DNS Security

  • Information about APNIC Training courses can be found at: http://www.apnic.net/training/
  • In this section we will talk about the reverse DNS concepts in detail. Initially we will recap some of the fundamentals we covered in IRM1, and then we will go through how to create reverse zones and set up name servers. We will also explain the APNIC procedures for creating reverse delegations. IPv6 reverse delegations are also covered in this section before we conclude with the current status.
  • Overview: The aim of this section is to provide the reader with sufficient knowledge of the procedures involved in making reverse address mapping possible for a /24 and longer prefixes, for assignments spanning multiple /24s, and for /16 allocations. Details about changing and deleting an existing delegation are provided and common errors are described. What is Forward and Reverse Delegation? Applications such as ftp, e-mail, and telnet allow users to specify an Internet destination host as a domain name, such as www.sparkynet.my, as names are easier to remember than numbers. However, before an application can send IP packets, the IP address of the destination host must be determined. The Domain Name System (DNS) was thus devised to obtain the IP address for a given domain name. The inverse procedure, which produces the domain name from the IP address, is called reverse address mapping, and is the focus of this section.
  • Why is Reverse Delegation Necessary? In this example FTP is used to illustrate the need for reverse delegation. Many FTP sites want to know which domain is requesting access. If reverse delegation is correctly set up by the domain sending the packet, the accessed domain can successfully trace the packet back to its origin. (Name-based virtual hosts are an exception.) Hosts in address space that has not been reverse delegated may have problems accessing some FTP sites. Not setting up reverse address mapping correctly may have the following consequences: (a) users are blocked from various services (ftp, mail); (b) troubleshooting becomes more difficult, since lookups cannot find the name of a particular machine and the users cannot be identified; (c) more network traffic is generated as a result of failing lookups. It is the responsibility of APNIC members to make sure that all their address space is reverse delegated.
  • IN-ADDR.ARPA Domain Tree: Similar to the UNIX file system, the full name of an IP host is determined in a hierarchical fashion. For example, the administration of the top level domain my is performed by the ccTLD administrator. The subdomain sparkynet was delegated by them to Sparkynet, which uses the name www to refer to one of the hosts in its network. After the name www has been properly specified in the name server for sparkynet.my, the domain name www.sparkynet.my can be used to find its corresponding Internet host. The IN-ADDR.ARPA domain tree is described in more detail in Chapters 1 and 2 of O'Reilly's DNS and BIND, 4th Edition. Reverse delegation is still very classful: it takes place exclusively on octet (/8, /16 and /24) boundaries. The same mechanism is used in reverse and forward delegation, but the authority of delegation is somewhat different. In order to use the same mechanism as forward DNS, a special domain "in-addr.arpa" is created. The IP address has to be 'reversed' (written in reversed order) and suffixed by in-addr.arpa. E.g. in order to reverse map 202.64.22.1, it must become 1.22.64.202.in-addr.arpa.
  • The class field IN is optional.
  • The “file” statement is optional for a slave zone; it just names a back-up copy. The back-up copy is loaded first, before the zone is refreshed from the primary.
  • RFC 2317: This document describes a way to do IN-ADDR.ARPA delegation on non-octet boundaries for address spaces covering fewer than 256 addresses. The proposed method should thus remove one of the objections to subnetting on non-octet boundaries but, perhaps more significantly, make it possible to assign IP address space in smaller chunks than 24-bit prefixes without losing the ability to delegate authority for the corresponding IN-ADDR.ARPA mappings.
  • Error messages
    • "*ERROR*. SOA on 'ns.apnic.net' does not match SOA on 'svc00.apnic.net'. All nservers must respond with the same SOA." Some of the nameservers supplied could not be contacted, or some of them failed to respond appropriately (i.e., is a nameserver running on these hosts, and do they know about the zone in question?). This message is also generated when the list of nameservers that you supply to the form does not match the list of nameservers that you set up (on the nameservers in question). The comparison is done on a textual basis (i.e., supplying IP addresses won't work).
    • "*ERROR*. NS RR for ns.telstra.net found on svc00.apnic.net but not in supplied template." The machine abc.b.c.d is reported to be a nameserver for this domain by the machine xyz.b.c.d, but you did not list abc.b.c.d when submitting the form.
  • Lame delegations
    • Problems caused by lame delegations: delays in service binding for clients using affected address ranges; refusal of service due to failures during DNS processing; increased DNS traffic
    • Lame DNS reverse delegations affect the users of the network in question and unrelated third parties
    • Lame delegation removal procedure
      • Identify potential lameness (two points of test, AU & JP)
      • Test the DNS reverse delegation (15 day test period)
      • Attempt to notify the domain holder (45 day notice period)
      • Disable the lame DNS reverse delegation (if not corrected at the end of the notice period)
    • Applicable to each nameserver entry listed in domain objects. If all nserver entries in a particular domain object are disabled for persistent lameness, the entire domain will be withdrawn from the DNS, and reverse DNS lookups will terminate in the APNIC nameservers with an NXDOMAIN response
    • Details of all domains under test will be posted to the APNIC website
    • Reports to the DNS SIG at the APNIC open policy meeting, the DNS SIG mailing list and other bodies such as IEPG and NANOG: status of domain objects, the rate of administrative disabling and re-enabling, etc.
  • Add that NATs make something break
  • Resolving process
    1. The resolver asks the question to the caching forwarder
    2. The caching forwarder does not know the answer, and forwards the request to the root name server (“.”)
    3. The root answers with the name (and the address (glue)) of the gTLD server (since it’s not recursive…)
    4. The caching forwarder repeats the question (*)
    5. … gets the next referral answer
    6. … repeats the question (*) … until it gets the (authoritative) answer
    7. ns.ripe.net gives the IP address
    8. The caching forwarder gives the answer to the resolver
    9. The caching forwarder stores the answer in the cache (* actually, after steps 4 and 6 it does the same!)
    10. TTL determines how long the data is going to stay (valid) in the cache
  • DNS Security
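The comparison behind the two error messages and the lameness test described in the notes above, written out as an added example (it is not APNIC's code). The server answers are constructed in-line: the hostnames are the ones the error messages mention, but the SOA serials, the NS lists and the presence of a third server are made up, and no queries are sent anywhere.

```python
"""Delegation consistency checks of the kind described in the notes above,
reimplemented as an added example over constructed data (not APNIC's code)."""


def canon(name):
    """DNS names are compared textually and case-insensitively; normalise the
    trailing dot so 'ns.apnic.net' and 'NS.APNIC.NET.' compare equal."""
    return name.rstrip(".").lower() + "."


def check_delegation(zone, supplied_ns, responses):
    """Return a list of *ERROR* strings for one reverse delegation.

    supplied_ns: nameserver names entered in the form (the 'template').
    responses:   {server: {"aa": bool, "soa": (mname, serial) or None,
                           "ns": [names that server lists as NS for zone]}}
                 A server missing from responses, or with soa=None, could not
                 be contacted or did not answer the SOA query.
    """
    errors = []
    template = sorted({canon(n) for n in supplied_ns})

    # 1. Every listed server must answer, and answer authoritatively (else it is lame).
    answered = []
    for server in template:
        reply = responses.get(server)
        if reply is None or reply["soa"] is None:
            errors.append("*ERROR*. %s did not respond with the SOA for %s." % (server, zone))
        elif not reply["aa"]:
            errors.append("*ERROR*. %s is not authoritative for %s (lame delegation)." % (server, zone))
        else:
            answered.append(server)

    # 2. All servers must respond with the same SOA (compared textually, as the form does).
    for a, b in zip(answered, answered[1:]):
        if responses[a]["soa"] != responses[b]["soa"]:
            errors.append('*ERROR*. SOA on "%s" does not match SOA on "%s". '
                          "All nservers must respond with the same SOA." % (a, b))

    # 3. The NS set each server publishes must match the template exactly;
    #    an IP address in the template would never match a name, as the notes say.
    for server in answered:
        published = {canon(n) for n in responses[server]["ns"]}
        for extra in sorted(published - set(template)):
            errors.append("*ERROR*. NS RR for %s found on %s but not in supplied template." % (extra, server))
        for missing in sorted(set(template) - published):
            errors.append("*ERROR*. %s is in the supplied template but %s does not list it as NS." % (missing, server))
    return errors


# Constructed answers: svc00 is one serial behind and lists a third server
# that was not supplied in the template.
RESPONSES = {
    "ns.apnic.net.": {"aa": True, "soa": ("ns.apnic.net.", 2008022601),
                      "ns": ["ns.apnic.net.", "svc00.apnic.net."]},
    "svc00.apnic.net.": {"aa": True, "soa": ("ns.apnic.net.", 2008022501),
                         "ns": ["ns.apnic.net.", "svc00.apnic.net.", "ns.telstra.net."]},
}

if __name__ == "__main__":
    for line in check_delegation("22.64.202.in-addr.arpa.",
                                 ["ns.apnic.net", "svc00.apnic.net"], RESPONSES):
        print(line)
```

Run against the constructed answers it reports exactly the two conditions the notes describe: the SOA mismatch between the two servers and the NS record for ns.telstra.net that the form was never told about.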

    1. DNS/DNS Security Tutorial. 03 April 2008, Jakarta, Indonesia. APJII Open Policy Meeting
    2. Acknowledgements
      • Bill Manning
      • Ed Lewis
      • Joe Abley
      • Olaf M. Kolkman
    3. Introduction to DNS
    4. Naming History
      • 1970s ARPANET
        • Host.txt maintained by the SRI-NIC
        • pulled from a single machine
        • Problems
          • traffic and load
          • name collisions
          • consistency
      • DNS created in 1983 by Paul Mockapetris (RFCs 1034 and 1035), modified, updated, and enhanced by a myriad of subsequent RFCs
    5. DNS
      • A lookup mechanism for translating objects into other objects
      • A globally distributed, loosely coherent, scalable, reliable, dynamic database
      • Comprised of three components
        • A “name space”
        • Servers making that name space available
        • Resolvers (clients) which query the servers about the name space
    6. DNS Features: Global Distribution
      • Data is maintained locally, but retrievable globally
        • No single computer has all DNS data
      • DNS lookups can be performed by any device
      • Remote DNS data is locally cacheable to improve performance
    7. DNS Features: Loose Coherency
      • The database is always internally consistent
        • Each version of a subset of the database (a zone) has a serial number
          • The serial number is incremented on each database change
      • Changes to the master copy of the database are replicated according to timing set by the zone administrator
      • Cached data expires according to a timeout set by the zone administrator
    8. DNS Features: Scalability
      • No limit to the size of the database
        • One server has over 20,000,000 names
          • Not a particularly good idea
      • No limit to the number of queries
        • 24,000 queries per second handled easily
      • Queries distributed among masters, slaves, and caches
    9. DNS Features: Reliability
      • Data is replicated
        • Data from the master is copied to multiple slaves
      • Clients can query
        • The master server
        • Any of the copies at slave servers
      • Clients will typically query local caches
    10. DNS Features: Dynamicity
      • The database can be updated dynamically
        • Add/delete/modify of any record
      • Modification of the master database triggers replication
        • Only the master can be dynamically updated
          • Creates a single point of failure
    11. Concept: DNS Names
      • How names appear in the DNS
        • Fully Qualified Domain Name (FQDN)
          • WWW.APNIC.NET.
        • labels separated by dots
      • DNS provides a mapping from FQDNs to resources of several types
      • Names are used as a key when fetching data in the DNS
    12. Concept: DNS Names contd.
      • Domain names can be mapped to a tree
      • New branches at the ‘dots’
      (figure: DNS tree with the Root at the top, net, com, org and the ccTLDs below it, apnic under net, and whois, ftp, www and iana as leaves)
    13. Concept: Resource Records
      • The DNS maps names into data using Resource Records.
      • More detail later
      (figure: the record www.apnic.net. … A 10.10.10.2, annotated as an Address Resource Record)
    14. Concept: Domains
      • Domains are “namespaces”
      • Everything below .com is in the com domain
      • Everything below apnic.net is in the apnic.net domain and in the net domain
    15. Concept: Domains
      (figure: tree with the labels net, com, edu, apnic, www, isi, tislabs, training, ns1, ns2, ftp, sun, moon, google; the net domain, the com domain and the apnic.net domain are outlined)
    16. Delegation
      • Administrators can create subdomains to group hosts
        • According to geography, organizational affiliation or any other criterion
      • An administrator of a domain can delegate responsibility for managing a subdomain to someone else
        • But this isn’t required
      • The parent domain retains links to the delegated subdomain
        • The parent domain “remembers” who it delegated the subdomain to
    17. Concept: Zones and Delegations
      • Zones are “administrative spaces”
      • Zone administrators are responsible for a portion of a domain’s name space
      • Authority is delegated from a parent to a child
    18. Concept: Zones and Delegations
      (figure: the same tree, with the net zone, the apnic.net zone and the training.apnic.net zone outlined as separate administrative spaces inside the net domain)
    19. Concept: Name Servers
      • Name servers answer ‘DNS’ questions
      • Several types of name servers
        • Authoritative servers
          • master (primary)
          • slave (secondary)
        • (Caching) recursive servers
          • also caching forwarders
        • Mixture of functionality
    20. Concept: Name Servers contd.
      • Authoritative name server
        • Gives authoritative answers for one or more zones
        • The master server normally loads the data from a zone file
        • A slave server normally replicates the data from the master via a zone transfer
    21. Concept: Name Servers contd.
      • Authoritative name server
      (figure: one master replicating to two slaves)
    22. Concept: Name Servers contd.
      • Recursive server
        • Does the actual lookups; asks questions to the DNS on behalf of the clients
        • Answers are obtained from authoritative servers, but the answers forwarded to the clients are marked as not authoritative
        • Answers are stored for future reference in the cache
    23. Concept: Resolvers
      • Resolvers ask the questions to the DNS system on behalf of the application
      • Normally implemented in a system library (e.g. libc)
        • gethostbyname(char *name);
        • gethostbyaddr(char *addr, int len, type);
    24. Concept: Resolving process & Cache
      (figure: message sequence between resolver, caching forwarder and authoritative servers)
      • Resolver -> caching forwarder (recursive): www.apnic.net A ?
      • Caching forwarder -> root-server: www.apnic.net A ?
      • root-server -> caching forwarder: Ask net server @ X.gtld-servers.net (+ glue)
      • Caching forwarder -> gtld-server: www.apnic.net A ?
      • gtld-server -> caching forwarder: Ask apnic server @ ns.apnic.net (+ glue)
      • Caching forwarder -> apnic-server: www.apnic.net A ?
      • apnic-server -> caching forwarder: 192.168.5.10
      • Caching forwarder -> resolver: 192.168.5.10, and the answer is added to the cache
    25. Concept: Resource Records
      • A resource record consists of its name, its TTL, its class, its type and its RDATA
      • TTL is a timing parameter
      • The IN class is the most widely used
      • There are multiple types of RR records
      • Everything behind the type identifier is called rdata
        Label            ttl   class  type  rdata
        www.apnic.net.   3600  IN     A     10.10.10.2
    26. Example: RRs in a zone file
        apnic.net.         7200  IN  SOA  ns.apnic.net. admin.apnic.net. (
                                          2008022601 ; Serial
                                          12H        ; Refresh 12 hours
                                          4H         ; Retry 4 hours
                                          4D         ; Expire 4 days
                                          2H )       ; Negative cache 2 hours
        apnic.net.         7200  IN  NS   ns.apnic.net.
        apnic.net.         7200  IN  NS   ns.ripe.net.
        whois.apnic.net.   3600  IN  A    193.0.1.162
        host25.apnic.net.  2600  IN  A    193.0.3.25
        (columns: Label, ttl, class, type, rdata)
    27. Resource Record: SOA and NS
      • The SOA and NS records are used to provide information about the zone itself
      • The NS indicates where information about a given zone can be found
          apnic.net. 7200 IN NS ns.apnic.net.
          apnic.net. 7200 IN NS ns.ripe.net.
      • The SOA record provides information about the start of authority, i.e. the top of the zone, also called the APEX
    28. Concept: TTL and other Timers
      • TTL is a timer used in caches
        • An indication of how long the data may be reused
        • Data that is expected to be ‘stable’ can have high TTLs
      • SOA timers are used for maintaining consistency between primary and secondary servers
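The resolving sequence on slide 24, the numbered walk-through in the speaker notes and the TTL rule on slide 28, simulated as an added example (this is not code from the tutorial). The miniature tree is constructed: 198.41.0.4 is the a.root-servers.net address from the hints file shown later in the deck, the 192.0.2.x server addresses and the 192.168.5.x answers are made up, and `authoritative_answer` stands in for the network.

```python
"""Iterative resolution by a caching forwarder, with TTL-bounded caching of both
answers and referrals. Added example over a constructed miniature of the tree on
the slides; only 198.41.0.4 (a.root-servers.net) is a real address."""

ROOT_HINTS = ["198.41.0.4"]  # what the hints file gives the forwarder to start from

# Authoritative data keyed by server address. "delegations" maps a child zone to
# its NS names with glue and the TTL of that referral. All constructed.
SERVERS = {
    "198.41.0.4": {   # root server: only knows who serves net.
        "records": {},
        "delegations": {"net.": ([("x.gtld-servers.net.", "192.0.2.10")], 172800)},
    },
    "192.0.2.10": {   # gTLD server for net.: only knows who serves apnic.net.
        "records": {},
        "delegations": {"apnic.net.": ([("ns.apnic.net.", "192.0.2.53")], 86400)},
    },
    "192.0.2.53": {   # authoritative for apnic.net.
        "records": {("www.apnic.net.", "A"): [("192.168.5.10", 3600)],
                    ("ftp.apnic.net.", "A"): [("192.168.5.11", 600)]},
        "delegations": {},
    },
}


def authoritative_answer(server_ip, qname, qtype):
    """What one authoritative (non-recursive) server says: an answer, a referral
    to the closest delegation it knows about, or nxdomain."""
    data = SERVERS[server_ip]
    if (qname, qtype) in data["records"]:
        return "answer", data["records"][(qname, qtype)]
    for child in sorted(data["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            nslist, ttl = data["delegations"][child]
            return "referral", (child, nslist, ttl)
    return "nxdomain", None


class CachingForwarder:
    def __init__(self, clock):
        self.clock = clock          # callable returning "now" in seconds
        self.cache = {}             # (qname, qtype) -> (rdata list, expiry)
        self.ns_cache = {}          # zone -> ([(ns, glue)], expiry)
        self.queries_sent = 0

    def _start_servers(self, qname, now):
        """Steps 4 and 6 of the walk-through cache the referrals too: start at the
        closest enclosing delegation still valid in cache, else at the root."""
        labels = qname.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) or "."
            hit = self.ns_cache.get(zone)
            if hit and hit[1] > now:
                return [glue for _, glue in hit[0]]
        return list(ROOT_HINTS)

    def resolve(self, qname, qtype="A"):
        """Return (rdata list, source); source is 'cache', 'authoritative' or
        'nxdomain'. Cached answers are handed out as non-authoritative."""
        now = self.clock()
        hit = self.cache.get((qname, qtype))
        if hit and hit[1] > now:
            return hit[0], "cache"
        servers = self._start_servers(qname, now)
        for _ in range(16):                      # bound the referral chain
            self.queries_sent += 1
            kind, data = authoritative_answer(servers[0], qname, qtype)
            if kind == "answer":
                rdata = [r for r, _ in data]
                self.cache[(qname, qtype)] = (rdata, now + min(t for _, t in data))
                return rdata, "authoritative"
            if kind == "referral":
                zone, nslist, ttl = data
                self.ns_cache[zone] = (nslist, now + ttl)
                servers = [glue for _, glue in nslist]
            else:                                # no negative caching in this toy
                return [], "nxdomain"
        raise RuntimeError("referral loop for " + qname)


class Clock:
    """Adjustable clock so TTL expiry can be shown without waiting."""
    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = Clock()
    fwd = CachingForwarder(clock.now)
    print(fwd.resolve("www.apnic.net."), fwd.queries_sent)   # root, gtld, apnic: 3 queries
    print(fwd.resolve("www.apnic.net."), fwd.queries_sent)   # served from cache
    clock.advance(3600)                                       # the 3600 s TTL has run out
    print(fwd.resolve("www.apnic.net."), fwd.queries_sent)   # refetched from ns.apnic.net only
```

The third lookup after the TTL has expired costs one query, not three, because the referral for apnic.net. (TTL 86400) is still in the forwarder's cache; that is the point the speaker notes make in the aside after step 9.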
    29. Places where DNS data lives
      • Changes do not propagate instantly
      (figure: Registry DB -> Master -> Slave server / Slave -> Cache server)
        • Upload of zone data from the registry DB to the master is local policy
        • A slave might take up to ‘refresh’ to get data from the master
        • A cache is not going to the net while TTL > 0
    30. To remember...
      • Multiple authoritative servers to distribute load and risk:
        • Put your name servers apart from each other
      • Caches to reduce load on authoritative servers and reduce response times
      • SOA timers and TTL need to be tuned to the needs of the zone. Stable data: higher numbers
    31. What have we learned so far
      • We learned about the architectures of
        • resolvers,
        • caching forwarders,
        • authoritative servers,
        • timing parameters
      • We continue with writing a zone file
    32. Writing a zone file
      • The zone file is written by the zone administrator
      • The zone file is read by the master server and its content is replicated to slave servers
      • What is in the zone file will end up in the database
      • Because of timing issues it might take some time before the data is actually visible at the client side
    33. First attempt
      • The ‘header’ of the zone file
        • Start with a SOA record
        • Include authoritative name servers and, if needed, glue
        • Add other information
      • Add other RRs
      • Delegate to other zones
    34. Authoritative NS records and related A records
      • NS record for all the authoritative servers
        • They need to carry the zone at the moment you publish
      • A records only for “in-zone” name servers
        • Delegating NS records might have glue associated
        apnic.net.      3600  IN  NS  NS1.apnic.net.
        apnic.net.      3600  IN  NS  NS2.apnic.net.
        NS1.apnic.net.  3600  IN  A   203.0.0.4
        NS2.apnic.net.  3600  IN  A   193.0.0.202
    35. Other ‘APEX’ data
        apnic.net.  3600  IN  MX   50  mailhost.apnic.net.
        apnic.net.  3600  IN  MX   150 mailhost2.apnic.net.
        apnic.net.  3600  IN  TXT  “Demonstration and test zone”
      • SMTP uses MX records to find the destination mail server
      • If a mail is sent to admin@apnic.net the sending mail agent looks up ‘apnic.net MX’
      • The MX record contains mail relays with priority
        • The lower the number the higher the priority
      • Don’t add MX records without having a mail relay configured
    36. Other data in the zone
      • Add all the other data to your zone file
      • Some notes on notation
        • Note the fully qualified domain name including the trailing dot
        • Note TTL and CLASS
        localhost.apnic.net.  3600  IN  A      127.0.0.1
        NS1.apnic.net.        4500  IN  A      203.0.0.4
        www.apnic.net.        3600  IN  CNAME  wasabi.apnic.net.
        apnic.net.            3600  IN  MX     50 mail.apnic.net.
    37. Zone file format short cuts: nice formatting
        apnic.net.            3600  IN  SOA    NS1.apnic.net. admin.email.apnic.net. (
                                               2008022601  ; serial
                                               1h          ; refresh
                                               30M         ; retry
                                               1W          ; expiry
                                               3600 )      ; neg. answ. ttl
        apnic.net.            3600  IN  NS     NS1.apnic.net.
        apnic.net.            3600  IN  NS     NS2.apnic.net.
        apnic.net.            3600  IN  MX     50 mail.apnic.net.
        apnic.net.            3600  IN  MX     150 mailhost2.apnic.net.
        apnic.net.            3600  IN  TXT    “Demonstration and test zone”
        NS1.apnic.net.        4500  IN  A      203.0.0.4
        NS2.apnic.net.        3600  IN  A      193.0.0.202
        localhost.apnic.net.  3600  IN  A      127.0.0.1
        www.apnic.net.        3600  IN  CNAME  IN.apnic.net.
    38. Zone file short cuts: repeating last name
        apnic.net.            3600  IN  SOA    NS1.apnic.net. admin.email.apnic.net. (
                                               2008022601  ; serial
                                               1h          ; refresh
                                               30M         ; retry
                                               1W          ; expiry
                                               3600 )      ; neg. answ. ttl
                              3600  IN  NS     NS1.apnic.net.
                              3600  IN  NS     NS2.apnic.net.
                              3600  IN  MX     50 mail.apnic.net.
                              3600  IN  MX     150 mailhost2.apnic.net.
                              3600  IN  TXT    “Demonstration and test zone”
        NS1.apnic.net.        3600  IN  A      203.0.0.4
        NS2.apnic.net.        3600  IN  A      193.0.0.202
        localhost.apnic.net.  4500  IN  A      127.0.0.1
        www.apnic.net.        3600  IN  CNAME  IN.apnic.net.
    39. Zone file short cuts: default TTL
        $TTL 3600   ; Default TTL directive
        apnic.net.                  IN  SOA    NS1.apnic.net. admin.email.apnic.net. (
                                               2008022601  ; serial
                                               1h          ; refresh
                                               30M         ; retry
                                               1W          ; expiry
                                               3600 )      ; neg. answ. ttl
                                    IN  NS     NS1.apnic.net.
                                    IN  NS     NS2.apnic.net.
                                    IN  MX     50 mail.apnic.net.
                                    IN  MX     150 mailhost2.apnic.net.
                                    IN  TXT    “Demonstration and test zone”
        NS1.apnic.net.              IN  A      203.0.0.4
        NS2.apnic.net.              IN  A      193.0.0.202
        localhost.apnic.net.  4500  IN  A      127.0.0.1
        www.apnic.net.              IN  CNAME  NS1.apnic.net.
    40. Zone file short cuts: ORIGIN
        $TTL 3600   ; Default TTL directive
        $ORIGIN apnic.net.
        @                IN  SOA    NS1 admin.email.apnic.net. (
                                    2008022601  ; serial
                                    1h          ; refresh
                                    30M         ; retry
                                    1W          ; expiry
                                    3600 )      ; neg. answ. ttl
                         IN  NS     NS1
                         IN  NS     NS2
                         IN  MX     50 mailhost
                         IN  MX     150 mailhost2
                         IN  TXT    “Demonstration and test zone”
        NS1              IN  A      203.0.0.4
        NS2              IN  A      193.0.0.202
        localhost  4500  IN  A      127.0.0.1
        www              IN  CNAME  NS1
    41. Zone file short cuts: Eliminate IN
        $TTL 3600   ; Default TTL directive
        $ORIGIN apnic.net.
        @                SOA    NS1 admin.email.sanog.org. (
                                2008022601  ; serial
                                1h          ; refresh
                                30M         ; retry
                                1W          ; expiry
                                3600 )      ; neg. answ. ttl
                         NS     NS1
                         NS     NS2
                         MX     50 mailhost
                         MX     150 mailhost2
                         TXT    “Demonstration and test zone”
        NS1              A      203.0.0.4
        NS2              A      193.0.0.202
        localhost  4500  A      127.0.0.1
        www              CNAME  NS1
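To show what the short cuts on slides 37 to 41 actually mean, here is a small zone-file reader, added as an example (it is not BIND's parser), that expands $TTL, $ORIGIN, @, the repeated owner name, the implicit IN class and multi-line parentheses back into fully qualified records. The two sample zones are constructed from the slides: the short form of slide 41 (with admin.email.apnic.net. as the contact, and the second MX and the NS2 address record left out for brevity) and the equivalent long form of slide 37; parsing both gives the same record list.

```python
"""Zone-file reader that expands the short cuts on the slides ($TTL, $ORIGIN, @,
repeated owner name, implicit IN, multi-line parentheses) into fully qualified
records. Added example, not BIND's parser; both sample zones are constructed
from the slides (second MX and the NS2 address record left out for brevity)."""
import re

_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_CLASSES = {"IN", "CH", "HS"}
_NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}

def parse_ttl(text):
    """'3600' -> 3600, '30M' -> 1800, '1W' -> 604800 (BIND unit suffixes)."""
    parts = re.findall(r"(\d+)([smhdw]?)", text.lower())
    if "".join(n + u for n, u in parts) != text.lower():
        raise ValueError("bad TTL %r" % text)
    return sum(int(n) * _UNIT[u] for n, u in parts)

def absolutize(name, origin):
    """'@' is the origin; a name without a trailing dot gets $ORIGIN appended."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    assert origin is not None, "relative name %r without $ORIGIN" % name
    return name + "." + origin

def _tokens(line):
    """Quoted strings stay whole, '(' and ')' are tokens, ';' starts a comment."""
    out = []
    for tok in re.findall(r'"[^"]*"|[()]|;.*|[^\s();"]+', line):
        if tok.startswith(";"):
            break
        out.append(tok)
    return out

def parse_zone(text, origin=None):
    """Return [(owner, ttl, class, type, rdata)] with every name fully qualified
    and SOA timers in seconds, so that long and short forms compare equal."""
    records, default_ttl, last_owner = [], None, None
    logical, depth, indented = [], 0, False
    for raw in text.splitlines():
        toks = _tokens(raw)
        if depth == 0:
            if not toks:
                continue
            logical, indented = [], raw[0].isspace()   # blank owner: repeat last
        logical.extend(toks)
        depth += toks.count("(") - toks.count(")")
        if depth > 0:
            continue                                   # still inside ( ... )
        toks = [t for t in logical if t not in ("(", ")")]
        if toks[0].upper() == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0].upper() == "$ORIGIN":
            origin = absolutize(toks[1], origin)
            continue
        owner = last_owner if indented else absolutize(toks.pop(0), origin)
        assert owner is not None, "record without an owner name"
        ttl, rclass = None, "IN"                       # IN is the default class
        while toks and (toks[0].upper() in _CLASSES or re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0])):
            field = toks.pop(0)
            if field.upper() in _CLASSES:
                rclass = field.upper()
            else:
                ttl = parse_ttl(field)
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in _NAME_FIELDS.get(rtype, ()):
            rdata[i] = absolutize(rdata[i], origin)
        if rtype == "SOA":
            rdata[3:7] = [str(parse_ttl(t)) for t in rdata[3:7]]
        ttl = default_ttl if ttl is None else ttl
        assert ttl is not None, "no TTL for %s and no $TTL directive" % owner
        records.append((owner, ttl, rclass, rtype, " ".join(rdata)))
        last_owner = owner
    return records

SHORT_FORM = """\
$TTL 3600   ; Default TTL directive
$ORIGIN apnic.net.
@   SOA NS1 admin.email.apnic.net. (
        2008022601 1h 30M   ; serial, refresh, retry
        1W 3600 )           ; expiry, neg. answ. ttl
    NS  NS1
    NS  NS2
    MX  50 mailhost
    TXT "Demonstration and test zone"
NS1 A 203.0.0.4
localhost 4500 A 127.0.0.1
www CNAME NS1
"""

LONG_FORM = """\
apnic.net. 3600 IN SOA NS1.apnic.net. admin.email.apnic.net. ( 2008022601 1h 30M 1W 3600 )
apnic.net. 3600 IN NS NS1.apnic.net.
apnic.net. 3600 IN NS NS2.apnic.net.
apnic.net. 3600 IN MX 50 mailhost.apnic.net.
apnic.net. 3600 IN TXT "Demonstration and test zone"
NS1.apnic.net. 3600 IN A 203.0.0.4
localhost.apnic.net. 4500 IN A 127.0.0.1
www.apnic.net. 3600 IN CNAME NS1.apnic.net.
"""
```

`parse_zone(SHORT_FORM) == parse_zone(LONG_FORM)` holds, which is exactly the claim slides 37 to 41 make: the short cuts change the text, not the records. The owner-name rule is the one that trips people up in practice: a record is a continuation of the previous owner only when the line starts with whitespace, so an accidentally unindented line silently becomes a new owner.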
    42. Delegating a zone (becoming a parent)
      • Delegate authority for a sub domain to another party (splitting off training.apnic.net from apnic.net)
      (figure: the tree from slide 18, with the apnic.net zone and the training.apnic.net zone outlined)
    43. Concept: Glue
      • Delegation is done by adding NS records:
          training.apnic.net. NS ns1.training.apnic.net.
          training.apnic.net. NS ns2.training.apnic.net.
          training.apnic.net. NS ns1.apnic.net.
          training.apnic.net. NS ns2.apnic.net.
      • How to get to ns1 and ns2… We need the addresses
      • Add glue records so that resolvers can reach ns1 and ns2
          ns1.training.apnic.net. A 10.0.0.1
          ns2.training.apnic.net. A 10.0.0.2
    44. Concept: Glue contd.
      • Glue is ‘non-authoritative’ data
      • Don’t include glue for servers that are not in sub zones
          training.apnic.net. NS ns1.training.apnic.net.
          training.apnic.net. NS ns2.training.apnic.net.
          training.apnic.net. NS ns2.apnic.net.
          training.apnic.net. NS ns1.apnic.net.
          ns1.training.apnic.net. A 10.0.0.1
          ns2.training.apnic.net. A 10.0.0.2
        (callout on the slide: “Only this record needs glue”)
    45. Delegating training.apnic.net. from apnic.net.
      • training.apnic.net
        • Set up a minimum of two servers
        • Create the zone file with NS records
        • Add all training.apnic.net data
      • apnic.net
        • Add NS records and glue
        • Make sure there is no other data from the training.apnic.net. zone in the zone file
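A check for the glue rules on slides 43 to 45, added as an example that is not part of the tutorial: for each NS record of the delegation it decides whether the nameserver lies inside the sub zone (and so needs a glue address in the parent's file), and it flags any other training.apnic.net. data left in the parent's file, which is the last point on slide 45. The record list is constructed from slide 44, with address records for ns1/ns2.apnic.net. added and one deliberately misplaced www.training.apnic.net. record.

```python
"""Check a parent zone's delegation records for the glue rules on the slides:
glue only for nameservers inside the child zone, and no other child-zone data
left in the parent's file. Added example (not BIND's checker); the record list
is constructed from the training.apnic.net. slides plus one deliberate stray."""


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def check_delegation_glue(parent, child, records):
    """records: (owner, type, rdata) tuples as they appear in the parent's zone file.
    Returns a report dict; 'problems' is empty when the delegation is clean."""
    if not in_zone(child, parent):
        raise ValueError("%s is not below %s" % (child, parent))
    ns_targets = [r for o, t, r in records if o == child and t == "NS"]
    addr_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    report = {"delegation": ns_targets, "glue": [], "missing_glue": [],
              "below_cut": [], "problems": []}
    for target in ns_targets:
        if in_zone(target, child):                       # in the sub zone: needs glue
            bucket = "glue" if target in addr_owners else "missing_glue"
            report[bucket].append(target)
        elif in_zone(target, parent) and target not in addr_owners:
            # the parent's own authoritative data, not glue, but it still has to exist
            report["problems"].append("%s is served by this zone but has no address record" % target)
    for owner, rtype, _ in records:
        is_cut = owner == child and rtype == "NS"
        is_glue = rtype in ("A", "AAAA") and owner in report["glue"]
        if in_zone(owner, child) and not is_cut and not is_glue:
            report["below_cut"].append((owner, rtype))   # belongs in the child's file
    if len(ns_targets) < 2:
        report["problems"].append("fewer than two nameservers for " + child)
    for target in report["missing_glue"]:
        report["problems"].append("no glue address for " + target)
    for owner, rtype in report["below_cut"]:
        report["problems"].append("%s %s belongs in the %s zone file, not here" % (owner, rtype, child))
    return report


# Constructed from slide 44; the last record is a deliberate mistake.
PARENT_RECORDS = [
    ("training.apnic.net.", "NS", "ns1.training.apnic.net."),
    ("training.apnic.net.", "NS", "ns2.training.apnic.net."),
    ("training.apnic.net.", "NS", "ns1.apnic.net."),
    ("training.apnic.net.", "NS", "ns2.apnic.net."),
    ("ns1.training.apnic.net.", "A", "10.0.0.1"),   # glue
    ("ns2.training.apnic.net.", "A", "10.0.0.2"),   # glue
    ("ns1.apnic.net.", "A", "203.0.0.4"),           # ordinary apnic.net. data, not glue
    ("ns2.apnic.net.", "A", "193.0.0.202"),
    ("www.training.apnic.net.", "A", "10.0.0.80"),  # stray: belongs in the child zone
]

if __name__ == "__main__":
    report = check_delegation_glue("apnic.net.", "training.apnic.net.", PARENT_RECORDS)
    print("glue needed for:", report["glue"])
    for problem in report["problems"]:
        print("problem:", problem)
```

Only the two servers whose names end in training.apnic.net. are reported as needing glue; ns1.apnic.net. and ns2.apnic.net. are the parent's own data and are never treated as glue, which is what slide 44 means by not including glue for servers that are not in the sub zone.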
    46. Questions?
    47. BIND Installation
    48. Overview
      • Retrieving BIND
      • Building and Installing BIND
      • Mailing Lists
    49. Retrieving BIND
      • HTTP, FTP
        • Internet Systems Consortium
          • http://www.isc.org
      • Other packages
        • OpenSSL
          • Will be needed for DNSSEC
    50. BIND
      • Version 8
        • In use, available, obsolete
        • Don't start to use it
        • Migrate to Version 9
      • Version 9
        • Current version (9.4.2)
          • Release
          • Release Candidate (Betas)
          • Snapshots (Alphas)
        • Never use snapshots on production servers
    51. Getting BIND 9
      • HTTP
        • http://www.isc.org/products/BIND/
        • http://www.isc.org/products/BIND/bind9.html
          • BIND 9.4.2 today
      • FTP
        • ftp.isc.org - anonymous
        • Change directory to /isc/bind9
          • cd 9.4.2
        • ftp://ftp.isc.org/isc/bind9/9.4.2/bind-9.4.2.tar.gz
    52. Overview
      • Retrieving BIND
      • Building and Installing BIND
      • Mailing Lists
    53. Unpacking BIND9
      • tar -xvzf bind-9.4.2.tar.gz
        • Uncompresses and creates the directory
        • bind-9.4.2
      • What's in there?
        • A lot of stuff (dig, libraries etc.)
        • ./configure (script)
        • ./doc/arm/Bv9ARM.html
          • Administrator's Reference Manual
          • Good source!!!
    54. Building BIND9
      • Must be in the BIND 9.4.2 directory
      • > ./configure (options)
        • Determines the appropriate includes and compiler settings
      • > make
        • Build and compile
      • > make install
        • sudo (if not root)
        • Installs BIND
    55. What happens
      • Executables
        • /usr/local/sbin
          • dnssec-keygen, dnssec-makekeyset, dnssec-signkey, dnssec-signzone
          • lwresd, named-checkconf, named-checkzone
          • rndc, rndc-confgen
          • named
        • /usr/local/bin
          • dig
          • host, isc-config.sh, nslookup
          • nsupdate
      • And libraries included
    56. Testing
      • Make sure the right version is now installed
        • > named -v
        • BIND 9.4.2
    57. Overview
      • Retrieving BIND
      • Building, Installing BIND
      • Mailing Lists
    58. BIND 9 Mailing Lists
      • Joining mail lists
        • http://www.isc.org/services/public/lists/bind-lists.html
        • bind9-users, bind-announce
        • (bind-users is for bind8)
      • Archives
        • http://www.isc.org/ml-archives/
    59. Questions?
    60. 60. Recursive Server
    61. 61. Overview <ul><li>Recursive Service </li></ul><ul><li>Root server list </li></ul><ul><li>localhost </li></ul><ul><li>0.0.127.in-addr.arpa </li></ul><ul><li>named.conf </li></ul>
    62. 62. Recursive Server <ul><li>Used to lookup data by applications </li></ul><ul><li>Needs to know how to reach top of DNS </li></ul><ul><li>Also should stop some queries </li></ul><ul><ul><li>localhost, 127.0.0.1 </li></ul></ul><ul><li>Files </li></ul><ul><ul><li>named.conf </li></ul></ul><ul><ul><li>root.hints </li></ul></ul><ul><ul><li>localhost zone </li></ul></ul><ul><ul><li>0.0.127.in-addr.arpa zone </li></ul></ul><ul><li>We'll do named.conf last </li></ul>
    63. 63. Root server list <ul><li>List of the 13 root server records </li></ul><ul><li>Where to get it </li></ul><ul><ul><li>ftp rs.internic.net </li></ul></ul><ul><ul><ul><li>anonymous login </li></ul></ul></ul><ul><ul><ul><li>cd domain </li></ul></ul></ul><ul><ul><ul><li>get one of these files (they are [nearly] the same) </li></ul></ul></ul><ul><ul><ul><ul><li>db.cache </li></ul></ul></ul></ul><ul><ul><ul><ul><li>named.root </li></ul></ul></ul></ul><ul><ul><ul><ul><li>named.cache </li></ul></ul></ul></ul>
    64. 64. What it looks like <ul><li>; This file holds the information on root name servers needed to </li></ul><ul><li>; initialize cache of Internet domain name servers </li></ul><ul><li>; (e.g. reference this file in the &quot;cache . <file>&quot; </li></ul><ul><li>; configuration file of BIND domain name servers). </li></ul><ul><li>; </li></ul><ul><li>; This file is made available by InterNIC </li></ul><ul><li>; under anonymous FTP as </li></ul><ul><li>; file /domain/named.cache </li></ul><ul><li>; on server FTP.INTERNIC.NET </li></ul><ul><li>; </li></ul><ul><li>; last update: Nov 5, 2002 </li></ul><ul><li>; related version of root zone: 2002110501 </li></ul><ul><li>; </li></ul><ul><li>; </li></ul><ul><li>; formerly NS.INTERNIC.NET </li></ul><ul><li>; </li></ul><ul><li>. 3600000 IN NS A.ROOT-SERVERS.NET. </li></ul><ul><li>A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 </li></ul><ul><li>; </li></ul><ul><li>................. </li></ul><ul><li>; housed in Japan, operated by WIDE </li></ul><ul><li>; </li></ul><ul><li>. 3600000 NS M.ROOT-SERVERS.NET. </li></ul><ul><li>M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 </li></ul><ul><li>; End of File </li></ul>
    65. 65. What you do to this file (hints file) <ul><li>Nothing </li></ul><ul><li>You will refer to it in named.conf using a zone statement </li></ul><ul><li>In real networks, don't change it </li></ul><ul><ul><li>But for learning, we will change it </li></ul></ul>
    66. 66. localhost <ul><li>Loopback name in operating systems </li></ul><ul><li>Means 127.0.0.1 </li></ul><ul><li>Queries for this shouldn't use recursion </li></ul><ul><li>So we will configure a file to define the localhost. zone </li></ul><ul><ul><li>Note the &quot;.&quot; </li></ul></ul>
    67. 67. localhost file <ul><li>$TTL 86400 </li></ul><ul><li>@ IN SOA localhost. root.localhost. ( </li></ul><ul><li>1 ; serial </li></ul><ul><li>1800 ; refresh </li></ul><ul><li>900 ; retry </li></ul><ul><li>69120 ; expire </li></ul><ul><li>1080 ; negative cache ttl </li></ul><ul><li>) </li></ul><ul><li>NS localhost. </li></ul><ul><li>A 127.0.0.1 </li></ul>
    68. 68. Reverse for localhost <ul><li>Since we want &quot;localhost -> 127.0.0.1&quot; we want to have &quot;127.0.0.1 -> localhost&quot; </li></ul><ul><li>We need a zone called 0.0.127.in-addr.arpa. </li></ul>
69. 0.0.127.in-addr.arpa file

    $TTL 86400
    @   IN  SOA  localhost. root.localhost. (
                 1       ; serial
                 1800    ; refresh
                 900     ; retry
                 69120   ; expire
                 1080    ; negative cache ttl
                 )
        NS   localhost.
    1   PTR  localhost.
70. Assembling the files
- Here's my directory:

    [/var/named/recursive] % ls
    0.0.127.in-addr.arpa   localhost   named.root

- The directory name and file names will be in named.conf
- Now I create a named.conf file in the same directory
71. named.conf

    options {
        directory "/var/named/recursive";
        recursion yes;          // by default recursion is on
    };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "localhost." {
        type master;
        file "localhost";
    };
    zone "0.0.127.in-addr.arpa." {
        type master;
        file "0.0.127.in-addr.arpa";
    };
72. Running the server
- From the directory:

    % named -g -c named.conf
73. Testing the server
- Just to show it is alive:

    % dig @127.0.0.1 www.arin.net

    ; <<>> DiG 9.2.2rc1 <<>> @127.0.0.1 www.arin.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16580
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 10, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.arin.net.                  IN      A

    ;; ANSWER SECTION:
    www.arin.net.           10800   IN      A       192.149.252.17
    www.arin.net.           10800   IN      A       192.149.252.16

    ;; AUTHORITY SECTION:
    arin.net.               10800   IN      NS      arrowroot.arin.net.
    (and so on)

    ;; Query time: 3066 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Feb 19 11:07:05 2003
    ;; MSG SIZE  rcvd: 251
74. Congratulations - Your First Server!
- It's just the beginning...
75. Questions?
76. Reverse DNS
77. Overview
- Principles
- Creating reverse zones
- Setting up nameservers
- Reverse delegation procedures
78. What is 'Reverse DNS'?
- 'Forward DNS' maps names to numbers
  - svc00.apnic.net -> 202.12.28.131
- 'Reverse DNS' maps numbers to names
  - 202.12.28.131 -> svc00.apnic.net
79. Reverse DNS - why bother?
- Service denial
  - Some services only allow access when the client's address is fully reverse delegated, e.g. anonymous ftp
- Diagnostics
  - Assisting in trace routes etc.
- SPAM identification
- Registration responsibilities
80. Principles – DNS tree
(Diagram: the DNS tree from the root down through net, edu, com, au and arpa. Under arpa sits in-addr, then 202 (RIR level, alongside 203, 210, 211, ...), 64 (ISP level) and 22 (customer level), giving the name 22.64.202.in-addr.arpa. whois servers sit at the root/RIR and APNIC levels. Mapping numbers to names in this way is 'reverse DNS'.)
81. Creating reverse zones
- Same as creating a forward zone file
  - SOA and initial NS records are the same as in a normal zone
  - Main difference
    - need to create additional PTR records
- Can use BIND or other DNS software to create and manage reverse zones
  - Details can be different
82. Creating reverse zones - contd
- Files involved
  - Zone files
    - Forward zone file
      - e.g. db.domain.net
    - Reverse zone file
      - e.g. db.192.168.254
  - Config files
    - named.conf
  - Other
    - Hints files etc.
      - root.hints
83. Start of Authority (SOA) record

    <domain.name.>  CLASS  SOA  <hostname.domain.name.>  <mailbox.domain.name.> (
                                <serial-number>
                                <refresh>
                                <retry>
                                <expire>
                                <negative-caching> )

Example owner name for a reverse zone: 253.253.192.in-addr.arpa.
84. Pointer (PTR) records
- Create pointer (PTR) records for each IP address, either with the fully qualified owner name:

    131.28.12.202.in-addr.arpa.  IN  PTR  svc00.apnic.net.

  or relative to the zone origin:

    131  IN  PTR  svc00.apnic.net.
85. A reverse zone example

    $ORIGIN 1.168.192.in-addr.arpa.
    @   3600  IN  SOA  test.company.org. sys.admin.company.org. (
                       2002021301  ; serial
                       1h          ; refresh
                       30M         ; retry
                       1W          ; expiry
                       3600 )      ; neg. answ. ttl
              NS   ns.company.org.
              NS   ns2.company.org.
    1         PTR  gw.company.org.
    2         PTR  ns.company.org.
    ;auto generate: 65 PTR host65.company.org.
    $GENERATE 65-127 $ PTR host$.company.org.

Note the trailing dots on every fully qualified name.
86. Setting up the primary nameserver
- Add an entry specifying the primary server to the named.conf file

    zone "<domain-name>" in {
        type master;
        file "<path-name>";
    };

- <domain-name>
  - Ex: 28.12.202.in-addr.arpa.
- <type master>
  - Define the name server as the primary
- <path-name>
  - location of the file that contains the zone records
87. Setting up the secondary nameserver
- Add an entry specifying the primary server to the named.conf file

    zone "<domain-name>" in {
        type slave;
        file "<path-name>";
        masters { <IP address>; };
    };

- <type slave> defines the name server as the secondary
- <IP address> is the IP address of the primary name server
- <domain-name> is the same as before
- <path-name> is where the back-up file is
88. Reverse delegation requirements
- /24 delegations
  - Address blocks should be assigned/allocated
  - At least two name servers
- /16 delegations
  - Same as /24 delegations
  - APNIC delegates entire zone to member
  - Recommend APNIC secondary zone
- < /24 delegations
  - Read "Classless in-addr.arpa delegation" (RFC 2317)
89. APNIC & ISPs responsibilities
- APNIC
  - Manage reverse delegations of address blocks distributed by APNIC
  - Process organisations' requests for reverse delegations of network allocations
- Organisations
  - Be familiar with APNIC procedures
  - Ensure that addresses are reverse-mapped
  - Maintain nameservers for allocations
    - Minimise pollution of DNS
90. Subdomains of in-addr.arpa domain
- Example: an organisation given a /16
  - 192.168.0.0/16 (one zone file and further delegations to downstreams)
  - The 168.192.in-addr.arpa zone file should have:

    0.168.192.in-addr.arpa.   NS   ns1.organisation0.com.
    0.168.192.in-addr.arpa.   NS   ns2.organisation0.com.
    1.168.192.in-addr.arpa.   NS   ns1.organisation1.com.
    1.168.192.in-addr.arpa.   NS   ns2.organisation1.com.
    2.168.192.in-addr.arpa.   NS   ns1.organisation2.com.
    2.168.192.in-addr.arpa.   NS   ns2.organisation2.com.
    :
    :
91. Subdomains of in-addr.arpa domain
- Example: an organisation given a /20
  - 192.168.0.0/20 (a lot of zone files! It has to be done per /24)
  - Zone files:

    0.168.192.in-addr.arpa.
    1.168.192.in-addr.arpa.
    2.168.192.in-addr.arpa.
    :
    :
    15.168.192.in-addr.arpa.
92. Subdomains of in-addr.arpa domain
- Example: case of a /24 subnetted with the mask 255.255.255.192
  - In-addr zone – 254.253.192.in-addr.arpa
  - Subnets
    - 192.253.254.0/26
    - 192.253.254.64/26
    - 192.253.254.128/26
    - 192.253.254.192/26
  - If different organisations have to manage the reverse-mapping for each subnet
    - Solution to follow...
93. Classless in-addr for 192.253.254/24
- CNAME records for each of the domain names in the zone
  - Pointing to domain names in the new subdomains

    $ORIGIN 254.253.192.in-addr.arpa.
    0-63      NS     ns1.organisation1.com.
    0-63      NS     ns2.organisation1.com.
    1         CNAME  1.0-63
    2         CNAME  2.0-63
    64-127    NS     ns1.organisation2.com.
    64-127    NS     ns2.organisation2.com.
    65        CNAME  65.64-127
    66        CNAME  66.64-127
94. Classless in-addr for 192.253.254/24
- Using $GENERATE (db.192.253.254 file)

    $ORIGIN 254.253.192.in-addr.arpa.
    0-63      NS     ns1.organisation1.com.
    0-63      NS     ns2.organisation1.com.
    $GENERATE 1-63 $ CNAME $.0-63
    64-127    NS     ns1.organisation2.com.
    64-127    NS     ns2.organisation2.com.
    $GENERATE 65-127 $ CNAME $.64-127
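To see exactly which records a $GENERATE line stands for (the PTR directive on slide 85 and the CNAME directives on this slide), here is a small expander. It is an added example, not code from the APNIC course or from BIND; it handles the plain "$" substitution the slides use, the "$$" escape for a literal dollar sign, an optional step (start-stop/step) and an optional TTL/class between the owner and the type, but not BIND's ${offset,width,base} modifier.

```python
"""Expand BIND $GENERATE directives into explicit resource records.

Added example, not code from the APNIC course or from BIND.
Supported form: $GENERATE start-stop[/step] lhs [ttl] [class] type rhs
"""
import re

# RR types BIND permits in $GENERATE
RR_TYPES = {"PTR", "CNAME", "A", "AAAA", "NS", "DNAME"}


def _substitute(template, n):
    """Replace "$" with the iterator value; "$$" yields a literal "$"."""
    return re.sub(r"\$\$|\$", lambda m: "$" if m.group() == "$$" else str(n), template)


def expand_generate(line):
    """Return the list of record lines a single $GENERATE directive stands for."""
    tokens = line.split()
    if not tokens or tokens[0].upper() != "$GENERATE":
        raise ValueError("not a $GENERATE directive: " + line)
    if len(tokens) < 5:
        raise ValueError("too few fields in: " + line)
    rng, lhs = tokens[1], tokens[2]
    start, stop = rng.split("-", 1)
    step = 1
    if "/" in stop:                       # BIND also allows start-stop/step
        stop, step = stop.split("/", 1)
    # Everything between lhs and the RR type is an optional ttl and/or class,
    # copied through unchanged into every generated record.
    for type_idx in range(3, len(tokens)):
        if tokens[type_idx].upper() in RR_TYPES:
            break
    else:
        raise ValueError("no supported RR type in: " + line)
    if type_idx + 1 >= len(tokens):
        raise ValueError("missing rhs in: " + line)
    middle = tokens[3:type_idx]
    rrtype = tokens[type_idx].upper()
    rhs = tokens[type_idx + 1]
    records = []
    for n in range(int(start), int(stop) + 1, int(step)):
        fields = [_substitute(lhs, n)] + middle + [rrtype, _substitute(rhs, n)]
        records.append(" ".join(fields))
    return records


def expand_zone(text):
    """Expand every $GENERATE line in zone-file text; other lines pass through."""
    out = []
    for line in text.splitlines():
        if line.lstrip().upper().startswith("$GENERATE"):
            out.extend(expand_generate(line))
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    # The two directives from the slides, first three records each
    for rec in expand_generate("$GENERATE 65-127 $ PTR host$.company.org.")[:3]:
        print(rec)
    for rec in expand_generate("$GENERATE 1-63 $ CNAME $.0-63")[:3]:
        print(rec)
```

Running the expander over a zone file before loading it is a cheap way to review what a range directive will publish; the owner names it produces are relative to the $ORIGIN in force, exactly as in the file.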
95. Classless in-addr for 192.253.254.0/26
- Now the zone data file for 0-63.254.253.192.in-addr.arpa can contain just PTR records for IP addresses 192.253.254.1 through 192.253.254.63

    $ORIGIN 0-63.254.253.192.in-addr.arpa.
    $TTL 1d
    @   SOA  ns1.organisation1.com. root.ns1.organisation1.com. (
             1    ; Serial
             3h   ; Refresh
             1h   ; Retry
             1w   ; Expire
             1h ) ; Negative caching TTL
        NS   ns1.organisation1.com.
        NS   ns2.organisation1.com.
    1   PTR  org1-name1.organisation1.com.
    2   PTR  org1-name2.organisation1.com.
    3   PTR  org1-name3.organisation1.com.
96. Reverse delegation procedures
- Upon allocation, the member is asked if they want /24 place-holder domain objects with the member's maintainer
  - Gives the member direct control
- Standard APNIC database object
  - can be updated through MyAPNIC, the online form or via email
- Nameserver/domain set-up is verified before being submitted to the database
- Protection by maintainer object
  - (current auths: CRYPT-PW, PGP)
- Zone file updated 2-hourly
97. Reverse delegation procedures
- Use MyAPNIC to create 'domain' objects
  - Highly recommended
- Or use the web form
  - http://www.apnic.net/db/domain.html
- On-line form interface
  - Real time feedback
  - Gives errors, warnings in zone configuration
    - serial number of zone consistent across nameservers
    - nameservers listed in zone consistent
98. Evaluation procedures
- Parser checks for
  - 'whois' database
    - IP address range is assigned or allocated
    - Must be in APNIC database
  - Maintainer object
    - Mandatory field of domain object
  - Nic-handles
    - zone-c, tech-c, admin-c
99. Online errors (also via email)

100. Request submission error
(Screenshot: "Update failed", "Authorisation failed")

101. Successful update
(Screenshot: "Update ok!")
102. Creation of domain objects
- If you opt to create the domain objects yourself
  - Either you can use MyAPNIC
  - Or use web/email templates
- Using web/email templates will result in initial errors
  - As the /8 is hierarchically maintained by MAINT-AP-DNS
  - Contact <helpdesk@apnic.net>
103. Whois domain object

    domain:     28.12.202.in-addr.arpa
    descr:      in-addr.arpa zone for 28.12.202.in-addr.arpa
    admin-c:    DNS3-AP
    tech-c:     DNS3-AP
    zone-c:     DNS3-AP
    nserver:    ns.telstra.net
    nserver:    rs.arin.net
    nserver:    ns.myapnic.net
    nserver:    svc00.apnic.net
    nserver:    ns.apnic.net
    mnt-by:     MAINT-APNIC-AP
    mnt-lower:  MAINT-DNS-AP
    changed:    inaddr@apnic.net 19990810
    source:     APNIC

(Slide callouts: reverse zone; contacts; name servers; maintainers (protection).)
104. Removing lame delegations
- Objective
  - To repair or remove persistently lame DNS delegations
- DNS delegations are lame if:
  - Some or all of the registered DNS nameservers are unreachable or badly configured
- APNIC commenced formal implementation of the lame DNS reverse delegation procedures
105. IPv6 Reverse delegations
106. IPv6 representation in the DNS
- Forward lookup support: multiple RR records for name to number
  - AAAA (similar to the A RR for IPv4)
- Reverse lookup support:
  - Reverse nibble format for zone ip6.arpa
107. IPv6 forward and reverse mappings
- The existing A record will not accommodate IPv6's 128-bit addresses
- BIND expects an A record's record-specific data to be a 32-bit address (in dotted-octet format)
- An address record
  - AAAA (RFC 1886)
- A reverse-mapping domain
  - ip6.arpa
108. The reverse DNS tree – with IPv6
(Diagram: the same tree as before (root, net, edu, com, int, arpa; whois at the RIR and APNIC levels), with arpa now holding both in-addr (202 / 64 / 22 for RIR / ISP / Customer) and IP6 for IPv6 addresses.)
109. (Diagram: the ip6.arpa tree for b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa. below Root DNS / arpa / IP6, showing how many hex digits (nibbles) each level owns: ISP /32 (8 nibbles), downstream ISP /40 (10 nibbles), customer /48 (12 nibbles), devices /128 (all 32 nibbles).)
110. Sample forward lookup file

    ;; domain.edu
    $TTL 86400
    @   IN  SOA  ns1.domain.edu. root.domain.edu. (
                 2002093000   ; serial - YYYYMMDDXX
                 21600        ; refresh - 6 hours
                 1200         ; retry - 20 minutes
                 3600000      ; expire - long time
                 86400 )      ; minimum TTL - 24 hours
    ;; Nameservers
        IN  NS    ns1.domain.edu.
        IN  NS    ns2.domain.edu.
    ;; Hosts with just A records
    host1   IN  A     1.0.0.1
    ;; Hosts with both A and AAAA records
    host2   IN  A     1.0.0.2
            IN  AAAA  2001:468:100::2
111. IPv6 reverse lookups
- IETF decided to restandardize IPv6 PTR RRs
  - They will be found in the IP6.ARPA namespace
- The ip6.int domain has been deprecated
  - Now using ip6.arpa for reverse
112. IPv6 reverse lookups - PTR records
- Similar to in-addr.arpa
- Example: reverse name lookup for a host with address 3ffe:8050:201:1860:42::1

    b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.  IN  PTR  test.ip6.example.com.

    $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.
    1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0   14400  IN  PTR  host.example.com.
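The mapping from an address to its in-addr.arpa or ip6.arpa owner name (slide 78 for IPv4, this slide for IPv6) is mechanical but easy to get wrong by hand, especially the zero-filling of IPv6 groups. The following is an added example, not code from the APNIC course: it builds the reversed name, derives the $ORIGIN for an octet- or nibble-aligned prefix, produces the relative owner name to write under that origin, and cross-checks itself against the standard library's reverse_pointer. Addresses used in the demonstration are the ones on the slides.

```python
"""Build reverse-DNS owner names and zone origins for IPv4 and IPv6.

Added example, not code from the APNIC course; standard library only.
"""
import ipaddress


def reverse_name(addr):
    """Full PTR owner name: octets reversed under in-addr.arpa for IPv4,
    all 32 nibbles reversed under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    nibbles = list(ip.exploded.replace(":", ""))   # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def needs_rfc2317(network):
    """True for an IPv4 prefix that is not octet-aligned (e.g. a /26):
    such a block cannot be its own in-addr.arpa zone and needs RFC 2317 delegation."""
    net = ipaddress.ip_network(network, strict=True)
    return net.version == 4 and net.prefixlen % 8 != 0


def reverse_zone_origin(network):
    """Origin of the reverse zone covering `network` (a CIDR string).
    IPv4 prefixes must be octet-aligned, IPv6 prefixes nibble-aligned."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{network}: IPv4 prefix not octet-aligned, see RFC 2317")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError(f"{network}: IPv6 prefix not nibble-aligned")
    nibbles = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def relative_owner(addr, network):
    """Owner name of `addr` relative to the reverse zone of `network`,
    i.e. the left-hand side written under that zone's $ORIGIN."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(network, strict=True)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {network}")
    origin = reverse_zone_origin(network)
    return reverse_name(addr)[: -(len(origin) + 1)]   # drop "." + origin


def ptr_line(addr, target, network):
    """One PTR record for a zone file whose $ORIGIN is the reverse zone of `network`."""
    return f"{relative_owner(addr, network)} IN PTR {target}"


def self_check(addr):
    """True when the hand-built name agrees with the standard library's."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer + "."


if __name__ == "__main__":
    print(reverse_name("202.12.28.131"))
    print("$ORIGIN", reverse_zone_origin("3ffe:8050:201:1860::/64"))
    print(ptr_line("3ffe:8050:201:1860:42::1", "host.example.com.", "3ffe:8050:201:1860::/64"))
```

The reverse file name on slide 113 (0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2) is what reverse_zone_origin returns for 2001:468:100::/64 minus the ip6.arpa suffix, so the same function can name the files a delegation needs.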
113. Sample reverse lookup file

    ;; 0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev
    ;; These are reverses for 2001:468:100::/64
    ;; File can be used for both ip6.arpa and ip6.int.
    $TTL 86400
    @   IN  SOA  ns1.domain.edu. root.domain.edu. (
                 2002093000   ; serial - YYYYMMDDXX
                 21600        ; refresh - 6 hours
                 1200         ; retry - 20 minutes
                 3600000      ; expire - long time
                 86400 )      ; minimum TTL - 24 hours
    ;; Nameservers
        IN  NS   ns1.domain.edu.
        IN  NS   ns2.domain.edu.
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  host1.ip6.domain.edu.
    2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  host2.domain.edu.
    ;;
    ;; Can delegate to other nameservers in the usual way
    ;;
114. Questions?
115. DNS Security
116. DNS Secure Configurations
- Administrative security
  - Server configurations, BIND configuration, file permissions etc.
- Zone transfers
  - Limiting and controlling source and destination of zone transfer operations
  - Secure authentication of source and destination
- Dynamic updates
  - Possible corruption/poisoning of the master zone
  - Limit access; secure authentication needed
- Zone integrity
  - Zone data is correct
117. RNDC & TSIG
118. What is RNDC?
- Remote Name Daemon Controller
- Command-line control of the named daemon
- Usually on the same host, can be across hosts
  - Locally or remotely
119. Configuring RNDC
- "rndc-confgen" generates lines to be added to two files
  - rndc.conf
  - named.conf
120. Generating the lines:

    > rndc-confgen
    key "rndc-key" {
        algorithm hmac-md5;
        secret "rXxroiejf8937Bjf_+-532ktj/==";
    };

    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };
    # End of rndc.conf

    # Use with the following in named.conf, adjusting the
    # allow list as needed:
    # key "rndc-key" {
    #     algorithm hmac-md5;
    #     secret "rXxroiejf8937Bjf_+-532ktj/==";
    # };
    #
    # controls {
    #     inet 127.0.0.1 port 953
    #         allow { 127.0.0.1; } keys { "rndc-key"; };
    # };
121. Using an rndc.conf file
- /etc/rndc.conf specifies defaults for rndc
- E.g.:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "dY7/uIiR0fKGvi5z50+Q==";
    };
    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };
122. Enabling RNDC in the server – named.conf
- key definition

    key rndc-key {
        secret "dY7/uIiR0fKGvi5z50+Q==";
        algorithm hmac-md5;
    };

  - Warning: the example secret looks good but is invalid (don't copy it!)
- controls statement

    controls {
        inet 127.0.0.1 port 953      // for a remote host, use
            allow { 127.0.0.1; }     // the actual IP
            keys { "rndc-key"; };
    };
123. What can be done with RNDC
- > rndc stop - kills the server
- > rndc status - prints some information
- > rndc stats - generates a stats file (named.stats)
- > rndc reload - refreshes zone(s), with variations
- > rndc trace - increases the debug level
- > rndc flush - removes cached data
- other commands in the ARM
124. TSIG
125. What is TSIG - Transaction Signature?
- A mechanism for protecting a message from a primary to a secondary and vice versa
- A keyed hash is applied (like a digital signature) so the recipient can verify the message
  - DNS question or answer
  - & the timestamp
- Based on a shared secret - both sender and receiver are configured with it
126. What is TSIG - Transaction Signature?
- TSIG (RFC 2845)
  - authorizing dynamic updates & zone transfers
  - authentication of caching forwarders
- Used in the server configuration, not in the zone file
127. Names and Secrets
- TSIG name
  - A name is given to the key; the name is what is transmitted in the message (so the receiver knows which key the sender used)
- TSIG secret value
  - A value determined during key generation
  - Usually seen in Base64 encoding
128. Using TSIG to protect AXFR
- Deriving a secret

    > dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>

  e.g.

    > dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.pcx.net

  This will generate the key

    Kns1-ns2.pcx.net.+157+15921

    > ls
    Kns1-ns2.pcx.net.+157+15921.key
    Kns1-ns2.pcx.net.+157+15921.private
129. Using TSIG to protect AXFR
- Configuring the key
  - in the named.conf file, same syntax as for rndc
  - key { algorithm ...; secret ...; }
- Making use of the key
  - in the named.conf file
  - server x { key ...; }
  - where 'x' is the IP address of the other server
130. TSIG keys
- Issue: naming the key
  - The name is arbitrary, but must be consistent between the named.conf and the client
  - There is an advantage to making it the same as a domain in the zone
- To test the keys, turn on key-based authorization of AXFR - just for testing
131. Making TSIG keys

    dnssec-keygen -a HMAC-MD5 -b 128 -n host slave1.dynamic.myzone.example.
    dnssec-keygen -a HMAC-MD5 -b 128 -n host slave2.dynamic.myzone.example.

    ls:
    Kslave1.dynamic.myzone.example.+157+42488.key
    Kslave1.dynamic.myzone.example.+157+42488.private
    Kslave2.dynamic.myzone.example.+157+57806.key
    Kslave2.dynamic.myzone.example.+157+57806.private
132. Configuration Example – named.conf

Primary server 10.33.40.46:

    key ns1-ns2.pcx.net {
        algorithm hmac-md5;
        secret "APlaceToBe";
    };
    server 10.33.50.35 {
        keys { ns1-ns2.pcx.net; };
    };
    zone "my.zone.test." {
        type master;
        file "db.myzone";
        allow-transfer { key ns1-ns2.pcx.net; };
    };

Secondary server 10.33.50.35:

    key ns1-ns2.pcx.net {
        algorithm hmac-md5;
        secret "APlaceToBe";
    };
    server 10.33.40.46 {
        keys { ns1-ns2.pcx.net; };
    };
    zone "my.zone.test." {
        type slave;
        file "myzone.backup";
        masters { 10.33.40.46; };
        allow-transfer { key ns1-ns2.pcx.net; };
    };

You can save the key statement in a file and refer to it in named.conf using an 'include' statement:

    include "/var/named/master/tsig-key-ns1-ns2";
133. TIME!!!
- TSIG is time sensitive - to stop replays
  - Message protection expires in 5 minutes
  - Make sure time is synchronized
  - For testing, set the time
  - In operations, (secure) NTP is needed
134. Address Match Lists
135. Elements in an address match list
- Individual IP addresses
- Address/netmask pairs
- Names of other ACLs
- In some contexts, key names
136. Purposes in BIND
- Restricting queries & zone transfers
- Authorizing dynamic updates
- Selecting interfaces to listen on
- Sorting responses

* Address match lists are always enclosed in curly braces.
137. Notes on address match lists
- Elements must be separated by ";"
- The list must be terminated with a ";"
- Elements of the address match list are checked sequentially.
- To negate elements of the address match list, prepend them with "!"
- Use the acl statement to name an address match list.
- An acl must be defined before it can be used elsewhere.
138. Example: Address match lists
- For network 192.168.0.0 255.255.255.0
  - { 192.168.0.0/24; }
- For network plus loopback
  - { 192.168.0.0/24; 127.0.0.1; }
- Addresses plus key name
  - { 192.168.0.0/24; 127.0.0.1; tequila.apnic.net; }
139. The acl Statement
- Syntax:

    acl <acl-name> { <address-match-list> };

- Example:

    acl internal { 127.0.0.1; 192.168.0/24; };
    acl dynamic-update { key dhcp.apnic.net; };
140. Notes on the acl Statement
- The acl name need not be quoted.
- There are four predefined ACLs:
  - any (any IP address)
  - none (no IP address)
  - localhost (loopback, 127.0.0.1)
  - localnets (all networks the name server is directly connected to)
141. Blackhole

    options {
        blackhole { ACL-name or itemized list; };
    };
142. Allow-transfer

    zone "myzone.example." {
        type master;
        file "myzone.example.";
        allow-transfer { ACL-name or itemized list; };
    };
143. Allow-Query

    zone "myzone.example." {
        type master;
        file "myzone.example.";
        allow-query { ACL-name or itemized list; };
    };
144. Listen-on

    options {
        listen-on port # { ACL-name or itemized list; };
    };
145. Summary
- ACLs and configuration options can be used to create a simple split DNS.
- It is cumbersome and difficult to maintain.
- Good operational practice suggests that ACLs and configuration options be reviewed regularly to ensure that they accurately reflect the desired behaviour.
146. Views
- The view statement is a powerful new feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers.
147. Syntax

    view view_name [class] {
        match-clients { address_match_list };
        match-destinations { address_match_list };
        match-recursive-only yes_or_no;
        [ view_option; ... ]
        [ zone_statement; ... ]
    };
148. Example Config

    view "internal" {
        // This should match our internal networks.
        match-clients { 10.0.0.0/8; };
        // Provide recursive service to internal clients only.
        recursion yes;
        // Provide a complete view of the example.com zone
        // including addresses of internal hosts.
        zone "example.com" {
            type master;
            file "example-internal.db";
        };
    };
149. Continued

    view "external" {
        // Match all clients not matched by the previous view.
        match-clients { any; };
        // Refuse recursive service to external clients.
        recursion no;
        // Provide a restricted view of the example.com zone
        // containing only publicly accessible hosts.
        zone "example.com" {
            type master;
            file "example-external.db";
        };
    };
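The address-match-list rules of slides 135 to 144 and the view selection of slides 146 to 149 share one evaluator: elements are checked in order, the first match decides, "!" negates, an element may name another acl, and the first view whose match-clients matches the client answers. The following is an added example, not code from the APNIC course or from BIND, that implements those stated rules so you can test an ACL or view ordering offline before committing it. Two things are assumptions of the example: LOCALNETS stands in for the directly connected networks BIND discovers itself, and a nested acl is counted as a match only when it matches positively. The acls, views and client addresses in demo() are constructed.

```python
"""Evaluate BIND-style address match lists and pick a view for a client.

Added example, not code from the APNIC course or from BIND.
"""
import ipaddress

# Assumed: the networks the server is directly connected to (BIND derives these).
LOCALNETS = [ipaddress.ip_network("192.168.0.0/24")]


class AddressMatchList:
    def __init__(self, elements, acls=None):
        self.elements = list(elements)     # strings as they would appear in named.conf
        self.acls = acls if acls is not None else {}   # named acls visible to this list

    def match(self, client_ip, key_name=None, _depth=0):
        """True: matched; False: matched a negated element; None: nothing matched."""
        if _depth > 10:
            raise ValueError("acl nesting too deep (loop?)")
        ip = ipaddress.ip_address(client_ip)
        for element in self.elements:          # sequential, first match decides
            negate = element.startswith("!")
            body = element[1:].strip() if negate else element.strip()
            if self._element_matches(body, ip, key_name, _depth):
                return not negate
        return None

    def _element_matches(self, body, ip, key_name, depth):
        if body == "any":
            return True
        if body == "none":
            return False
        if body == "localhost":
            return ip.is_loopback
        if body == "localnets":
            return any(ip in net for net in LOCALNETS)
        if body.startswith("key "):            # "key name;" form from slide 139
            return key_name is not None and body[4:].strip().rstrip(".") == key_name.rstrip(".")
        if body in self.acls:                  # reference to another acl
            return self.acls[body].match(str(ip), key_name, depth + 1) is True
        try:
            return ip in ipaddress.ip_network(body, strict=False)
        except ValueError:
            # Not an address or prefix: the bare key-name form from slide 138.
            return key_name is not None and body.rstrip(".") == key_name.rstrip(".")


def select_view(views, client_ip, key_name=None):
    """views: ordered list of (name, match-clients AddressMatchList); first match wins."""
    for name, match_clients in views:
        if match_clients.match(client_ip, key_name) is True:
            return name
    return None


def demo():
    """Constructed acls and views mirroring the slides' examples."""
    acls = {}
    acls["internal"] = AddressMatchList(["127.0.0.1", "192.168.0.0/24"], acls)
    acls["dynamic-update"] = AddressMatchList(["key dhcp.apnic.net"], acls)
    # Subset before superset: the negated host must come first to be excluded.
    acls["trusted"] = AddressMatchList(["!10.0.0.5", "10.0.0.0/8", "internal"], acls)
    views = [
        ("internal", AddressMatchList(["10.0.0.0/8"], acls)),
        ("external", AddressMatchList(["any"], acls)),
    ]
    return acls, views


if __name__ == "__main__":
    acls, views = demo()
    for client in ("10.0.0.5", "10.0.0.6", "127.0.0.1", "203.0.113.5"):
        print(client, "trusted:", acls["trusted"].match(client), "view:", select_view(views, client))
```

The "trusted" acl in demo() shows why slide 137's note about sequential checking matters: swap "!10.0.0.5" and "10.0.0.0/8" and the exclusion is never reached, because 10.0.0.0/8 already matched. Reviewing ACL order with a checker like this is part of the regular review slide 145 recommends.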
150. DNSSEC
151. Background
- The original DNS protocol wasn't designed with security in mind
- It has very few built-in security mechanisms
- As the Internet grew wilder & woollier, the IETF realized this would be a problem
  - For example, DNS spoofing was too easy
- DNSSEC and TSIG were developed to help address this problem
152. Why DNSSEC?
- DNS is not secure
  - Applications depend on DNS
    - Known vulnerabilities
- DNSSEC protects against data spoofing and corruption
153. Overview
- Introduction
- DNSSEC mechanisms
  - To authenticate servers (TSIG)
  - To establish authenticity and integrity of data
    - Quick overview
    - New RRs
    - Using public key cryptography to sign a single zone
    - Delegating signing authority; building chains of trust
    - Key exchange and rollovers
- Conclusions
154. Reminder: DNS Resolving
(Diagram, steps numbered 1 to 10: a resolver asks a caching forwarder (recursive) "www.apnic.net A?". The forwarder asks a root server and is told "go ask net server @ X.gtld-servers.net" (+ glue); asks the gtld server and is told "go ask ripe server @ ns.apnic.net" (+ glue); asks the apnic server and receives "192.168.5.10". The forwarder adds the answer to its cache, subject to the TTL, and returns 192.168.5.10 to the resolver.)
155. DNS: Data Flow
(Diagram, steps numbered 1 to 5: the zone administrator edits the zone file, which the master loads; dynamic updates also change the master; slaves transfer the zone from the master; a caching forwarder queries the servers and answers the resolver.)
156. DNS Vulnerabilities
(The same data-flow diagram annotated with where attacks apply, grouped under server protection and data protection: corrupting data (zone file), impersonating the master (master to slaves), unauthorized updates (dynamic updates), cache impersonation (caching forwarder to resolver), and cache pollution by data spoofing (answers into the caching forwarder).)
157. TSIG Protected Vulnerabilities
(Same diagram: TSIG protects against impersonating the master and unauthorized updates.)
158. Vulnerabilities protected by DNSKEY / RRSIG / NSEC
(Same diagram: DNSSEC protects against cache impersonation and cache pollution by data spoofing.)
159. Difference Between TSIG and DNSSEC
- TSIG secures transactions
  - Making sure DNS messages come from the right place and aren't modified in transit
- DNSSEC secures (signs) zone data
  - Making sure resource records are those signed by the administrator of the zone
- Only endpoints that share a key can use TSIG to verify DNS messages
- Any endpoint that supports DNSSEC can use it to verify signed zone data
160. Enable dnssec
- In named.conf:

    options {
        directory "...";
        dnssec-enable yes;
    };
161. Create key pairs
- To create the ZSK

    > dnssec-keygen -a rsasha1 -b 1024 -n zone champika.net

- To create the KSK

    > dnssec-keygen -a rsasha1 -b 1400 -f KSK -n zone champika.net
162. What will be created?
- After key generation (ZSK & KSK) you will see 2 files have been created for each key
  - Files with .key and .private extensions
  - The .key file contains your public key, whereas the .private file contains your private key
163. Publishing your public key
- Using $INCLUDE you can pull the public key (DNSKEY RR) into the zone file

    $INCLUDE /path/Kchampika.net.+005+57163.key ; ZSK
    $INCLUDE /path/Kchampika.net.+005+40485.key ; KSK

- You can also manually enter the DNSKEY RR in the zone file
164. Signing the zone

    > dnssec-signzone -o champika.net -t -k Kchampika.net.+005+40485 db.champika.net Kchampika.net.+005+57163

- -k names the KSK (40485 on the previous slide); the ZSK (57163) is given as the trailing key argument
- Once you sign the zone, a file with a .signed extension will be created
  - db.champika.net.signed
165. Signed Zone
- Observe the signed zone file
- Resource records
  - DNSKEY
  - RRSIG
  - NSEC
- Difference in the file size
  - db.champika.net vs db.champika.net.signed
166. Updates to the config file
- Modify the zone statement
- Replace the previous zone file with the signed zone file
167. Testing the server
- Ask the server a DNSSEC-enabled question and see whether the answer contains DNSSEC data
  - Basically, the answers are signed

    > dig @localhost www.champika.net +dnssec +multiline
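Reading a +dnssec answer by eye is fine for one name; for a whole zone it helps to have a checker. The following is an added example, not code from the APNIC course or from BIND: it takes the text dig prints (single-line format, without +multiline), reads the header flags, the EDNS "do" flag and the ANSWER section, and reports for every RRset whether an RRSIG covering it is present and within its validity window. The dig output embedded below is constructed (address, dates, signature bytes and the deliberately unsigned TXT record are placeholders to show what a gap looks like); the key tag 57163 and algorithm 5 are those of the ZSK on the earlier slides.

```python
"""Check a dig +dnssec answer for signatures on every RRset.

Added example, not code from the APNIC course or from BIND.
"""
from datetime import datetime, timezone

# Constructed dig output: placeholders, not a real query result.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.x <<>> @localhost www.champika.net +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.champika.net.\t\tIN\tA

;; ANSWER SECTION:
www.champika.net.\t86400\tIN\tA\t192.0.2.10
www.champika.net.\t86400\tIN\tRRSIG\tA 5 3 86400 20240301000000 20240201000000 57163 champika.net. QUJDREVGR0g=
www.champika.net.\t86400\tIN\tTXT\t"constructed unsigned record"

;; Query time: 1 msec
"""


def _sig_time(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dig(dig_output):
    """Return (header flags, EDNS do flag, ANSWER records as token lists)."""
    flags, do_flag, answers, section = set(), False, [], None
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            edns_flags = line.split("flags:")[1].split(";")[0] if "flags:" in line else ""
            do_flag = "do" in edns_flags.split()
        elif line.startswith(";;"):
            section = line.strip()            # section headers and trailer lines
        elif section == ";; ANSWER SECTION:" and line.strip() and not line.startswith(";"):
            answers.append(line.split())
    return flags, do_flag, answers


def check_dnssec_answer(dig_output, now):
    """now: 'YYYYMMDDHHMMSS' in UTC, the format RRSIG itself uses.
    Returns the do/ad flags and, per (owner, type), 'signed', 'unsigned' or 'expired'."""
    now_dt = _sig_time(now)
    flags, do_flag, answers = parse_dig(dig_output)
    sigs = {}
    for r in answers:
        if r[3] == "RRSIG":
            # rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            owner, covered = r[0], r[4]
            sigs[(owner, covered)] = (_sig_time(r[9]), _sig_time(r[8]), int(r[10]))
    report = {}
    for r in answers:
        if r[3] == "RRSIG":
            continue
        rrset = (r[0], r[3])
        if rrset not in sigs:
            report[rrset] = "unsigned"
        else:
            inception, expiration, _keytag = sigs[rrset]
            report[rrset] = "signed" if inception <= now_dt <= expiration else "expired"
    # "ad" is set only by a validating resolver; an authoritative server
    # answering directly, as on this slide, will not set it.
    return {"do": do_flag, "ad": "ad" in flags, "rrsets": report}


if __name__ == "__main__":
    result = check_dnssec_answer(SAMPLE_DIG_OUTPUT, "20240215000000")
    print("do flag:", result["do"], " ad flag:", result["ad"])
    for (owner, rtype), status in result["rrsets"].items():
        print(f"{owner} {rtype}: {status}")
```

Run it against real dig output captured to a file and a "now" of the current UTC time; an "expired" status on an otherwise correctly signed zone usually means the zone was not re-signed before the RRSIG expiration, which is the reason re-signing is scheduled well inside the signature lifetime.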
168. Questions?