SlideShare a Scribd company logo
© Men & Mice http://menandmice.com
BIND 9.11
1
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
BIND 9.11
• Catalog Zones
• new rndc functions
• dnssec-keymgr
• CDS/CDNSKEY auto generation
• Negative Trust Anchor
• DNS cookies
• Minimal “any”
2
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
BIND 9.11 License change
•BIND 9.11 is now licensed under the Mozilla Public License
(MPL)

https://en.wikipedia.org/wiki/Mozilla_Public_License
•previous versions of BIND 9 are licensed under ISC License (a variation
of the BSD License)

https://en.wikipedia.org/wiki/ISC_license
•both licenses are "Open-Source" licenses
•this change does have no impact on users of BIND 9
(including users of the Men & Mice Suite)
•it has an impact of companies that include an adapted version
of BIND 9 into their product offerings
3
© Men & Mice http://menandmice.com
BIND 9 catalog zones
4
© Men & Mice http://menandmice.com
Catalog Zones
•catalog zones are a way to provision DNS zones
•catalog zones are an internet draft (RFC "work in
progress) in the IETF 

https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones
•a "proof-of-concept" implementation for PowerDNS
exists
5
© Men & Mice http://menandmice.com
Catalog Zones
•a catalog zone works like a normal DNS zone
•it contains the names and configuration metadata of
zones that should exist on a secondary server
•the catalog zone is maintained on the master server
• new zones added into the catalog zone on the
master are also created on the secondaries
receiving the same catalog zone
6
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
7
Server with
Master
zones
Server with
Slave
zones
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
8
Catalog Zone
(master)
empty
Server with
Master
zones
Server with
Slave
zones
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
9
Catalog Zone
(master)
empty
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
empty
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
10
Catalog Zone
(master)
empty
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
empty
Production Zone
(master)
example.com
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
11
Catalog Zone
(master)
example.com
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
empty
Production Zone
(master)
example.com
new production
zone added to the
catalog zone
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
12
Catalog Zone
(master)
example.com
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
example.com
Production Zone
(master)
example.com
zone
transfer
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
13
Catalog Zone
(master)
example.com
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
example.com
Production Zone
(master)
example.com
production
slave zone
configuration is
added by
BIND
Production Zone
(slave)
example.com
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
14
Catalog Zone
(master)
example.com
Server with
Master
zones
Server with
Slave
zones
Catalog Zone
(slave)
example.com
Production Zone
(master)
example.com
zone
transfer
Production Zone
(slave)
example.com
© Men & Mice http://menandmice.com
Catalog Zones
•empty catalog zone
$TTl 60

@ IN SOA authoritative.example.com. hostmaster (

1001 2h 20m 41d 1h )

IN NS authoritative.example.com.

IN NS secondary01.example.com.
15
names should be
resolvable via DNS for
notify to work
© Men & Mice http://menandmice.com
Catalog Zones
•BIND 9 named.conf with catalog zone on the master server
options {

directory "/etc/namedb";

recursion no;

};
logging {
channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };

category xfer-in { transfer-log; };

category xfer-out { transfer-log; };

};
zone "catalog.example" {

type master;

file "catalog.example";

};
16
© Men & Mice http://menandmice.com
Catalog Zones
•start BIND 9 on the master
# named-checkconf -z

zone catalog.example/IN: loaded serial 1001
# named
# rndc status

version: BIND 9.11.0b3 <id:a23f742>

running on csmobile4.example.com: Linux x86_64 4.6.5-300.fc24.x86_64 #1 SMP Thu Jul 28 01:10:12 UTC 2016

boot time: Tue, 16 Aug 2016 07:29:05 GMT

last configured: Tue, 16 Aug 2016 07:30:49 GMT

configuration file: /etc/named.conf

CPUs found: 4

worker threads: 4

UDP listeners per interface: 3

number of zones: 2 (0 automatic)

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/900/1000

tcp clients: 0/150

server is up and running
17
© Men & Mice http://menandmice.com
Catalog Zones
• BIND 9 configuration on the secondary
options {

directory "/etc/namedb";

recursion no;



allow-new-zones yes;

catalog-zones {

zone "catalog.example"

zone-directory "cat-zones"

in-memory no

default-masters { 172.22.1.196; };

};

};
logging {

channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };

category xfer-in { transfer-log; };

category xfer-out { transfer-log; };

};



zone "catalog.example" {

type slave;

file "catalog.example";

masters { 172.22.1.196; };

};
18
allow
BIND 9 to
dynamically add
new zones
definition of
the catalog zone
directory for
storing new
slave zones
IP addresses of
the default
masters for new
slave zones
write slave
zone contents to
disk
catalog
zone definition
© Men & Mice http://menandmice.com
Catalog Zones
• adding the new zone to the BIND 9 server (Step 1)
# $EDITOR /etc/namedb/example.com
$ttl 1800

@ IN SOA authoritative.example.com. hostmaster 1001 2h 30m 41d 1h

IN NS authoritative.example.com.

IN NS secondary01.example.com.
authoritative IN A 172.22.1.196

secondary01 IN A 172.22.1.199
19
© Men & Mice http://menandmice.com
Catalog Zones
• adding the new zone to the BIND 9 server (Step 2)
# $EDITOR /etc/namedb/named.conf
options {

directory "/etc/namedb";

recursion no;

};
logging {

channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };

category xfer-in { transfer-log; };

category xfer-out { transfer-log; };

};



zone "example.com" {

type master;

file "example.com";

};



zone "catalog.example" {

type master;

file "catalog.example";

};
20
new zone
configuration
© Men & Mice http://menandmice.com
Catalog Zones
• adding the new zone to the BIND 9 server (Step 3)
# named-checkconf -z

zone example.com/IN: loaded serial 1001

zone catalog.example/IN: loaded serial 1001
21
© Men & Mice http://menandmice.com
Catalog Zones
• adding the new zone to the catalog zone


# echo -n "example.com" | openssl sha1

(stdin)= 0caaf24ab1a0c33440c06afe99df986365b0781f

# $EDITOR /etc/namedb/catalog.example

$TTl 60

@ IN SOA authoritative.example.com. hostmaster 1002 (

2h 20m 41d 1h )

IN NS authoritative.example.com.

IN NS secondary01.example.com.

0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
22
sha1 hash
identifying the
new zone
mapping
the hash to the
name of the
zone
increment
SOA serial
number
© Men & Mice http://menandmice.com
Catalog Zones
• BIND 9 log information shows the update of the
catalog zone followed by an transfer of the new zone:
named[157]: client 172.22.1.196#60914: received notify for zone 'catalog.example'

named[157]: zone catalog.example/IN: notify from 172.22.1.196#60914: serial 1002

named[157]: zone catalog.example/IN: Transfer started.

named[157]: catz: updating catalog zone 'catalog.example' with serial 1002

named[157]: zone catalog.example/IN: transferred serial 1002

named[157]: zone catalog.example/IN: sending notifies (serial 1002)

named[157]: catz: adding zone 'example.com' from catalog 'catalog.example' - success

named[157]: zone example.com/IN: Transfer started.

named[157]: zone example.com/IN: transferred serial 1001

named[157]: zone example.com/IN: sending notifies (serial 1001)
23
new
zone is now
available on the
secondary
© Men & Mice http://menandmice.com
Catalog Zones
• catalog zones can contain configuration information
for the new zone (Details in the BIND 9 ARM):
$TTl 60

@ IN SOA authoritative.catalog.example. hostmaster 1002 2h 20m 41d 1h

IN NS authoritative.example.com.

IN NS secondary01.example.com.
0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.

masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196

allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL (

1:172.22.1.196/32 1:172.22.1.199/32 )
24
access
control list for
zone-transfer
definition
of the zones
master
server(s)
© Men & Mice http://menandmice.com
Catalog Zones
• rndc zonestatus on a zone added via catalog zone:
# rndc zonestatus example.com

name: example.com

type: slave

files: cat-zones/__catz___default_catalog.example_example.com.db

serial: 1001

nodes: 3

last loaded: Thu, 18 Aug 2016 07:29:58 GMT

next refresh: Thu, 18 Aug 2016 07:52:54 GMT

expires: Mon, 26 Sep 2016 07:54:36 GMT

secure: no

dynamic: no

reconfigurable via modzone: yes
25
zone expiry
information for
slave zones
backup file
© Men & Mice http://menandmice.com
rndc 

Remote Name Daemon
Control
26
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
read-only rndc
•a rndc control channel can be configured "read-only"
•all "destructive" rndc commands are blocked ("reload", "reconfigure", "stop",
"addzone", "delzone" etc)
•multiple control channels can be configured
•each should have a unique "tsig" key for authentication



key "rndc-key" {

algorithm hmac-md5;

secret "ikRtqFL52Inn+7wCE0Bb9A==";

};



controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; }

keys { "rndc-key"; }

read-only yes;

};
27
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Zone provisioning with rndc
•in previous BIND 9 versions, it is possible to dynamically
add/remove zones to a running configuration with rndc
addzone and rndc delzone
•Zone configurations added with rndc addzone can now
be changed dynamically with rndc modzone
•rndc delzone can now also remove zones that are
configured in named.conf

# rndc delzone example.com

zone 'example.com' is no longer active and will be deleted.

