Transfer Statements ..... 435


    allow-notify ..... 435
    allow-transfer ..... 436
    allow-update-forwarding ..... 436
    also-notify ..... 437
    alt-transfer-source, alt-transfer-source-v6 ..... 437
    ixfr-from-differences ..... 438
    max-journal-size ..... 438
    max-refresh-time, min-refresh-time ..... 438
    max-retry-time, min-retry-time ..... 439
    max-transfer-idle-in ..... 439
    max-transfer-idle-out ..... 439
    max-transfer-time-in ..... 439
    max-transfer-time-out ..... 439
    multi-master ..... 440
    notify ..... 440
    notify-delay ..... 441
    notify-source, notify-source-v6 ..... 441
    notify-to-soa ..... 441
    provide-ixfr ..... 442
    request-ixfr ..... 442
    serial-query-rate ..... 442
    transfer-format ..... 442
    transfer-source, transfer-source-v6 ..... 442
    transfers-in ..... 443
    transfers-per-ns ..... 443
    transfers-out ..... 443
    use-alt-transfer-source ..... 444
  BIND Operations Statements ..... 444
    avoid-v4-udp-ports, avoid-v6-udp-ports ..... 444
    check-names ..... 444
    check-dup-records, check-mx, check-wildcard ..... 444
    check-integrity, check-mx-cname, check-sibling, check-srv-cname ..... 445


    cleaning-interval ..... 445
    coresize ..... 446
    database ..... 446
    datasize ..... 446
    dialup ..... 446
    directory ..... 447
    disable-empty-zone, empty-contact, empty-server, empty-zones-enable ..... 447
    dual-stack-server ..... 448
    dump-file ..... 448
    files ..... 449
    flush-zones-on-shutdown ..... 449
    heartbeat-interval ..... 449
    hostname ..... 449
    interface-interval ..... 450
    journal ..... 450
    lame-ttl ..... 450
    listen-on ..... 450
    listen-on-v6 ..... 451
    match-mapped-addresses ..... 451
    max-cache-size ..... 451
    max-cache-ttl ..... 452
    max-journal-size ..... 452
    max-ncache-ttl ..... 452
    memstatistics ..... 452
    memstatistics-file ..... 452
    pid-file ..... 453
    port ..... 453
    preferred-glue ..... 453
    querylog ..... 453
    recursing-file ..... 453
    request-nsid ..... 454
    reserved-sockets ..... 454


    server-id ..... 454
    stacksize ..... 454
    statistics-file ..... 455
    tcp-clients ..... 455
    tcp-listen-queue ..... 455
    try-tcp-refresh ..... 455
    version ..... 455
    zone-statistics ..... 456
    zero-nosoa-ttl, zero-no-soa-ttl-cache ..... 456
  BIND Performance Statements ..... 456
    acache-cleaning-interval, acache-enable, max-acache-size ..... 456
    attach-cache ..... 457
    edns-udp-size ..... 458
    max-udp-size ..... 458
    minimal-responses ..... 458
  BIND Query Statements ..... 459
    additional-from-auth, additional-from-cache ..... 459
    allow-query, allow-query-on ..... 460
    allow-query-cache, allow-query-cache-on ..... 460
    allow-recursion, allow-recursion-on ..... 461
    auth-nxdomain ..... 461
    blackhole ..... 462
    clients-per-query, max-clients-per-query ..... 462
    delegation-only ..... 462
    forward ..... 462
    forwarders ..... 462
    query-source, query-source-v6 ..... 463
    recursion ..... 463
    recursive-clients ..... 463
    root-delegation-only ..... 463
    rrset-order ..... 464
    sortlist ..... 464


