Professional Documents
Culture Documents
DNS
DNS
lafur Gumundsson
OGUD consulting
Peter Koch
DENIC eG
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
Tutorial Overview
Goal:
Give the audience basic understanding of DNS to be able to facilitate new uses of DNS
Location of slides:
http://stora.ogud.com/DNSTutorial.ppt
What is DNS?
DNS is one of the core Internet Protocols required for operation of the Internet Routing and DNS are the most important infrastructure protocols as without them nothing else will work DNS Provides:
Mapping from names to addresses Mechanism to store and retrieve information in a global data store
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
Data on wire is binary Domain names are case insensitive for [A-Z][a-z],
case sensitive for others ( exmple.com != exmple.com)
DNS tree
.
ORG
COM
DE
IS
UK
XXX
IETF
ogud
ISOC
DENIC
www
EDU
2005-11-06
DNS Terms
Domain name: any name represented in the DNS format
foo.bar.example. \032br.example. (\032 ==
ASCII space binary value)
Presentation format
each string between two "." (unless the dot is prefixed by \) i.e. foo.bar is 2 labels foo\.bar is 1 label a set of names that are under the same authority example.com and ftp.example.com, www.example.com Zone can be deeper than one label, like: .us, ENUM
Delegation:
Transfer of authority for a domain
example.org is a delegation from org the terms parent and child will be used.
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
TTL (Time To Live): The time an RRSet can be cached/reused by a non- authoritative server
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
DNS Elements
Resolver
stub: simple, only asks questions recursive: takes simple query and makes all necessary steps to get the full answer,
Server
authoritative: the servers that contain the zone file for a zone, one Primary, one or more Secondaries, caching: A recursive resolver that stores prior results and reuses them
Some perform both roles at the same time.
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
Clean
Explicit transfer of authority
Parent is authoritative for existence of delegation, Child is authoritative for contents.
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
Retransmission: built in
Resends timed out query to a different server.
2005-11-06
10
Type : MX, A, AAAA, NS CLASS: IN (other classes exist but not global) TTL: Time To Live in a cache RL: RD LENGTH: size of RDATA RDATA: The contents of the RR
Binary blob, no TLV (Type Length Value). DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
2005-11-06
11
OG4
Terminal RR:
Address records: A, AAAA, Informational: TXT, HINFO, KEY, SSHFP
carry information to applications
Non Terminal RR: MX, SRV, PTR, KX, A6, NAPTR, AFSDB
contain domain names that may lead to further queries.
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
12
Slide 12 OG4 Moved slide up and split DNS Internal types into DNS and DNSSEC types. Color coded types and reorderd some more.
Olafur Gudmundsson, 11/6/2005
[jhc] Give example of longest match I presume this is most labels from mostsignificant end? Got rid of DNS packets are small to avoid arguments and we said that eariler Revist Longest match sentence.
DNS Recursive Resolvers start at longest match on query name they have when looking for data, and follow delegations until an answer or a negative answer is received.
DNS transactions are fast if servers are reachable.
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
13
OG2
DNS query
QNAME: www.ietf.org QCLASS: IN QTYPE: A. Ask org NS
www.ietf.org
Root Server
Stub resolver
www.ietf.org A 65.256.255.51
Recursive Resolver
2005-11-06
14
Slide 14 OG2 Need to ungroup and rotate text, add question text and reformat some text boxes, realign lines and regroup.
Olafur Gudmundsson, 11/6/2005
FACTS
Match ONLY non existing names Expansion is terminated by existing names
Do not expand past zone boundaries Empty non-terminal name
No RRSets present at this name But the name exists
2005-11-06
15
16
Wildcard Match
Contents of a zone:
*.example. TXT "this is a wildcard" www.example. A 192.0.2.1 jon.doe.example. A 192.0.2.5
example
Name doe.example exists w/o any RRtypes empty nonterminal Name jane.doe.example. will not be expanded from wildcard Name: jane.eod.example. Matched.