To keep it from returning when the server is restarted, it

must also be removed from named.conf.
28
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
rndc zonestatus
•rndc can now display detail information about a
configured zone



# rndc zonestatus example.com

name: example.com

type: master

files: example.com

serial: 1001

nodes: 3

last loaded: Thu, 18 Aug 2016 07:25:06 GMT

secure: no

dynamic: no

reconfigurable via modzone: no
29
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
python rndc
•BIND 9.11 contains a python library to access the
rndc control channel from within python programs
•python written applications can make use of rndc functions
(addzone, manage keys, sign zones etc)
30
© Men & Mice http://menandmice.com
DNSSEC
31
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
dnssec-keymgr
•dnssec-keymgr is a new tool written in Python to
manage DNSSEC keys (and the key-rollover)
•the tool will read a policy file (${SYSCONFDIR}/policy.conf)
and will create new ZSK/KSK based on the defined
policies
•Policies can be defined global, per algorithm and per
zone
•Policies can inherit settings from a global policy definition
32
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
dnssec-keymgr
•dnssec-keymgr example policy configuration



policy default-dnssec {

directory "/etc/namedb/keys";

algorithm rsasha256;

key-size zsk 2048;

key-size ksk 2560;

pre-publish zsk 1w;

post-publish zsk 2w;

roll-period zsk 2mo;

roll-period ksk 0;

coverage 364d;

};



zone example.com {

policy default-dnssec;

key-size zsk 1536;

};
33
inherit the "default-
dnssec" policy for the
zone
override a
setting inherited
from the global
policy
global policy
definition
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
dnssec-keymgr
•dnssec-keymgr is designed to be run from a cron-job
•it can be started manually:



# dnssec-keymgr example.com

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -a RSASHA256 -b 1536 example.com

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -fk -a RSASHA256 -b 2560 example.com

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161017081131 -D 20161031081131 Kexample.com.+008+16143

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+16143 -L 3600 -i 604800

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161216081131 -D 20161230081131 Kexample.com.+008+45825

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+45825 -L 3600 -i 604800

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170214081131 -D 20170228081131 Kexample.com.+008+58464

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+58464 -L 3600 -i 604800

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170415081131 -D 20170429081131 Kexample.com.+008+59949

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59949 -L 3600 -i 604800

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170614081131 -D 20170628081131 Kexample.com.+008+59589

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59589 -L 3600 -i 604800

# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170813081131 -D 20170827081131 Kexample.com.+008+47265

# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+47265 -L 3600 -i 604800
34
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
rndc managed-keys
•rndc can now be used to get information about the configured
DNSSEC trust-anchor(s)
•useful to track the automatic trust anchor update (RFC 5011) for the upcoming
KSK change in the root zone

https://www.icann.org/resources/pages/ksk-rollover
•Example:

# rndc managed-keys status

view: _default

next scheduled event: Fri, 19 Aug 2016 08:30:56 GMT



name: .

keyid: 19036

algorithm: RSASHA256

flags: SEP

next refresh: Fri, 19 Aug 2016 08:30:56 GMT

trusted since: Thu, 18 Aug 2016 08:30:53 GMT
35
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNSSEC trust-anchor telemetry
BIND 9 configured as a DNSSEC validating resolver will send specially-
formed queries once per day to domains for which trust anchors have
been configured via trusted-keys, managed-keys, dnssec-validation
auto, or dnssec-lookaside auto
• The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>,
where each "xxxx" is a group of four hexadecimal digits representing the key ID of a
trusted DNSSEC key
• this gives operators of trusted DNSSEC domains feedback on which active trust-
anchors are used for the domains they host
• this helps operators to decide when an old key can be removed from the DNSSEC
zone
• trust-anchor-telemetry no; will disable this function

36
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Automating DNSSEC Delegation Trust
Maintenance (RFC 7344)
BIND 9.11 supports the CDS and CDNSKEY
resource records
BIND 9.11 can publish new DS via CDS, or new
DNSKEY via CDNSKEY, whenever a new KSK is
being created
parent zone operator can monitor the child

zone and imports new DS and DNSKEY 

data from the CDS or CDNSKEY records
37
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Automating DNSSEC Delegation Trust
Maintenance
38
Parent DNS
Child DNS
child.tld. IN SOA …
child.tld. IN NS …
child.tld. IN DNSKEY …
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Automating DNSSEC Delegation Trust
Maintenance
39
Parent DNS
Child DNS
child.tld. IN SOA …
child.tld. IN NS …
child.tld. IN DNSKEY …
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …
child.tld. IN DS …
child.tld. IN DS …
Updating DNSSEC Trust chain today
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Automating DNSSEC Delegation Trust
Maintenance
40
Parent DNS
Child DNS
child.tld. IN SOA …
child.tld. IN NS …
child.tld. IN DNSKEY …
tld. IN SOA …
tld. IN NS …
tld. IN DNSKEY …
child.tld. IN CDS …
child.tld. IN DS …
Updating DNSSEC Trust chain 

with CDS / CDNSKEY
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Automating DNSSEC Delegation Trust
Maintenance (RFC 7344)
dnssec-keygen and dnssec-settime now support additional
timing information SYNC Publish (when to publish CDS/
CDNSKEY) and SYNC Delete (when to remove CDS/CDNSKEY)



# dnssec-settime -Psync +3mo /etc/namedb/keys/Kexample.com.+008+58464.key

# dnssec-settime -p all /etc/namedb/keys/Kexample.com.+008+58464.key
Created: Thu Aug 18 10:11:31 2016

Publish: Fri Dec 9 09:11:31 2016

Activate: Fri Dec 16 09:11:31 2016

Revoke: UNSET

Inactive: Tue Feb 14 09:11:31 2017

Delete: Tue Feb 28 09:11:31 2017

SYNC Publish: Wed Nov 16 09:47:45 2016

SYNC Delete: UNSET
41
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNSSEC negative trust anchors
negative trust anchors (nta) disable DNSSEC validation for a
specific domain for a certain amount of time
• can be used by operators in case a misconfiguration for a remote
DNSSEC signed zone is detected. Care should be take to check that the
DNSSEC validation failure is indeed a misconfiguration and not attack
• domains with an NTA are processed as if there is no trust-anchor for
that domain
• NTAs are stored and are persistent across BIND 9 restarts
• BIND 9 checks the domain periodically. Once the domain starts
validating again, the NTA for the domain is removed
• NTAs have a lifetime (maximum one week) and expire automatically
42
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNSSEC negative trust anchors
adding an NTA (for 60 seconds):



# rndc nta -l 60 fail01.dnssec.works
Negative trust anchor added: fail01.dnssec.works/_default,
expires 18-Aug-2016 13:52:19.000
# rndc nta -dump

fail01.dnssec.works: expired 18-Aug-2016 13:52:19.000
# ls -l /etc/namedb/_default.nta

-rw-r--r--. 1 root root 44 Aug 18 13:51 /etc/namedb/_default.nta
# cat /etc/namedb/_default.nta

fail01.dnssec.works. regular 20160818115219
43
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNSSEC negative trust anchors
removing an NTA:



# rndc nta -l 86400 fail02.dnssec.works

Negative trust anchor added: fail02.dnssec.works/_default,
expires 19-Aug-2016 13:56:22.000
# rndc nta -dump

fail02.dnssec.works: expiry 19-Aug-2016 13:56:22.000
# rndc nta -r fail02.dnssec.works

Negative trust anchor removed: fail02.dnssec.works/_default
# rndc nta -dump

#
44
NTA for one
day
NTA removed
© Men & Mice http://menandmice.com
DNS Cookies
45
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNS Cookies
DNS Cookies, defined in RFC 7873, create a
lightweight session over UDP between a DNS client
(can be a DNS resolver) and DNS server
DNS cookies
• can mitigate cache poisoning attacks
• make DNS amplification attacks harder
46
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
47
DNS cookie
secret configured
BIND 9.11
DNS Resolver
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
48
DNS query

Client Cookie Hash: a56f341

Server Cookie Hash: empty
BIND 9.11
DNS Resolver
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
49
DNS query

Client Cookie Hash: a56f341

Server Cookie Hash: empty
BIND 9.11
DNS Resolver
Error
Response:
BADCOOKIE
includes 

Server Cookie Hash
b761a22
Client can
cache server
cookie
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
50
DNS query

Client Cookie Hash: a56f341

Server Cookie Hash: b761a22
BIND 9.11
DNS Resolver
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
51
DNS query

Client Cookie Hash: a56f341

Server Cookie Hash: b761a22
BIND 9.11
DNS Resolver
NOERROR
Response

includes 

Server Cookie Hash
b761a22
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNS Cookies
DNS cookies are enabled in BIND 9.11 by default (including the dig tool)