BIND Security Statements .................................................... 466

algorithm ........................................................................... 466

allow-update ........................................................................ 466

auto-dnssec ......................................................................... 467

bindkeys-file ....................................................................... 467

deny-answer-addresses, deny-answer-aliases .......................................... 467

disable-algorithms .................................................................. 468

dnssec-accept-expired ............................................................... 468

dnssec-dnskey-kskonly ............................................................... 468

dnssec-enable ....................................................................... 469

dnssec-lookaside .................................................................... 469

dnssec-must-be-secure ............................................................... 470

dnssec-secure-to-insecure ........................................................... 470

dnssec-validation ................................................................... 470

key-directory ....................................................................... 470

managed-keys-directory .............................................................. 471

random-device ....................................................................... 471

secret .............................................................................. 471

secroots-file ....................................................................... 471

session-keyfile, session-keyname, session-keyalg .................................... 472

sig-signing-nodes, sig-signing-signatures ........................................... 472

sig-signing-type .................................................................... 472

sig-validity-interval ............................................................... 473

tkey-dhkey .......................................................................... 473

tkey-domain ......................................................................... 473

tkey-gssapi-credential .............................................................. 474

update-check-ksk .................................................................... 474

use-v4-udp-ports, use-v6-udp-ports .................................................. 474

update-policy ....................................................................... 474

BIND server Statements ...................................................... 477

bogus ............................................................................... 477

edns ................................................................................ 477


keys ................................................................................ 478

transfers ........................................................................... 478

BIND view Statements ........................................................ 478

match-clients ....................................................................... 478

match-destinations .................................................................. 478

match-recursive-only ................................................................ 479

BIND zone Statements ........................................................ 479

check-names ......................................................................... 479

file ................................................................................ 479

masterfile-format ................................................................... 480

masters ............................................................................. 480

type ................................................................................ 481

Summary ..................................................................... 482

■Chapter 13: Zone File Reference ............................................ 483

DNS Zone File Structure ..................................................... 483

DNS Directives .............................................................. 484

The $ORIGIN Directive ............................................................... 484

The $INCLUDE Directive .............................................................. 485

The $TTL Directive .................................................................. 487

The $GENERATE Directive ............................................................. 488

DNS Resource Records ........................................................ 488

Resource Record Common Format ....................................................... 494

RRsets .............................................................................. 499

Resource Record Descriptions ................................................ 499

IPv4 Address (A) Record ............................................................. 500

Experimental IPv6 Address (A6) Record ............................................... 501

IPv6 Address (AAAA) Record .......................................................... 502

AFS Database (AFSDB) Record ......................................................... 504

Address Prefix List (APL) Record .................................................... 504

ATM Address (ATMA) Record ........................................................... 505

Certificate (CERT) Record ........................................................... 505


Canonical Name (CNAME) Record ....................................................... 507

Delegation of Reverse Names (DNAME) Record .......................................... 508

DHCID Record ........................................................................ 509

DLV Record .......................................................................... 509

DNSKEY Record ....................................................................... 510

Delegation Signer (DS) Record ....................................................... 511

System Information (HINFO) Record ................................................... 512

Host Identity Protocol (HIP) Record ................................................. 512

Integrated Services Digital Network (ISDN) Record ................................... 514

IPSEC Key (IPSECKEY) Record ......................................................... 514

Public Key (KEY) Record ............................................................. 515

Key Exchanger (KX) Record ........................................................... 516

Location (LOC) Record ............................................................... 516

Mailbox (MB) Record ................................................................. 518

Mail Group (MG) Record .............................................................. 519

Mailbox Renamed (MR) Record ......................................................... 520

Mailbox Mail List Information (MINFO) Record ........................................ 521

Mail Exchange (MX) Record ........................................................... 521

Naming Authority Pointer (NAPTR) Record ............................................. 524

Name Server (NS) Record ............................................................. 527

Network Service Access Point (NSAP) Record .......................................... 530

Next Secure (NSEC) Record ........................................................... 531

Next Secure 3 (NSEC3) RR ............................................................ 532

Next Secure 3 Parameter (NSEC3PARAM) RR ............................................. 533

Pointer (PTR) Record ................................................................ 534

X.400 to RFC 822 E-mail (PX) Record ................................................. 535

Responsible Person (RP) Record ...................................................... 536

Resource Record Signature (RRSIG) Record ............................................ 537

Route Through (RT) Record ........................................................... 539

Signature (SIG) Record .............................................................. 539

