Professional Documents
Culture Documents
DNS (Domain Name System) Tutorial at IETF-70: Ólafur Guðmundsson Peter Koch
DNS (Domain Name System) Tutorial at IETF-70: Ólafur Guðmundsson Peter Koch
lafur Gumundsson
OGUD consulting
Peter Koch
DENIC eG
2007-12-02
Tutorial Overview
Goal:
Give the audience basic understanding of DNS to be able to facilitate new uses of DNS
2007-12-02
Data on wire is binary Domain names are case insensitive for [A-Z][a-z],
case sensitive for others ( exmple.com != exmple.com)
DNS tree
.
ORG
COM
DE
IS
UK
CAT
IETF
ogud
ISOC
DENIC
www
EDU
2007-12-02
DNS Terms
Domain name: any name represented in the DNS format
foo.bar.example. \0231br.example.
DNS label:
each string between two "." (unless the dot is prefixed by \) i.e. foo.bar is 2 labels foo\.bar is 1 label
DNS zone:
a set of names that are under the same authority example.com and ftp.example.com, www.example.com Zone can be deeper than one label, example .us, ENUM
Delegation:
Transfer of authority for/to a sub-domain
example.org is a delegation from org the terms parent and child will be used.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
Example:
- <name> <TTL> <Class> <RRtype> ogud.com. 13630 IN MX ogud.com. 13630 IN MX <data> 10 mail.ogud.com. 90 smtp.elistx.com.
DNS Elements
Resolver
stub: simple, only asks questions recursive: takes simple query and makes all necessary steps to assemble the full answer,
Server
authoritative: the servers that contain the zone file for a zone, one Primary, one or more Secondaries, caching: A recursive resolver that stores prior results and reuses them
Some perform both roles at the same time.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
Clean
Explicit transfer of authority
Parent is authoritative for existence of delegation, Child is authoritative for contents.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
EDNS0 (OPT RR) (RFC2671) expands UDP payload size by mutual agreement. TSIG (RFC2845) hop by hop authentication and integrity
Retransmission: built in
Resends timed-out-query
Possibly to a different server.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
Type : MX, A, AAAA, NS CLASS: IN (other classes exist, but none global) TTL: Time To Live in a cache RL: RD LENGTH: size of RDATA RDATA: The contents of the RR
Binary blob, no TLV (XXX Type Length Value).
2007-12-02
10
DNS query
QNAME: www.dnsop.org QCLASS: IN QTYPE: A Ask org NS
www.dnsop.org
Root Server
dnsop.org Server
2007-12-02
11
DNS Resolvers start at longest match on query name they have in cache when looking for data, and follow delegations until an answer or negative answer is received.
Longest match := if resolver has some of the right hand side delegations it will use them rather than start all queries at the root servers. DNS transactions are fast if servers are reachable.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
12
DNS data should reside in one place and one place only
at name, or at <prefix>.name zone wide defaults do not exist
the "zone" is an artificial boundary for management purpose
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
13
FACTS
Is not a default but a provisioning aid match ONLY non existing names expansion is terminated by existing names
do not expand past zone boundaries
2007-12-02
14
MYTHS
Record: *.example MX 10 mail.example
matches any name, below the name example !! supplies RR type to names present, missing MX RRs.
Is added to MX RRSet at a name
15
Wildcard Match
Contents of a zone:
*.example. TXT "this is a wildcard" www.example. A 127.0.0.1 jon.doe.example. A 127.0.0.2
example
Name doe.example exists w/o any RRtypes empty nonterminal Name tina.doe.example. will not be expanded from wildcard Name: tina.eod.example. Matched.
2007-12-02
16
Lame delegations:
Parent and children must stay in sync about name servers.
When a zone changes name servers it should send new set to parents.
2007-12-02
17
used a lot.
2007-12-02
18
Solution:
RFC3597 defines that all DNS servers and resolvers MUST
support unknown RR types and rules for defining them. suggests a common encoding in presentation format for them.