# dig @localhost menandmice.com



; <<>> DiG 9.11.0b3 <<>> @localhost menandmice.com

; (2 servers found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6448

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 7



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: d22bde1a43ccf88213b35b4257b59343163def237257e622 (good)

;; QUESTION SECTION:

;menandmice.com. IN A



;; ANSWER SECTION:

menandmice.com. 300 IN A 72.10.32.220
52
DNS
cookie
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNS Cookies
Configuration options for DNS cookies in BIND 9.11:
• require-server-cookie - (authoritative server or resolver)
Require a valid server cookie before sending a full response
to a UDP request from a cookie aware client. BADCOOKIE
is sent if there is a bad or no existent server cookie.
• send-cookie - (resolver) If yes, then a COOKIE EDNS
option is sent along with the query. If the resolver has
previously talked to the server, the COOKIE returned in the
previous transaction is sent.
53
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
DNS Cookies
Configuration options for DNS cookies in BIND 9.11:
• nocookie-udp-size - (authoritative or resolver) 

Sets the maximum size of UDP responses that will be sent to
queries without a valid server COOKIE.
• cookie-algorithm - (authoritative or resolver) 

Set the algorithm to be used when generating the server cookie.
One of "aes", "sha1" or "sha256".
• cookie-secret - (authoritative or resolver) 

If set, this is a shared secret used for generating and verifying
DNS cookies within an anycast cluster. If not set, the system will
generate a random secret at startup.
54
© Men & Mice http://menandmice.com
Misc
55
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
new resource record types
BIND 9 now supports the following resource record types:
• OPENPGPKEY - stores PGP public keys for email-addresses
• AVC - stores metadata about applications (Cisco DNS-AS - "DNS Authoritative
Source")
• TA - DNSSEC Trust Authorities
• TALINK - used by applications that maintain trust anchors for DNS validators
• NINFO - a mechanism in the DNS to publish descriptive information about the
status of the zone
• RKEY - publishing arbitrary application keys that could be used to encrypt DNS
resource records
• SINK - Kitchen Sink Resource Record 

(https://tools.ietf.org/html/draft-eastlake-kitchen-sink)
56
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Minimal ANY
•a BIND 9 server getting an query with type ANY
(QTYPE 255) will answer with all records matching
the requested domain name and class
•this can create large UDP DNS answer packets
;; QUESTION SECTION:

;menandmice.com. IN ANY



;; ANSWER SECTION:

menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900

menandmice.com. 3600 IN TXT "HhnTdT3K"

menandmice.com. 3600 IN TXT "MS=ms81797768"

menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com
a:imap2.skyrr.is a:mx.hysing.is ~all"

ns2.c.is. 84985 IN A 213.176.143.102

dns1.menandmice.com. 171385 IN A 217.151.171.7

dns2.menandmice.com. 171385 IN A 217.151.171.21

dns3.menandmice.com. 171385 IN A 45.79.153.125

[…]

;; Query time: 97 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Mon Aug 15 10:49:15 CEST 2016

;; MSG SIZE rcvd: 719
57
DNS
answer
size
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Minimal ANY
•starting with BIND 9.11, BIND 9 can be configured
to only return the first entry of an matching ANY
query
•this mitigates the problem without causing (too
much) breakage of older software (qmail etc)
options {

minimal-any yes;

};
58
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
Minimal ANY
•same query as before with minimal-any enabled:
# dig menandmice.com any
; <<>> DiG 9.11.0b3 <<>> menandmice.com any

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)

;; QUESTION SECTION:

;menandmice.com. IN ANY

;; ANSWER SECTION:

menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300
604800 900

;; Query time: 0 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Mon Aug 15 10:55:22 CEST 2016

;; MSG SIZE rcvd: 123
59
DNS answer size
123 < 719 Byte
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
adaptive preferred glue
BIND 9.11 now fills the additional section with glue
records matching the transport protocol the query
was received
• query received over IPv4 - A-Record glue data is preferred
• query received over IPv6 - AAAA-Record glue data is
preferred
60
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
nslookup resolves IPv6 AAAA
nslookup got updated (WHOOO!)
nslookup will now lookup IPv4 and IPv6 information for a
hostname
# nslookup

> menandmice.com

Server: 172.22.1.22

Address: 172.22.1.22#53



Non-authoritative answer:

Name: menandmice.com

Address: 72.10.32.220

Name: menandmice.com

Address: 2a01:7e00::f03c:91ff:fe89:ed54
61
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
SERVFAIL Caching
DNS answers with the return code of SERVFAIL are
now cached (Default 1 sec)
This reduces the frequency of retries when a query is
persistently failing, which can be a burden on
recursive servers
Cache-Time for SERVFAIL answers can be configured
with the servfail-ttl statement, maximum is 30
seconds
62
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
new mdig query tool
the new tool mdig (multi-dig) can be used to send
multiple queries at once to an DNS server
answers will be printed in order of arrival
63
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
new mdig query tool
# mdig @8.8.8.8 menandmice.com www.menandmice.com info.menandmice.com

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1



;; QUESTION SECTION:

;www.menandmice.com. IN A



;; ANSWER SECTION:

www.menandmice.com. 4m59s IN A 72.10.32.220



;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61756

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1



;; QUESTION SECTION:

;menandmice.com. IN A



;; ANSWER SECTION:

menandmice.com. 4m59s IN A 72.10.32.220



;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23068

;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1



;; QUESTION SECTION:

;info.menandmice.com. IN A



;; ANSWER SECTION:

info.menandmice.com. 4m59s IN CNAME 77026.group26.sites.hubspot.net.

77026.group26.sites.hubspot.net. 29m59s IN CNAME cos2mdc.hubspot.net.mdc.edgesuite.net.

cos2mdc.hubspot.net.mdc.edgesuite.net. 5h57m44s IN CNAME a1711.b.akamai.net.

a1711.b.akamai.net. 19s IN A 95.101.90.26

a1711.b.akamai.net. 19s IN A 95.101.90.82
64
three queries
Answer for #2
Answer for #1
Answer for #3
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
dig switches
dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours,
minutes, and seconds:



# dig +ttlunits menandmice.com



; <<>> DiG 9.11.0b3 <<>> +ttlunits menandmice.com

;; global options: +cmd

;; Got answer:

[…]



;; ANSWER SECTION:

menandmice.com. 4m54s IN A 72.10.32.220


;; AUTHORITY SECTION:

menandmice.com. 20h52m59s IN NS ns2.c.is.

menandmice.com. 20h52m59s IN NS dns1.menandmice.com.

menandmice.com. 20h52m59s IN NS ns0.c.is.

menandmice.com. 20h52m59s IN NS dns3.menandmice.com.

menandmice.com. 20h52m59s IN NS ns1.c.is.

menandmice.com. 20h52m59s IN NS dns2.menandmice.com.



;; ADDITIONAL SECTION:

dns1.menandmice.com. 21h9m22s IN A 217.151.171.7

dns2.menandmice.com. 20h52m59s IN A 217.151.171.21

dns3.menandmice.com. 1h29m39s IN A 45.79.153.125
65
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
multiple named processes
BIND 9.11 prevents the named process to start
accidentally more than once
named refuses to start if
• it cannot bind to any network interface
• if the Lock-File /var/run/named/named.lock already exists
66
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
multiple named processes
# named -g

18-Aug-2016 13:31:16.929 starting BIND 9.11.0b3 <id:a23f742>

18-Aug-2016 13:31:16.929 running on Linux x86_64 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016

18-Aug-2016 13:31:16.929 built with '--sysconfdir=/etc/namedb'

18-Aug-2016 13:31:16.929 running as: named -g

18-Aug-2016 13:31:16.929 ----------------------------------------------------

18-Aug-2016 13:31:16.929 BIND 9 is maintained by Internet Systems Consortium,

18-Aug-2016 13:31:16.929 Inc. (ISC), a non-profit 501(c)(3) public-benefit

18-Aug-2016 13:31:16.929 corporation. Support and training for BIND 9 are

18-Aug-2016 13:31:16.929 available at https://www.isc.org/support

18-Aug-2016 13:31:16.929 ----------------------------------------------------

18-Aug-2016 13:31:16.929 adjusted limit on open files from 65536 to 1048576

18-Aug-2016 13:31:16.929 found 4 CPUs, using 4 worker threads

18-Aug-2016 13:31:16.929 using 3 UDP listeners per interface

18-Aug-2016 13:31:16.929 using up to 4096 sockets

18-Aug-2016 13:31:16.938 loading configuration from '/etc/namedb/named.conf'

18-Aug-2016 13:31:16.939 reading built-in trusted keys from file '/etc/namedb/bind.keys'

18-Aug-2016 13:31:16.939 using default UDP/IPv4 port range: [32768, 60999]

18-Aug-2016 13:31:16.939 using default UDP/IPv6 port range: [32768, 60999]