Start of Authority (SOA) Record ..................................................... 540

Sender Policy Framework (SPF) Record ................................................ 543

Services (SRV) Record ............................................................... 544


SSH Key Fingerprint (SSHFP) Record .................................................. 546

Text (TXT) Record ................................................................... 547

Well-Known Service (WKS) Record ..................................................... 548

X.25 Address (X25) Record ........................................................... 548

Alternative Cryptographic Algorithms ................................................ 549

User-Defined RRs ............................................................ 550

Summary ..................................................................... 550

Part IV: Programming ........................................................ 553

■Chapter 14: BIND APIs and Resolver Libraries ............................... 555

DNS Libraries and APIs ...................................................... 555

POSIX Library ............................................................... 556

BIND 9 DNS Libraries ........................................................ 556

Building BIND 9 Libraries ........................................................... 557

DNSSEC Aware getaddrinfo() and getnameinfo() ........................................ 558

DNSSEC POSIX enhanced Calls ......................................................... 559

Configuring for DNSSEC Validation ................................................... 561

Including Enhanced POSIX Functions in Applications .................................. 561

BIND Library Functions .............................................................. 563

BIND API Overview ........................................................... 564

Advanced Database API (adb) ......................................................... 564

Simple Database API (sdb) ........................................................... 564

The Simple Database API (sdb) ............................................... 565

Callback Overview ................................................................... 565

Registering the Callbacks ........................................................... 567

Adding the Driver to BIND ........................................................... 570

The Callback Functions .............................................................. 571

Returning RRs ....................................................................... 576

Memory Management for Drivers ....................................................... 578

Logging for Drivers ................................................................. 579

Testing the Driver .................................................................. 580

sdb Sample Driver ................................................................... 581


Summary ..................................................................... 585

■Chapter 15: DNS Messages and Records ....................................... 587

DNS Message Formats ......................................................... 589

DNS Message Overview ................................................................ 591

DNS Message Format .................................................................. 592

DNS Message Header .................................................................. 593

DNS QUESTION SECTION ................................................................ 596

DNS ANSWER, AUTHORITY, and ADDITIONAL SECTIONS ...................................... 597

EDNS0 Transactions .................................................................. 600

OPT Pseudo RR Format ................................................................ 601

DNS Binary RR Format ........................................................ 603

Security Algorithm Formats .......................................................... 611

NSEC/NSEC3 Bitmap Format ............................................................ 612

Summary ..................................................................... 613

Part V: Appendixes .......................................................... 615

■Appendix A: DNS Registration and Governance ................................ 617

Answers ..................................................................... 618

■Appendix B: DNS RFCs ....................................................... 629

■Index ...................................................................... 639


About the Author

■ Ronald (Ron) Aitchison is the President of Zytrax, Inc., a Montreal-based company that specializes in wireless and wire-line IP communications. Zytrax develops its own products as well as undertaking specialized consulting, training, system design, and development for clients. Zytrax supports its own and customer-hosted DNS, web, e-mail, and LDAP services on a mixed network of Windows, Linux, and, increasingly, FreeBSD systems, and has been an Open Source user since 1998. The company maintains www.zytrax.com/tech, a collection of more than 5,000 pages of technical information on an eclectic variety of technical subjects as a service to the community.

Prior to founding Zytrax in 1994, Ron worked in senior roles in development, sales, and marketing in both Europe and the US. He started his computer career in 1973 as a grunt systems programmer developing communications software for mainframes in a nineteenth-century palace outside of Edinburgh, Scotland. His major achievement in those years was, as cofounder of the local micro-club, persuading Intel to ship the UK’s second 8086 system for club use ahead of minor competition such as IBM and others. He moved into sales and marketing for a number of years before returning to real—technical—work when he established Zytrax. He was educated in mechanical engineering at the University of Strathclyde in Glasgow, Scotland, a long time ago.


About the Technical Reviewer

■ Joe Topjian has been working in ISP environments for more than 10 years. He currently runs Terrarum IT Services, which provides system administration services specializing in infrastructure support and automation. He lives in Calgary, Alberta, with his wife, Meghan.