2005-11-06
17
OG3
Lame delegations:
Parent and children must stay in sync about name servers. Secondary servers must keep up-to date with Primary.
problems areas: permissions, transfer protocol not getting through, clock synchronization, old/renumbered primary/secondary, etc.
18
Slide 18 OG3 This slide is in the wrong place should be with Operational problems I think
Olafur Gudmundsson, 11/6/2005
2005-11-06
Solution:
RFC3597 defines that all DNS servers and resolvers MUST
support unknown RR types and rules for defining them. suggests a common encoding in presentation format for them.
Deployment:
BIND-9, BIND-8.2.2, ANS, CNS, MS DNS-2003, DNSCache, NSD, PowerDNS, Net::DNS, DNSJava, DNSPython.
2005-11-06
20
21
Bad delegations:
NS out of date in parent NS contains random data to overcome registry requirements
22
2005-11-06
23
OG1
DNS data should reside in one place and one place only
at name, or at <prefix>.name zone wide defaults
there are no zone wide defaults, since the "zone" is an artificial boundary for management purpose
Some applications have said that if RR does not exist at name then look for zone default at apex,
Zone cut is hard to find by stub resolvers, hierarchy in naming does not necessarily imply hierarchy in network administration. Data at apex are also bad due to "apex overload
24
Slide 24 OG1 Not sure what tree climbing means in this context. Usually it refers to looking up z.y.x b.a from the least-significant end, with one label stripped off at each attempt (z then y then x ). This uses a lot of queries and will cause a long turn-around time for the query (from the end user s point of view). Few applications does this mean Some applications ? Or is the meaning that this is a Good Thing? Last bullet needs . or - after zone? Define apex overload . I think this needs to be spread over a couple of slides.
Olafur Gudmundsson, 11/6/2005
2005-11-06
25
Applications (or specialized API) will have to select their RRs from the response, potentially dumping larger parts of the RRSet, depending on one or more secondary qualifiers buried within RDATA
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
26
Method of choice depends on number and nature of subtypes expected and the necessity to deal with wildcards
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
27
28
Existence proof:
Chain of NSEC records lists all names in a zone and their RR types. (authentic proof/denial of existence)
29
DNSSEC: impacts
Zones
become larger need periodic maintenance have to deal with key management
2005-11-06
30
2005-11-06
31
32
20 20 40
2005-11-06
33
34
NAPTR
Other common task: Map name to URL SRV doesnt help
No local part No variable scheme
2005-11-06
35
2005-11-06
36
S-NAPTR
SRV and NAPTR combined (RFC 3958) Avoids application specific DDDS overhead NAPTR leads to more NAPTR or SRV SRVs lead to A (or AAAA)
2005-11-06
37
38
39
40
2005-11-06
41
42
2005-11-06
43
Provide tools to
convert new RR type from textual format to RFC3597 portable format for zone inclusion, Use dynamic update to provision new type RRSets
Good tools: Perl NET::DNS, DNSJava,
Modern Servers:
BIND-9, MS DNSServer2003, NSD, PowerDNS, ANS, CNS
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
44
Facts:
1. Additional section processing is done in servers 2. Before updated servers are deployed RR type aware resolvers need to do all work. 3. Not all authoritative servers may have the necessary additional records 4. Additional records may not fit 5. Recursive resolver may have data already 6. Roundtrips are cheap, 7. Lasy resolver writer will ASSUME additional section processing is done
Result:
Recursive Resolver has to be able to do work forever,
45
Important ones
1034, 1035 Original specification 4033, 4034, 4035 DNSSEC 1123, 2181 Clarifications 3597, 2136, 1996, 1995, 3007 Major protocol enhancements 3833 Threat Analysis for DNS
2005-11-06 DNS Tutorial @ IETF-64 ogud@ogud.com & pk@denic.de
46
Individual sites
http://www.dns.net/dnsrd http://www.dnssec.net
2005-11-06
47
More resources
DNS book list
http://www.networkingbooks.org/dns
2005-11-06
48