18-Aug-2016 13:31:16.941 listening on IPv6 interfaces, port 53

18-Aug-2016 13:31:16.948 binding TCP socket: address in use

18-Aug-2016 13:31:16.948 listening on IPv4 interface lo, 127.0.0.1#53

18-Aug-2016 13:31:16.949 binding TCP socket: address in use

18-Aug-2016 13:31:16.949 listening on IPv4 interface mv-p3p1, 172.22.1.129#53

18-Aug-2016 13:31:16.950 binding TCP socket: address in use

18-Aug-2016 13:31:16.950 unable to listen on any configured interfaces

18-Aug-2016 13:31:16.950 loading configuration: failure

18-Aug-2016 13:31:16.950 exiting (due to fatal error)
67
© Men & Mice http://menandmice.com 

© ISC http://www.isc.org
more changes
The BIND 9.11 change log file has additional
information on all the changes
http://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt
68
© Men & Mice http://menandmice.com
Upcoming training classes
KEA-DHCP
October 13 – 14, 2016 - West Coast, USA
October 17 – 18, 2016 - East Coast, USA
November 21 – 22, 2016 - Amsterdam, The Netherlands
Two days - Hands-On training
US$ 1795
69
https://www.menandmice.com/support-training/training/kea-dhcp-training/
© Men & Mice http://menandmice.com
more training
•October 3 – 5, 2016 Introduction to DNS & BIND
Hands-On class Arlington (VA), USA
•October 3 – 7, 2016 Introduction & Advanced DNS
and BIND Topics Hands-on class Arlington (VA), USA
•October 5 – 7, 2016 DNSSEC Technical Workshop –
Implementation and Deployment Arlington (VA), USA
•October 10-14, 2014 "DNS und BIND / DNS
Sicherheit" (German) @ Linuxhotel, Essen, Germany
70
https://www.menandmice.com/support-training/training/
© Men & Mice http://menandmice.com
our next webinar 

A secure BIND 9 – best practices
When operating a DNS server, a secure configuration is
paramount. BIND 9 experts from the Men & Mice team will
answer questions about BIND 9 security.
Learn more on:
• “chroot” vs. “container”
• separating resolving and authoritative services for security
• BIND 9 configuration hardening
• monitoring BIND 9 for security issues
August 31st, 2016 4:00pm CEST/ 2:00pm GMT/ 10:00am EDT/ 7:00am PDT
71
https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/
© Men & Mice http://menandmice,com
Thank you!
Questions? Comments?
72

More Related Content

What's hot

ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
Taiji Tsuchiya
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Kohei Tokunaga
 
クラウドオーケストレーション「OpenStack Heat」に迫る!
クラウドオーケストレーション「OpenStack Heat」に迫る!クラウドオーケストレーション「OpenStack Heat」に迫る!
クラウドオーケストレーション「OpenStack Heat」に迫る!
Etsuji Nakai
 
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
tamtam180
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
Kohei Tokunaga
 
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
NTT DATA Technology & Innovation
 
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
VirtualTech Japan Inc.
 
Introduction to Initramfs - Initramfs-tools and Dracut
Introduction to Initramfs - Initramfs-tools and DracutIntroduction to Initramfs - Initramfs-tools and Dracut
Introduction to Initramfs - Initramfs-tools and Dracut
Taisuke Yamada
 
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Edureka!
 
第 1 回 Jetson ユーザー勉強会
第 1 回 Jetson ユーザー勉強会第 1 回 Jetson ユーザー勉強会
第 1 回 Jetson ユーザー勉強会
NVIDIA Japan
 
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
Tetsuya Hasegawa
 
次世代Webコンテナ Undertowについて
次世代Webコンテナ Undertowについて次世代Webコンテナ Undertowについて
次世代Webコンテナ Undertowについて
Yoshimasa Tanabe
 
Linux女子部 iptables復習編
Linux女子部 iptables復習編Linux女子部 iptables復習編
Linux女子部 iptables復習編
Etsuji Nakai
 
Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門
Etsuji Nakai
 
ConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみた
Akira Iwamoto
 
Android起動周りのノウハウ
Android起動周りのノウハウAndroid起動周りのノウハウ
Android起動周りのノウハウ
chancelab
 
Docker Compose 徹底解説
Docker Compose 徹底解説Docker Compose 徹底解説
Docker Compose 徹底解説
Masahito Zembutsu
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
Motonori Shindo
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Pierre-jean Texier
 

What's hot (20)

ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
ルータコンフィグのGit管理のススメ 〜Git管理以外を自動化してみた〜
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
 
クラウドオーケストレーション「OpenStack Heat」に迫る!
クラウドオーケストレーション「OpenStack Heat」に迫る!クラウドオーケストレーション「OpenStack Heat」に迫る!
クラウドオーケストレーション「OpenStack Heat」に迫る!
 
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
Getting Started GraalVM / GraalVM超入門 #jjug_ccc #ccc_c2
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
 
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
BigtopでHadoopをビルドする(Open Source Conference 2021 Online/Spring 発表資料)
 
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
GMOインターネット様 発表「OpenStackのモデルの最適化とConoHa, Z.comとGMOアプリクラウドへの適用」 - OpenStack最新情...
 
Introduction to Initramfs - Initramfs-tools and Dracut
Introduction to Initramfs - Initramfs-tools and DracutIntroduction to Initramfs - Initramfs-tools and Dracut
Introduction to Initramfs - Initramfs-tools and Dracut
 
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
 
第 1 回 Jetson ユーザー勉強会
第 1 回 Jetson ユーザー勉強会第 1 回 Jetson ユーザー勉強会
第 1 回 Jetson ユーザー勉強会
 
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
SSHパケットの復号ツールを作ろう_v1(Decrypt SSH .pcap File)
 
次世代Webコンテナ Undertowについて
次世代Webコンテナ Undertowについて次世代Webコンテナ Undertowについて
次世代Webコンテナ Undertowについて
 
Linux女子部 iptables復習編
Linux女子部 iptables復習編Linux女子部 iptables復習編
Linux女子部 iptables復習編
 
Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門
 
ConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみた
 
Android起動周りのノウハウ
Android起動周りのノウハウAndroid起動周りのノウハウ
Android起動周りのノウハウ
 
Docker Compose 徹底解説
Docker Compose 徹底解説Docker Compose 徹底解説
Docker Compose 徹底解説
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
 

Viewers also liked

Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
Men and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
Men and Mice
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
Men and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
Men and Mice
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
DNSSec
DNSSecDNSSec
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoS
Fakrul Alam
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
Men and Mice
 
Linux14 Dynamic DNS
Linux14 Dynamic DNSLinux14 Dynamic DNS
Linux14 Dynamic DNS
Jainul Musani
 
Linux15 dynamic dns-2
Linux15 dynamic dns-2Linux15 dynamic dns-2
Linux15 dynamic dns-2
Jainul Musani
 
Fleet Commander - Flock 2017
Fleet Commander - Flock 2017Fleet Commander - Flock 2017
Fleet Commander - Flock 2017
Alberto Ruiz
 
Ps3 linux
Ps3 linuxPs3 linux
Ps3 linux
Keith Wright
 
Centos 7 Installation Steps
Centos 7 Installation StepsCentos 7 Installation Steps
Centos 7 Installation Steps
Keith Wright
 
DDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection Mitigation
Fakrul Alam
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
Men and Mice
 
Rh199 rhel 7
Rh199   rhel 7Rh199   rhel 7
Rh199 rhel 7
Ranjeet Kumar Azad
 
Linux system administrators-guide
Linux system administrators-guideLinux system administrators-guide
Linux system administrators-guide
Keith Wright
 

Viewers also liked (20)

Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
DNSSec
DNSSecDNSSec
DNSSec
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoS
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Linux14 Dynamic DNS
Linux14 Dynamic DNSLinux14 Dynamic DNS
Linux14 Dynamic DNS
 
Linux15 dynamic dns-2
Linux15 dynamic dns-2Linux15 dynamic dns-2
Linux15 dynamic dns-2
 
Fleet Commander - Flock 2017
Fleet Commander - Flock 2017Fleet Commander - Flock 2017
Fleet Commander - Flock 2017
 
Ps3 linux
Ps3 linuxPs3 linux
Ps3 linux
 
Centos 7 Installation Steps
Centos 7 Installation StepsCentos 7 Installation Steps
Centos 7 Installation Steps
 
DDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection Mitigation
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
 
Rh199 rhel 7
Rh199   rhel 7Rh199   rhel 7
Rh199 rhel 7
 
Linux system administrators-guide
Linux system administrators-guideLinux system administrators-guide
Linux system administrators-guide
 

Similar to What is new in BIND 9.11?