Acknowledgments

The author would like to gratefully acknowledge the patience and forbearance of a number of individuals during the writing of this book:

The Apress team of Laurin Becker, Debra Kelly, and Mary Behr, who struggled valiantly with my complete inability to keep to a writing schedule and, since I am someone for whom split infinitives tend to stay split, who edited my writing so that it more closely resembles the English language. The contributions of Michelle Lowman and Joe Topjian were invaluable. My admiration for their diligence and perceptive comments is unbounded. Frank Pohlmann was a constant source of support and creative ideas when all seemed, frequently, to be doom and gloom.

One of the sad things about e-mail is that one never meets the individuals who took the time from busy lives to respond to questions and provide insight and information on numerous obscure topics. I would like to thank, in no particular order, Paul Vixie, Shane Kerr, Michael Richardson, Jeremy C. Reed, Michael Graff, Doug Barton, Bert Hubert and Jakob Schlyter. In spite of all the help, any errors are entirely the responsibility of the author.


Introduction

Every time you get e-mail, every time you access a web page, you use the Domain Name System (DNS). In fact, over 2 billion such requests hit the DNS root-servers alone every day. Every one of those 2 billion requests originates from a DNS server that supports a group of local users, and every one of them is finally answered by a DNS server that may support a high-volume commercial web site or a modest, but much loved, family web site. This book is about understanding, configuring, diagnosing, and securing the DNS servers that do this vital work. Many years ago, when I set up my first pair of DNS servers, I wasted my time looking for some practical advice and some sensible description of the theory involved. I found neither. I completed the DNS rite-of-passage—this book was born from that experience.

DNS is a complex subject, but it is also unnecessarily cloaked in mystery and mythology. This book, I hope, is a sensible blend of practical advice and theory. You can treat it as a simple paint-by-numbers guide to everything from a simple caching DNS to the most complex secure DNS (DNSSEC) implementations. But the background information is there for those times when you not only need to know what to do, but you also need to know why you are doing it, and how you can modify the process to meet your unique needs.

When the first edition of the book was written, we were on the cusp of a major change in DNS technology—the paint had not quite dried yet on the newly published DNSSEC standards. It is no exaggeration to say that even we who live in close proximity to DNS have been staggered by just how radical a change was brought about by those standards. In part this derives from the increasing focus on general Internet security, but it also comes from the recognition of the fundamental role DNS plays in enabling the Internet.

Among many unanswered questions for the future is, once the DNS is secure, what form and type of information may be safely added to DNS zones? The obvious follow-up question that immediately springs from such speculation is what functionality will be demanded of DNS software? We have already seen increasing specialization, clear separation of the roles of authoritative DNS and resolvers, to name one development, and alternative data sources for zone data such as databases and IP provisioning systems, to name another. But all continue to provide classic DNS look-up functionality. In this respect BIND 10 represents a new and radical approach, not just to the issues of functional separation and alternative data source, though these are provided, but in employing a modular and component-like architecture BIND 10 allows us to contemplate a very different way in which DNS may be used within a rapidly evolving Internet.

Introduction to the Second Edition

The second edition of this book represents a major expansion of material in both depth and breadth. On the theoretical side of the DNS equation, a more rigorous separation of the roles of authoritative DNS servers and resolvers (caching name servers) is present throughout the book, in keeping with the move to specialized software. A complete update of the material on zone files and BIND 9 statements and clauses means that once again the material provided represents a complete and detailed reference work on BIND 9. New sections now cover a wider range of specialized DNS techniques under the renamed Chapter 8. The DNSSEC chapter has been significantly expanded to reflect both the additional standards involved as well as the wealth of operational possibilities offered by BIND 9. Significant new material has been provided to illustrate usage and implementation of the BIND extended POSIX library functions, which can provide secure last-mile solutions.

While one of the original objectives of the book was to introduce BIND 10 with all its radical changes, it rapidly became apparent that to commit to a paper version at this stage in the evolution of BIND 10 would be to short-change readers. Consequently, a downloaded version of the BIND 10 material is provided. This method allows the material to be updated as necessary to reflect the increasing functionality of BIND 10 as it moves through its development cycle.