2007-12-02
19
2007-12-02
20
21
Existence proof:
Chain of NSEC or NSEC3 records lists all names in a zone and their RR types. (authentic proof/denial of existence)
22
spoof proof service location No need for protocol specific keying infrastructure other...
DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
23
24
2007-12-02
25
26
Service location (see above) and also depends on if accessed via local resource or more global one.
Enterprise vs site location No search
Distributed databases
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
27
28
SRV Record
mostly used in MS Active Directory and other OS specific applications
Also used by some IM application like Jabber.
2007-12-02
29
20 20 40
2007-12-02
30
31
NAPTR
Role: map name to set of services represented by URI SRV doesnt help
No local part No variable scheme
2007-12-02
32
NAPTR frameworks
NAPTR record does not stand on its own DDDS == Dynamic Delegation Discovery System
Used in ENUM and ONS (the RFID name space)
These create their own name spaces RFC 3401-3405
2007-12-02
33
34
Indirect RR:
CNAME, DNAME
Indirect DNS RR cause Resolver to change direction of search
Server must have special processing code
Terminal RR:
Address records
A, AAAA,
Informational
TXT, HINFO, KEY, SSHFP
carry information to applications
META:
OPT, TSIG, TKEY, SIG(0)
Not stored in DNS zones, only appear on wire
2007-12-02
35
36
37
2007-12-02
38
OLD Process:
1. 2. 3. 4. 5. Write an ID, get review by people that understand your protocol, update draft. Ask DNS experts (WG chairs) for quick review, update ID Ask WG(s) for review Submit to IESG, you get type code from IANA after IESG processes Advertise new type code
2007-12-02
39
Be compact, binary fields are fine Ask the experts for help early
DNSEXT and DNSOP chairs will help
2007-12-02
40
41
Individual sites
http://www.dns.net/dnsrd http://www.dnssec.net
2007-12-02
42
2007-12-02
43
Important ones
1034, 1035 Original specification 4033, 4034, 4035 DNSSEC 1123, 2181 Clarifications 3597, 2136, 1996, 1995, 3007 Major protocol enhancements 3833 Threat Analysis for DNS
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
44
End of talk
Extra information provided in background slides Questions & Comments
2007-12-02
45
Middle boxes have old DNS software or their own implementation that is non-compliant
Some Load balancers do stupid things, Applications interfaces refuse to ask for unknown types Assume world is still RFC1034/5 (i.e. 1987),
NO: AD bit, TSIG, OPT, NAPTR,
46
Bad delegations:
Timeouts may happen due to no reachable name servers
47
48
I.e. you cannot ask for, say, at most eight address records (A RRs) for a given name or for only those MX RRs with priority 10 or all TXT RRs containing "money". Some RR types are "containers", e.g.
KEY NAPTR TXT (the original) (with the RFC1464 convention)
Subtyping means that the application will have to select their RRs from the response, potentially dumping larger parts of the RRSet, depending on one or more secondary qualifiers buried within RDATA ENUM NAPTR overload
DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
2007-12-02
49
Subtyping should be avoided when designing new types Subtyping can be avoided by
dedicated types instead of type/subtype selector prefixes (cf SRV)
Method of choice depends on number and nature of subtypes expected and the necessity to deal with wildcards
2007-12-02
50
51
Facts:
1. Additional section processing is done in servers 2. Before updated servers are deployed RRtype aware resolvers need to do all work. 3. Not all authoritative servers may have the necessary glue 4. Glue may not fit 5. Recursive resolver may have data already 6. Roundtrips are cheap, 7. Lacy resolver writer will ASSUME additional section processing is done
Result:
Recursive Resolver has to be able to do work forever,
Moral: Do not attempt to optimize DNS, it causes more problems than you can imagine.
2007-12-02 DNS Tutorial @ IETF-70 ogud@ogud.com & pk@denic.de
52
2007-12-02
53
DNSSEC: impacts
Zones
become larger need periodic maintenance have to deal with key management
54