Verified CKAD Exam Questions and Answers
Verified CKAD Exam Questions and AnswersVerified CKAD Exam Questions and Answers
Verified CKAD Exam Questions and Answers
dalebeck957
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
Dominique Dumont
 
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
Maria Demitras
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
Oracle cluster installation with grid and nfs
Oracle cluster  installation with grid and nfsOracle cluster  installation with grid and nfs
Oracle cluster installation with grid and nfs
Chanaka Lasantha
 
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
Henning Jacobs
 
Oracle cluster installation with grid and iscsi
Oracle cluster  installation with grid and iscsiOracle cluster  installation with grid and iscsi
Oracle cluster installation with grid and iscsi
Chanaka Lasantha
 
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:InventHow Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
Henning Jacobs
 
vmaf deployement & upgrade for software projects
vmaf deployement & upgrade for software projectsvmaf deployement & upgrade for software projects
vmaf deployement & upgrade for software projects
Thierry Gayet
 
IBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
IBM WebSphere MQ for z/OS V8 - Latest Features Deep DiveIBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
IBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
Damon Cross
 
7 reasons to start using Docker
7 reasons to start using Docker7 reasons to start using Docker
7 reasons to start using Docker
Taras Lyapun
 
DNS Troubleshooting.pdf
DNS Troubleshooting.pdfDNS Troubleshooting.pdf
DNS Troubleshooting.pdf
Ritish H
 
Tungsten University: Replicate Between MySQL And Oracle
Tungsten University: Replicate Between MySQL And OracleTungsten University: Replicate Between MySQL And Oracle
Tungsten University: Replicate Between MySQL And Oracle
Continuent
 
OpenStack Magnum 2016-08-04
OpenStack Magnum 2016-08-04OpenStack Magnum 2016-08-04
OpenStack Magnum 2016-08-04
Adrian Otto
 
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
YUCHENG HU
 
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance GainsFrom Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
ScyllaDB
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
Gotchas using Terraform in a secure delivery pipeline
Gotchas using Terraform in a secure delivery pipelineGotchas using Terraform in a secure delivery pipeline
Gotchas using Terraform in a secure delivery pipeline
Anton Babenko
 
Schema replication using oracle golden gate 12c
Schema replication using oracle golden gate 12cSchema replication using oracle golden gate 12c
Schema replication using oracle golden gate 12c
uzzal basak
 
Apache cassandra v4.0
Apache cassandra v4.0Apache cassandra v4.0
Apache cassandra v4.0
Yuki Morishita
 

Similar to What is new in BIND 9.11? (20)

Verified CKAD Exam Questions and Answers
Verified CKAD Exam Questions and AnswersVerified CKAD Exam Questions and Answers
Verified CKAD Exam Questions and Answers
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
 
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
Data Center Floor Design - Your Layout Can Save of Kill Your PUE & Cooling Ef...
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
 
Oracle cluster installation with grid and nfs
Oracle cluster  installation with grid and nfsOracle cluster  installation with grid and nfs
Oracle cluster installation with grid and nfs
 
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
Running Kubernetes in Production: A Million Ways to Crash Your Cluster - Cont...
 
Oracle cluster installation with grid and iscsi
Oracle cluster  installation with grid and iscsiOracle cluster  installation with grid and iscsi
Oracle cluster installation with grid and iscsi
 
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:InventHow Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
 
vmaf deployement & upgrade for software projects
vmaf deployement & upgrade for software projectsvmaf deployement & upgrade for software projects
vmaf deployement & upgrade for software projects
 
IBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
IBM WebSphere MQ for z/OS V8 - Latest Features Deep DiveIBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
IBM WebSphere MQ for z/OS V8 - Latest Features Deep Dive
 
7 reasons to start using Docker
7 reasons to start using Docker7 reasons to start using Docker
7 reasons to start using Docker
 
DNS Troubleshooting.pdf
DNS Troubleshooting.pdfDNS Troubleshooting.pdf
DNS Troubleshooting.pdf
 
Tungsten University: Replicate Between MySQL And Oracle
Tungsten University: Replicate Between MySQL And OracleTungsten University: Replicate Between MySQL And Oracle
Tungsten University: Replicate Between MySQL And Oracle
 
OpenStack Magnum 2016-08-04
OpenStack Magnum 2016-08-04OpenStack Magnum 2016-08-04
OpenStack Magnum 2016-08-04
 
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
2012 09 MariaDB Boston Meetup - MariaDB 是 Mysql 的替代者吗
 
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance GainsFrom Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
 
Gotchas using Terraform in a secure delivery pipeline
Gotchas using Terraform in a secure delivery pipelineGotchas using Terraform in a secure delivery pipeline
Gotchas using Terraform in a secure delivery pipeline
 
Schema replication using oracle golden gate 12c
Schema replication using oracle golden gate 12cSchema replication using oracle golden gate 12c
Schema replication using oracle golden gate 12c
 
Apache cassandra v4.0
Apache cassandra v4.0Apache cassandra v4.0
Apache cassandra v4.0
 

More from Men and Mice

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
Men and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
Men and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
Men and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
Men and Mice
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
Men and Mice
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
Men and Mice
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
Men and Mice
 
DNSSEC best practices Webinar
DNSSEC best practices WebinarDNSSEC best practices Webinar
DNSSEC best practices Webinar
Men and Mice
 
IETF 92 Webinar
IETF 92 WebinarIETF 92 Webinar
IETF 92 Webinar
Men and Mice
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS Server
Men and Mice
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
Men and Mice
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloaded
Men and Mice
 

More from Men and Mice (20)

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
 
DNSSEC best practices Webinar
DNSSEC best practices WebinarDNSSEC best practices Webinar
DNSSEC best practices Webinar
 
IETF 92 Webinar
IETF 92 WebinarIETF 92 Webinar
IETF 92 Webinar
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS Server
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloaded
 

Recently uploaded

Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 

Recently uploaded (20)

Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 

What is new in BIND 9.11?

  • 1. © Men & Mice http://menandmice.com BIND 9.11 1
  • 2. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org BIND 9.11 • Catalog Zones • new rndc functions • dnssec-keymgr • CDS/CDNSKEY auto generation • Negative Trust Anchor • DNS cookies • Minimal “any” 2
  • 3. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org BIND 9.11 License change •BIND 9.11 is now licensed under the Mozilla Public License (MPL)
 https://en.wikipedia.org/wiki/Mozilla_Public_License •previous versions of BIND 9 are licensed under ISC License (a variation of the BSD License)
 https://en.wikipedia.org/wiki/ISC_license •both licenses are "Open-Source" licenses •this change does have no impact on users of BIND 9 (including users of the Men & Mice Suite) •it has an impact of companies that include an adapted version of BIND 9 into their product offerings 3
  • 4. © Men & Mice http://menandmice.com BIND 9 catalog zones 4
  • 5. © Men & Mice http://menandmice.com Catalog Zones •catalog zones are a way to provision DNS zones •catalog zones are an internet draft (RFC "work in progress) in the IETF 
 https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones •a "proof-of-concept" implementation for PowerDNS exists 5
  • 6. © Men & Mice http://menandmice.com Catalog Zones •a catalog zone works like a normal DNS zone •it contains the names and configuration metadata of zones that should exist on a secondary server •the catalog zone is maintained on the master server • new zones added into the catalog zone on the master are also created on the secondaries receiving the same catalog zone 6
  • 7. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 7 Server with Master zones Server with Slave zones
  • 8. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 8 Catalog Zone (master) empty Server with Master zones Server with Slave zones
  • 9. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 9 Catalog Zone (master) empty Server with Master zones Server with Slave zones Catalog Zone (slave) empty
  • 10. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 10 Catalog Zone (master) empty Server with Master zones Server with Slave zones Catalog Zone (slave) empty Production Zone (master) example.com
  • 11. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 11 Catalog Zone (master) example.com Server with Master zones Server with Slave zones Catalog Zone (slave) empty Production Zone (master) example.com new production zone added to the catalog zone
  • 12. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 12 Catalog Zone (master) example.com Server with Master zones Server with Slave zones Catalog Zone (slave) example.com Production Zone (master) example.com zone transfer
  • 13. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 13 Catalog Zone (master) example.com Server with Master zones Server with Slave zones Catalog Zone (slave) example.com Production Zone (master) example.com production slave zone configuration is added by BIND Production Zone (slave) example.com
  • 14. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 14 Catalog Zone (master) example.com Server with Master zones Server with Slave zones Catalog Zone (slave) example.com Production Zone (master) example.com zone transfer Production Zone (slave) example.com
  • 15. © Men & Mice http://menandmice.com Catalog Zones •empty catalog zone $TTl 60
 @ IN SOA authoritative.example.com. hostmaster (
 1001 2h 20m 41d 1h )
 IN NS authoritative.example.com.
 IN NS secondary01.example.com. 15 names should be resolvable via DNS for notify to work
  • 16. © Men & Mice http://menandmice.com Catalog Zones •BIND 9 named.conf with catalog zone on the master server options {
 directory "/etc/namedb";
 recursion no;
 }; logging { channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
 category xfer-in { transfer-log; };
 category xfer-out { transfer-log; };
 }; zone "catalog.example" {
 type master;
 file "catalog.example";
 }; 16
  • 17. © Men & Mice http://menandmice.com Catalog Zones •start BIND 9 on the master # named-checkconf -z
 zone catalog.example/IN: loaded serial 1001 # named # rndc status
 version: BIND 9.11.0b3 <id:a23f742>
 running on csmobile4.example.com: Linux x86_64 4.6.5-300.fc24.x86_64 #1 SMP Thu Jul 28 01:10:12 UTC 2016
 boot time: Tue, 16 Aug 2016 07:29:05 GMT
 last configured: Tue, 16 Aug 2016 07:30:49 GMT
 configuration file: /etc/named.conf
 CPUs found: 4
 worker threads: 4
 UDP listeners per interface: 3
 number of zones: 2 (0 automatic)
 debug level: 0
 xfers running: 0
 xfers deferred: 0
 soa queries in progress: 0
 query logging is OFF
 recursive clients: 0/900/1000
 tcp clients: 0/150
 server is up and running 17
  • 18. © Men & Mice http://menandmice.com Catalog Zones • BIND 9 configuration on the secondary options {
 directory "/etc/namedb";
 recursion no;
 