Who This Book Is For

This book is about running DNS systems based on BIND 9.7 and BIND 10. If you run or administer a DNS system, are thinking about running a DNS system, need to upgrade to support IPv6 DNS, need to secure a DNS for zone transfer, dynamic update, or other reasons, need to implement DNSSEC, or simply want to understand the DNS system, then this book is designed to provide you with a single point of reference. The book progressively builds up from simple concepts to full security-aware DNSSEC configurations. The various features, parameters, and Resource Records that you will need are all described and, in the majority of cases, illustrated with one or more examples. The book contains a complete reference on zone files, Resource Records, and BIND 9’s named.conf configuration file parameters. Programmers and the insatiably curious will find BIND 9’s Simple Database API, resolver library interfaces, and the gory details of DNS wire-format messages compelling reading.

How This Book Is Structured This book is about the Domain Name System. Most of the examples used throughout the book are based on the Berkeley Internet Name Domain, universally known as BIND, which is the most widely deployed name server software in current use. BIND version 9.7.1-P2 was used as the baseline version for all the examples. During the course of writing the book, version 9.7.2-P2, a bug-fix-only release, was made available. The majority of, but not all, tests were rerun on the new version; no functional differences were noted between the releases. Readers are advised to always obtain and use the latest stable BIND version.

Like most technical books, this is a mixture of descriptive text, reference material, and samples. For those completely unfamiliar with the subject, Part 1 (Chapters 1 to 5) is designed to introduce DNS in a progressive manner and could be read as a classic text on the subject. For those of a hands-on disposition, Part 2 provides an alternative entry point, with the various earlier chapters to be read as needed. Experienced readers would typically head straight for the meat in either Parts 3, 4, or 5, depending on their area of interest. As well as providing help and guidance during your initial endeavors, it is my fervent hope that this book will also provide you with an indispensable reference work for years to come.

Chapter 1, “An Introduction to DNS” Chapter 1 provides introductory and background material to the DNS as a specific implementation of the general name server concept. The key concepts introduced are the domain name hierarchy, delegation, DNS operational organization, the role of ICANN, and the various components that comprise a DNS ecosystem. A clear separation between the roles of authoritative name servers and resolvers (a.k.a. caching name servers) is introduced, and this terminology is used rigorously throughout the book. This chapter is for those who are unfamiliar with the topic or the changes that have occurred in the recent past.

Chapter 2, “Zone Files and Resource Records” Here you are introduced to the basic Resource Records and directives used to construct zone files. An example forward-mapping zone file is introduced that is used throughout the book and illustrates key DNS operational concepts such as resilience and location diversity. Those with little or no knowledge of zone files and their construction will find this chapter a gentle introduction to the topic.

Chapter 3, “DNS Operations” This chapter describes the basic operation of a DNS system, including queries, referrals, reverse mapping, zone transfers, and dynamic updates. A brief overview of DNS security is presented to familiarize readers with the potential threats posed when running DNS systems. This chapter is intended to give the reader a thorough grounding in the theory and background to these topics.

Chapter 4, “DNS Types” The text in this chapter breaks down configuring a DNS into a number of types such as master, slave, resolver (caching only name server), forwarding, Stealth, and authoritative only with the objective of giving the reader a set of building blocks from which more complex configurations can be constructed. This chapter will be useful to those unfamiliar with the range of possibilities offered by the DNS and its BIND implementation, including the view clause introduced with the BIND 9 series.

Chapter 5, “DNS and IPv6” Chapter 5 focuses on IPv6 and the DNS features that support this increasingly widespread protocol. A brief overview of IPv6 address structure and notation is provided for those currently unfamiliar with this topic.

Chapter 6, “Installing BIND” This chapter covers the installation of BIND on Linux (Ubuntu Server 10.04), FreeBSD (8.1), and Windows 7 from binary packages. For those cases where a package is not available, building from a source tarball is also described. Because BIND offers an increasingly wide range of compile-time configuration options, building from a source tarball is likely to become increasingly common.