 allow-new-zones yes;
 catalog-zones {
 zone "catalog.example"
 zone-directory "cat-zones"
 in-memory no
 default-masters { 172.22.1.196; };
 };
 }; logging {
 channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
 category xfer-in { transfer-log; };
 category xfer-out { transfer-log; };
 };
 
 zone "catalog.example" {
 type slave;
 file "catalog.example";
 masters { 172.22.1.196; };
 }; 18 allow BIND 9 to dynamically add new zones definition of the catalog zone directory for storing new slave zones IP addresses of the default masters for new slave zones write slave zone contents to disk catalog zone definition
  • 19. © Men & Mice http://menandmice.com Catalog Zones • adding the new zone to the BIND 9 server (Step 1) # $EDITOR /etc/namedb/example.com $ttl 1800
 @ IN SOA authoritative.example.com. hostmaster 1001 2h 30m 41d 1h
 IN NS authoritative.example.com.
 IN NS secondary01.example.com. authoritative IN A 172.22.1.196
 secondary01 IN A 172.22.1.199 19
  • 20. © Men & Mice http://menandmice.com Catalog Zones • adding the new zone to the BIND 9 server (Step 2) # $EDITOR /etc/namedb/named.conf options {
 directory "/etc/namedb";
 recursion no;
 }; logging {
 channel transfer-log { file "transfer.log" size 200M versions 10; print-time yes; };
 category xfer-in { transfer-log; };
 category xfer-out { transfer-log; };
 };
 
 zone "example.com" {
 type master;
 file "example.com";
 };
 
 zone "catalog.example" {
 type master;
 file "catalog.example";
 }; 20 new zone configuration
  • 21. © Men & Mice http://menandmice.com Catalog Zones • adding the new zone to the BIND 9 server (Step 3) # named-checkconf -z
 zone example.com/IN: loaded serial 1001
 zone catalog.example/IN: loaded serial 1001 21
  • 22. © Men & Mice http://menandmice.com Catalog Zones • adding the new zone to the catalog zone 
 # echo -n "example.com" | openssl sha1
 (stdin)= 0caaf24ab1a0c33440c06afe99df986365b0781f
 # $EDITOR /etc/namedb/catalog.example
 $TTl 60
 @ IN SOA authoritative.example.com. hostmaster 1002 (
 2h 20m 41d 1h )
 IN NS authoritative.example.com.
 IN NS secondary01.example.com.
 0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com. 22 sha1 hash identifying the new zone mapping the hash to the name of the zone increment SOA serial number
  • 23. © Men & Mice http://menandmice.com Catalog Zones • BIND 9 log information shows the update of the catalog zone followed by an transfer of the new zone: named[157]: client 172.22.1.196#60914: received notify for zone 'catalog.example'
 named[157]: zone catalog.example/IN: notify from 172.22.1.196#60914: serial 1002
 named[157]: zone catalog.example/IN: Transfer started.
 named[157]: catz: updating catalog zone 'catalog.example' with serial 1002
 named[157]: zone catalog.example/IN: transferred serial 1002
 named[157]: zone catalog.example/IN: sending notifies (serial 1002)
 named[157]: catz: adding zone 'example.com' from catalog 'catalog.example' - success
 named[157]: zone example.com/IN: Transfer started.
 named[157]: zone example.com/IN: transferred serial 1001
 named[157]: zone example.com/IN: sending notifies (serial 1001) 23 new zone is now available on the secondary
  • 24. © Men & Mice http://menandmice.com Catalog Zones • catalog zones can contain configuration information for the new zone (Details in the BIND 9 ARM): $TTl 60
 @ IN SOA authoritative.catalog.example. hostmaster 1002 2h 20m 41d 1h
 IN NS authoritative.example.com.
 IN NS secondary01.example.com. 0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
 masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196
 allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL (
 1:172.22.1.196/32 1:172.22.1.199/32 ) 24 access control list for zone-transfer definition of the zones master server(s)
  • 25. © Men & Mice http://menandmice.com Catalog Zones • rndc zonestatus on a zone added via catalog zone: # rndc zonestatus example.com
 name: example.com
 type: slave
 files: cat-zones/__catz___default_catalog.example_example.com.db
 serial: 1001
 nodes: 3
 last loaded: Thu, 18 Aug 2016 07:29:58 GMT
 next refresh: Thu, 18 Aug 2016 07:52:54 GMT
 expires: Mon, 26 Sep 2016 07:54:36 GMT
 secure: no
 dynamic: no
 reconfigurable via modzone: yes 25 zone expiry information for slave zones backup file
  • 26. © Men & Mice http://menandmice.com rndc 
 Remote Name Daemon Control 26
  • 27. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org read-only rndc •a rndc control channel can be configured "read-only" •all "destructive" rndc commands are blocked ("reload", "reconfigure", "stop", "addzone", "delzone" etc) •multiple control channels can be configured •each should have a unique "tsig" key for authentication
 
 key "rndc-key" {
 algorithm hmac-md5;
 secret "ikRtqFL52Inn+7wCE0Bb9A==";
 };
 
 controls {
 inet 127.0.0.1 port 953
 allow { 127.0.0.1; }
 keys { "rndc-key"; }
 read-only yes;
 }; 27
  • 28. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Zone provisioning with rndc •in previous BIND 9 versions, it is possible to dynamically add/remove zones to a running configuration with rndc addzone and rndc delzone •Zone configurations added with rndc addzone can now be changed dynamically with rndc modzone •rndc delzone can now also remove zones that are configured in named.conf
 # rndc delzone example.com
 zone 'example.com' is no longer active and will be deleted.
 To keep it from returning when the server is restarted, it
 must also be removed from named.conf. 28
  • 29. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org rndc zonestatus •rndc can now display detail information about a configured zone
 
 # rndc zonestatus example.com
 name: example.com
 type: master
 files: example.com
 serial: 1001
 nodes: 3
 last loaded: Thu, 18 Aug 2016 07:25:06 GMT
 secure: no
 dynamic: no
 reconfigurable via modzone: no 29
  • 30. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org python rndc •BIND 9.11 contains a python library to access the rndc control channel from within python programs •python written applications can make use of rndc functions (addzone, manage keys, sign zones etc) 30
  • 31. © Men & Mice http://menandmice.com DNSSEC 31
  • 32. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org dnssec-keymgr •dnssec-keymgr is a new tool written in Python to manage DNSSEC keys (and the key-rollover) •the tool will read a policy file (${SYSCONFDIR}/policy.conf) and will create new ZSK/KSK based on the defined policies •Policies can be defined global, per algorithm and per zone •Policies can inherit settings from a global policy definition 32
  • 33. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org dnssec-keymgr •dnssec-keymgr example policy configuration
 
 policy default-dnssec {
 directory "/etc/namedb/keys";
 algorithm rsasha256;
 key-size zsk 2048;
 key-size ksk 2560;
 pre-publish zsk 1w;
 post-publish zsk 2w;
 roll-period zsk 2mo;
 roll-period ksk 0;
 coverage 364d;
 };
 
 zone example.com {
 policy default-dnssec;
 key-size zsk 1536;
 }; 33 inherit the "default- dnssec" policy for the zone override a setting inherited from the global policy global policy definition
  • 34. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org dnssec-keymgr •dnssec-keymgr is designed to be run from a cron-job •it can be started manually:
 