Chapter 7, “BIND Type Samples” The zone and named.conf sample files for each of the DNS types introduced in Chapter 4 are provided. While these samples can be used as simple paint-by-number implementations, explanations are included to allow the configurations to be tailored to user requirements.

Chapter 8, “DNS Techniques” A number of DNS configurations are described and illustrated with sample files and implementation notes. The items covered include delegation of subdomains, load balancing, fixing sequence errors, delegation of reverse subnets, SPF and DKIM records, DNSBL, split horizon systems, and the use of wildcards.

Chapter 9, “DNS Diagnostics and Tools” The major utilities supplied with a BIND distribution, including those used for security operations, are covered with multiple use examples. The reader, however, is encouraged—especially with dig and nslookup—to get out and explore the Internet using these tools. A practical example is used to illustrate some diagnostic techniques and procedures.

Chapter 10, “DNS Secure Configurations” DNS security within this book is broken into four parts: administrative security, securing zone transfers, securing dynamic update, and DNSSEC. An overview of general cryptographic processes including symmetric and asymmetric encryption, digital signatures, and MACs, which form the basis of DNS security implementations, is provided for readers unfamiliar with this topic.

Chapter 11, “DNSSEC” This chapter deals exclusively with the DNSSEC security standards and covers both the theory and practical implementation. Zone signing, chains of trust, Zone Signing Keys and Key Signing Keys, DNSSEC Lookaside Validation (DLV), and key-rollover procedures are all covered with practical examples. BIND 9 provides a bewildering variety of DNSSEC implementation options—the final section in this chapter provides some advice and worked examples from which an intelligent choice can be made.

Chapter 12, “BIND Configuration Reference” As suggested by the title, this is purely a reference section, and it catalogues and describes with one or more examples all the clauses and statements used in BIND’s named.conf file. The chapter is organized in a manner that allows the reader to easily find appropriate statements to control specific BIND behaviors.

Chapter 13, “Zone File Reference” This is purely a reference section that describes each Resource Record in the current IANA list—normally with one or more examples to illustrate usage.

Chapter 14, “BIND APIs and Resolver Libraries” Designed more for programmers and designers, this chapter requires a reasonable understanding of C to make sense of it. It covers the new BIND Simple Database API and the newly released BIND extended POSIX interfaces, from which secure last-mile DNS solutions can be created.

Chapter 15, “DNS Messages and Records” This chapter covers the gory details of DNS wire-format messages and RR formats. A reasonable working knowledge of decimal, hex, and binary notation is required to make sense of the chapter. It is essential reading if you are developing DNS applications, if your packet sniffer does not decode the RRs you are interested in, or if you are insatiably curious about how this stuff works.

Appendix A, “Domain Name Registration” This appendix is a collection of material, presented in FAQ format, that may help to answer questions about registering domains in a variety of situations.

Appendix B, “DNS RFCs” This appendix presents a list of RFCs that define the DNS and DNS-related topics.

Additional Material In addition, the author maintains a web site about the book (www.netwidget.net/books/apress/dns) that covers additional material, including links to alternative DNS software, resolver language bindings, and background reading on various topics covered in the book, which may be of use to the reader.

Conventions The following conventions are used throughout the book:

• The # (hash or pound) symbol is used to denote a command prompt and always precedes a command to be entered. The command to be entered starts after this symbol.

• The \ (backslash) is used to denote where lines that are contiguous have been split purely for presentational reasons. When added to a file or entered on a command line, the \ should not be present.

• Lines consisting of four dots (....) in zone and configuration files are used to denote that other lines may or may not be present in these files. The dot sequence should not be entered in the actual files.

• When describing command syntax, the following convention is used throughout:

command argument [option1] keyword [option2 [option3] ...]

where the command and any keywords (shown in bold in the book) must be entered exactly as shown. Optional values are enclosed in square brackets and may be nested. Where repeated options are allowed, a sequence of three dots is used to indicate this.

Contacting the Author The author may be contacted at [email protected], and he maintains links and other information relating to this book at www.netwidget.net/books/apress/dns.