 # dnssec-keymgr example.com
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -a RSASHA256 -b 1536 example.com
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -fk -a RSASHA256 -b 2560 example.com
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161017081131 -D 20161031081131 Kexample.com.+008+16143
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+16143 -L 3600 -i 604800
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161216081131 -D 20161230081131 Kexample.com.+008+45825
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+45825 -L 3600 -i 604800
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170214081131 -D 20170228081131 Kexample.com.+008+58464
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+58464 -L 3600 -i 604800
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170415081131 -D 20170429081131 Kexample.com.+008+59949
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59949 -L 3600 -i 604800
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170614081131 -D 20170628081131 Kexample.com.+008+59589
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59589 -L 3600 -i 604800
 # /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170813081131 -D 20170827081131 Kexample.com.+008+47265
 # /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+47265 -L 3600 -i 604800 34
  • 35. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org rndc managed-keys •rndc can now be used to get information about the configured DNSSEC trust-anchor(s) •useful to track the automatic trust anchor update (RFC 5011) for the upcoming KSK change in the root zone
 https://www.icann.org/resources/pages/ksk-rollover •Example:
 # rndc managed-keys status
 view: _default
 next scheduled event: Fri, 19 Aug 2016 08:30:56 GMT
 
 name: .
 keyid: 19036
 algorithm: RSASHA256
 flags: SEP
 next refresh: Fri, 19 Aug 2016 08:30:56 GMT
 trusted since: Thu, 18 Aug 2016 08:30:53 GMT 35
  • 36. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNSSEC trust-anchor telemetry BIND 9 configured as a DNSSEC validating resolver will send specially- formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto • The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key • this gives operators of trusted DNSSEC domains feedback on which active trust- anchors are used for the domains they host • this helps operators to decide when an old key can be removed from the DNSSEC zone • trust-anchor-telemetry no; will disable this function
 36
  • 37. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Automating DNSSEC Delegation Trust Maintenance (RFC 7344) BIND 9.11 supports the CDS and CDNSKEY resource records BIND 9.11 can publish new DS via CDS, or new DNSKEY via CDNSKEY, whenever a new KSK is being created parent zone operator can monitor the child
 zone and imports new DS and DNSKEY 
 data from the CDS or CDNSKEY records 37
  • 38. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Automating DNSSEC Delegation Trust Maintenance 38 Parent DNS Child DNS child.tld. IN SOA … child.tld. IN NS … child.tld. IN DNSKEY … tld. IN SOA … tld. IN NS … tld. IN DNSKEY …
  • 39. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Automating DNSSEC Delegation Trust Maintenance 39 Parent DNS Child DNS child.tld. IN SOA … child.tld. IN NS … child.tld. IN DNSKEY … tld. IN SOA … tld. IN NS … tld. IN DNSKEY … child.tld. IN DS … child.tld. IN DS … Updating DNSSEC Trust chain today
  • 40. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Automating DNSSEC Delegation Trust Maintenance 40 Parent DNS Child DNS child.tld. IN SOA … child.tld. IN NS … child.tld. IN DNSKEY … tld. IN SOA … tld. IN NS … tld. IN DNSKEY … child.tld. IN CDS … child.tld. IN DS … Updating DNSSEC Trust chain 
 with CDS / CDNSKEY
  • 41. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Automating DNSSEC Delegation Trust Maintenance (RFC 7344) dnssec-keygen and dnssec-settime now support additional timing information SYNC Publish (when to publish CDS/ CDNSKEY) and SYNC Delete (when to remove CDS/CDNSKEY)
 
 # dnssec-settime -Psync +3mo /etc/namedb/keys/Kexample.com.+008+58464.key
 # dnssec-settime -p all /etc/namedb/keys/Kexample.com.+008+58464.key Created: Thu Aug 18 10:11:31 2016
 Publish: Fri Dec 9 09:11:31 2016
 Activate: Fri Dec 16 09:11:31 2016
 Revoke: UNSET
 Inactive: Tue Feb 14 09:11:31 2017
 Delete: Tue Feb 28 09:11:31 2017
 SYNC Publish: Wed Nov 16 09:47:45 2016
 SYNC Delete: UNSET 41
  • 42. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNSSEC negative trust anchors negative trust anchors (nta) disable DNSSEC validation for a specific domain for a certain amount of time • can be used by operators in case a misconfiguration for a remote DNSSEC signed zone is detected. Care should be take to check that the DNSSEC validation failure is indeed a misconfiguration and not attack • domains with an NTA are processed as if there is no trust-anchor for that domain • NTAs are stored and are persistent across BIND 9 restarts • BIND 9 checks the domain periodically. Once the domain starts validating again, the NTA for the domain is removed • NTAs have a lifetime (maximum one week) and expire automatically 42
  • 43. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNSSEC negative trust anchors adding an NTA (for 60 seconds):
 
 # rndc nta -l 60 fail01.dnssec.works Negative trust anchor added: fail01.dnssec.works/_default, expires 18-Aug-2016 13:52:19.000 # rndc nta -dump
 fail01.dnssec.works: expired 18-Aug-2016 13:52:19.000 # ls -l /etc/namedb/_default.nta
 -rw-r--r--. 1 root root 44 Aug 18 13:51 /etc/namedb/_default.nta # cat /etc/namedb/_default.nta
 fail01.dnssec.works. regular 20160818115219 43
  • 44. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNSSEC negative trust anchors removing an NTA:
 
 # rndc nta -l 86400 fail02.dnssec.works
 Negative trust anchor added: fail02.dnssec.works/_default, expires 19-Aug-2016 13:56:22.000 # rndc nta -dump
 fail02.dnssec.works: expiry 19-Aug-2016 13:56:22.000 # rndc nta -r fail02.dnssec.works
 Negative trust anchor removed: fail02.dnssec.works/_default # rndc nta -dump
 # 44 NTA for one day NTA removed
  • 45. © Men & Mice http://menandmice.com DNS Cookies 45
  • 46. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNS Cookies DNS Cookies, defined in RFC 7873, create a lightweight session over UDP between a DNS client (can be a DNS resolver) and DNS server DNS cookies • can mitigate cache poisoning attacks • make DNS amplification attacks harder 46
  • 47. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 47 DNS cookie secret configured BIND 9.11 DNS Resolver
  • 48. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 48 DNS query
 Client Cookie Hash: a56f341
 Server Cookie Hash: empty BIND 9.11 DNS Resolver
  • 49. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 49 DNS query
 Client Cookie Hash: a56f341
 Server Cookie Hash: empty BIND 9.11 DNS Resolver Error Response: BADCOOKIE includes 
 Server Cookie Hash b761a22 Client can cache server cookie
  • 50. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 50 DNS query
 Client Cookie Hash: a56f341
 Server Cookie Hash: b761a22 BIND 9.11 DNS Resolver
  • 51. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org 51 DNS query
 Client Cookie Hash: a56f341
 Server Cookie Hash: b761a22 BIND 9.11 DNS Resolver NOERROR Response
 includes 
 Server Cookie Hash b761a22
  • 52. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNS Cookies DNS cookies are enabled in BIND 9.11 by default (including the dig tool)
 
 # dig @localhost menandmice.com
 
 ; <<>> DiG 9.11.0b3 <<>> @localhost menandmice.com
 ; (2 servers found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6448
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 7
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: d22bde1a43ccf88213b35b4257b59343163def237257e622 (good)
 ;; QUESTION SECTION:
 ;menandmice.com. IN A
 
 ;; ANSWER SECTION:
 menandmice.com. 300 IN A 72.10.32.220 52 DNS cookie
  • 53. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNS Cookies Configuration options for DNS cookies in BIND 9.11: • require-server-cookie - (authoritative server or resolver) Require a valid server cookie before sending a full response to a UDP request from a cookie aware client. BADCOOKIE is sent if there is a bad or no existent server cookie. • send-cookie - (resolver) If yes, then a COOKIE EDNS option is sent along with the query. If the resolver has previously talked to the server, the COOKIE returned in the previous transaction is sent. 53
  • 54. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org DNS Cookies Configuration options for DNS cookies in BIND 9.11: • nocookie-udp-size - (authoritative or resolver) 
 Sets the maximum size of UDP responses that will be sent to queries without a valid server COOKIE. • cookie-algorithm - (authoritative or resolver) 
 Set the algorithm to be used when generating the server cookie. One of "aes", "sha1" or "sha256". • cookie-secret - (authoritative or resolver) 
 If set, this is a shared secret used for generating and verifying DNS cookies within an anycast cluster. If not set, the system will generate a random secret at startup. 54
  • 55. © Men & Mice http://menandmice.com Misc 55
  • 56. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org new resource record types BIND 9 now supports the following resource record types: • OPENPGPKEY - stores PGP public keys for email-addresses • AVC - stores metadata about applications (Cisco DNS-AS - "DNS Authoritative Source") • TA - DNSSEC Trust Authorities • TALINK - used by applications that maintain trust anchors for DNS validators • NINFO - a mechanism in the DNS to publish descriptive information about the status of the zone • RKEY - publishing arbitrary application keys that could be used to encrypt DNS resource records • SINK - Kitchen Sink Resource Record 
 (https://tools.ietf.org/html/draft-eastlake-kitchen-sink) 56
  • 57. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Minimal ANY •a BIND 9 server getting an query with type ANY (QTYPE 255) will answer with all records matching the requested domain name and class •this can create large UDP DNS answer packets ;; QUESTION SECTION:
 ;menandmice.com. IN ANY
 
 ;; ANSWER SECTION:
 menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
 menandmice.com. 3600 IN TXT "HhnTdT3K"
 menandmice.com. 3600 IN TXT "MS=ms81797768"
 menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
 ns2.c.is. 84985 IN A 213.176.143.102
 dns1.menandmice.com. 171385 IN A 217.151.171.7
 dns2.menandmice.com. 171385 IN A 217.151.171.21
 dns3.menandmice.com. 171385 IN A 45.79.153.125
 […]
 ;; Query time: 97 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Mon Aug 15 10:49:15 CEST 2016
 ;; MSG SIZE rcvd: 719 57 DNS answer size
  • 58. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Minimal ANY •starting with BIND 9.11, BIND 9 can be configured to only return the first entry of an matching ANY query •this mitigates the problem without causing (too much) breakage of older software (qmail etc) options {
 minimal-any yes;
 }; 58
  • 59. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org Minimal ANY •same query as before with minimal-any enabled: # dig menandmice.com any ; <<>> DiG 9.11.0b3 <<>> menandmice.com any
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
 ;; QUESTION SECTION:
 ;menandmice.com. IN ANY
 ;; ANSWER SECTION:
 menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
 ;; Query time: 0 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Mon Aug 15 10:55:22 CEST 2016
 ;; MSG SIZE rcvd: 123 59 DNS answer size 123 < 719 Byte
  • 60. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org adaptive preferred glue BIND 9.11 now fills the additional section with glue records matching the transport protocol the query was received • query received over IPv4 - A-Record glue data is preferred • query received over IPv6 - AAAA-Record glue data is preferred 60
  • 61. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org nslookup resolves IPv6 AAAA nslookup got updated (WHOOO!) nslookup will now lookup IPv4 and IPv6 information for a hostname # nslookup
 > menandmice.com
 Server: 172.22.1.22
 Address: 172.22.1.22#53
 
 Non-authoritative answer:
 Name: menandmice.com
 Address: 72.10.32.220
 Name: menandmice.com
 Address: 2a01:7e00::f03c:91ff:fe89:ed54 61
  • 62. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org SERVFAIL Caching DNS answers with the return code of SERVFAIL are now cached (Default 1 sec) This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers Cache-Time for SERVFAIL answers can be configured with the servfail-ttl statement, maximum is 30 seconds 62
  • 63. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org new mdig query tool the new tool mdig (multi-dig) can be used to send multiple queries at once to an DNS server answers will be printed in order of arrival 63
  • 64. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org new mdig query tool # mdig @8.8.8.8 menandmice.com www.menandmice.com info.menandmice.com
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
 ;; QUESTION SECTION:
 ;www.menandmice.com. IN A
 
 ;; ANSWER SECTION:
 www.menandmice.com. 4m59s IN A 72.10.32.220
 
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61756
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
 ;; QUESTION SECTION:
 ;menandmice.com. IN A
 
 ;; ANSWER SECTION:
 menandmice.com. 4m59s IN A 72.10.32.220
 
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23068
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
 
 ;; QUESTION SECTION:
 ;info.menandmice.com. IN A
 
 ;; ANSWER SECTION:
 info.menandmice.com. 4m59s IN CNAME 77026.group26.sites.hubspot.net.
 77026.group26.sites.hubspot.net. 29m59s IN CNAME cos2mdc.hubspot.net.mdc.edgesuite.net.
 cos2mdc.hubspot.net.mdc.edgesuite.net. 5h57m44s IN CNAME a1711.b.akamai.net.
 a1711.b.akamai.net. 19s IN A 95.101.90.26
 a1711.b.akamai.net. 19s IN A 95.101.90.82 64 three queries Answer for #2 Answer for #1 Answer for #3
  • 65. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org dig switches dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds:
 
 # dig +ttlunits menandmice.com
 
 ; <<>> DiG 9.11.0b3 <<>> +ttlunits menandmice.com
 ;; global options: +cmd
 ;; Got answer:
 […]
 
 ;; ANSWER SECTION:
 menandmice.com. 4m54s IN A 72.10.32.220 
 ;; AUTHORITY SECTION:
 menandmice.com. 20h52m59s IN NS ns2.c.is.
 menandmice.com. 20h52m59s IN NS dns1.menandmice.com.
 menandmice.com. 20h52m59s IN NS ns0.c.is.
 menandmice.com. 20h52m59s IN NS dns3.menandmice.com.
 menandmice.com. 20h52m59s IN NS ns1.c.is.
 menandmice.com. 20h52m59s IN NS dns2.menandmice.com.
 
 ;; ADDITIONAL SECTION:
 dns1.menandmice.com. 21h9m22s IN A 217.151.171.7
 dns2.menandmice.com. 20h52m59s IN A 217.151.171.21
 dns3.menandmice.com. 1h29m39s IN A 45.79.153.125 65
  • 66. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org multiple named processes BIND 9.11 prevents the named process to start accidentally more than once named refuses to start if • it cannot bind to any network interface • if the Lock-File /var/run/named/named.lock already exists 66
  • 67. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org multiple named processes # named -g
 18-Aug-2016 13:31:16.929 starting BIND 9.11.0b3 <id:a23f742>
 18-Aug-2016 13:31:16.929 running on Linux x86_64 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016
 18-Aug-2016 13:31:16.929 built with '--sysconfdir=/etc/namedb'
 18-Aug-2016 13:31:16.929 running as: named -g
 18-Aug-2016 13:31:16.929 ----------------------------------------------------
 18-Aug-2016 13:31:16.929 BIND 9 is maintained by Internet Systems Consortium,
 18-Aug-2016 13:31:16.929 Inc. (ISC), a non-profit 501(c)(3) public-benefit
 18-Aug-2016 13:31:16.929 corporation. Support and training for BIND 9 are
 18-Aug-2016 13:31:16.929 available at https://www.isc.org/support
 18-Aug-2016 13:31:16.929 ----------------------------------------------------
 18-Aug-2016 13:31:16.929 adjusted limit on open files from 65536 to 1048576
 18-Aug-2016 13:31:16.929 found 4 CPUs, using 4 worker threads
 18-Aug-2016 13:31:16.929 using 3 UDP listeners per interface
 18-Aug-2016 13:31:16.929 using up to 4096 sockets
 18-Aug-2016 13:31:16.938 loading configuration from '/etc/namedb/named.conf'
 18-Aug-2016 13:31:16.939 reading built-in trusted keys from file '/etc/namedb/bind.keys'
 18-Aug-2016 13:31:16.939 using default UDP/IPv4 port range: [32768, 60999]
 18-Aug-2016 13:31:16.939 using default UDP/IPv6 port range: [32768, 60999]
 18-Aug-2016 13:31:16.941 listening on IPv6 interfaces, port 53
 18-Aug-2016 13:31:16.948 binding TCP socket: address in use
 18-Aug-2016 13:31:16.948 listening on IPv4 interface lo, 127.0.0.1#53
 18-Aug-2016 13:31:16.949 binding TCP socket: address in use
 18-Aug-2016 13:31:16.949 listening on IPv4 interface mv-p3p1, 172.22.1.129#53
 18-Aug-2016 13:31:16.950 binding TCP socket: address in use
 18-Aug-2016 13:31:16.950 unable to listen on any configured interfaces
 18-Aug-2016 13:31:16.950 loading configuration: failure
 18-Aug-2016 13:31:16.950 exiting (due to fatal error) 67
  • 68. © Men & Mice http://menandmice.com 
 © ISC http://www.isc.org more changes The BIND 9.11 change log file has additional information on all the changes http://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt 68
  • 69. © Men & Mice http://menandmice.com Upcoming training classes KEA-DHCP October 13 – 14, 2016 - West Coast, USA October 17 – 18, 2016 - East Coast, USA November 21 – 22, 2016 - Amsterdam, The Netherlands Two days - Hands-On training US$ 1795 69 https://www.menandmice.com/support-training/training/kea-dhcp-training/
  • 70. © Men & Mice http://menandmice.com more training •October 3 – 5, 2016 Introduction to DNS & BIND Hands-On class Arlington (VA), USA •October 3 – 7, 2016 Introduction & Advanced DNS and BIND Topics Hands-on class Arlington (VA), USA •October 5 – 7, 2016 DNSSEC Technical Workshop – Implementation and Deployment Arlington (VA), USA •October 10-14, 2014 "DNS und BIND / DNS Sicherheit" (German) @ Linuxhotel, Essen, Germany 70 https://www.menandmice.com/support-training/training/
  • 71. © Men & Mice http://menandmice.com our next webinar 
 A secure BIND 9 – best practices When operating a DNS server, a secure configuration is paramount. BIND 9 experts from the Men & Mice team will answer questions about BIND 9 security. Learn more on: • “chroot” vs. “container” • separating resolving and authoritative services for security • BIND 9 configuration hardening • monitoring BIND 9 for security issues August 31st, 2016 4:00pm CEST/ 2:00pm GMT/ 10:00am EDT/ 7:00am PDT 71 https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/
  • 72. © Men & Mice http://menandmice,com Thank you! Questions? Comments? 72