Pro DNS and BIND 10


Pro DNS and BIND 10
Ron Aitchison
The Expert's Voice in Open Source
A complete reference to DNS and BIND. Companion eBook available. Updated to BIND 9.7.

Pro DNS and BIND 10 guides you through the challenging array of features surrounding DNS with a special focus on the latest release of BIND, the world's most popular DNS implementation. This book unravels the mysteries of DNS, offering insight into origins, evolution, and key concepts like domain names and zone files. This book focuses on running DNS systems based on BIND 10, the first stable release that includes support for the latest DNSSEC standards. The book also covers BIND 9, and thus represents a complete reference to the latest BIND 9 release. Whether you administer a DNS system, are thinking about running one, or simply want to understand the DNS system, this book is for you.

Pro DNS and BIND 10 starts with simple concepts, then moves on to full security-aware DNSSEC configurations. Various features, parameters, and resource records are described and illustrated with examples. The book contains a complete reference to zone files, resource records, and BIND's configuration file parameters. You can treat the book as a simple paint-by-numbers guide to everything from a basic caching DNS to the most complex DNSSEC implementation. Background information is included for when you need to know what to do and why you have to do it, so that you can modify processes to meet your unique needs.

Ron Aitchison, author of Beginning Spatial with SQL Server 2008 and Pro DNS and BIND
Shelve in: Networking / General
User level: Beginning–Advanced
The Apress Roadmap: Pro Linux System Administration; Automating Linux and Unix System Administration; Pro DNS and BIND 10; Beginning Ubuntu LTS Server Administration
www.apress.com (source code online; companion eBook; Books for Professionals by Professionals)
www.it-ebooks.info

For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to access them.

Contents at a Glance

Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Part I: Principles and Overview
■ Chapter 1: An Introduction to DNS
■ Chapter 2: Zone Files and Resource Records
■ Chapter 3: DNS Operations
■ Chapter 4: DNS Types
■ Chapter 5: DNS and IPv6

Part II: Get Something Running
■ Chapter 6: Installing BIND
■ Chapter 7: BIND Type Samples
■ Chapter 8: DNS Techniques
■ Chapter 9: DNS Diagnostics and Tools

Part III: DNS Security
■ Chapter 10: DNS Secure Configurations
■ Chapter 11: DNSSEC
■ Chapter 12: BIND 9 Configuration Reference
■ Chapter 13: Zone File Reference

Part IV: Programming
■ Chapter 14: BIND APIs and Resolver Libraries
■ Chapter 15: DNS Messages and Records

Part V: Appendixes
■ Appendix A: DNS Registration and Governance
■ Appendix B: DNS RFCs
■ Index

Introduction

Every time you get e-mail, every time you access a web page, you use the Domain Name System (DNS). In fact, over 2 billion such requests hit the DNS root-servers alone every day.
Every one of those 2 billion requests originates from a DNS that supports a group of local users, and every one of them is finally answered by a DNS server that may support a high-volume commercial web site or a modest, but much loved, family web site. This book is about understanding, configuring, diagnosing, and securing the DNS servers that do the vital work.

Many years ago when I set up my first pair of DNS servers, I wasted my time looking for some practical advice and some sensible description of the theory involved. I found neither. I completed the DNS rite-of-passage—this book was born from that experience. DNS is a complex subject, but it is also unnecessarily cloaked in mystery and mythology. This book, I hope, is a sensible blend of practical advice and theory. You can treat it as a simple paint-by-numbers guide to everything from a simple caching DNS to the most complex secure DNS (DNSSEC) implementations. But the background information is there for those times when you not only need to know what to do, but you also need to know why you are doing it, and how you can modify the process to meet your unique needs.

When the first edition of the book was written, we were on the cusp of a major change in DNS technology—the paint had not quite dried yet on the newly published DNSSEC standards. It is no exaggeration to say that even we who live in close proximity to DNS have been staggered by just how radical a change was brought about by those standards. In part this derives from the increasing focus on general Internet security, but it also comes from the recognition of the fundamental role DNS plays in enabling the Internet. Among many unanswered questions for the future is, once the DNS is secure, what form and type of information may be safely added to DNS zones? The obvious follow-up question that immediately springs from such speculation is what functionality will be demanded of DNS software?

We have already seen increasing specialization: clear separation of the roles of authoritative DNS and resolvers, to name one development, and alternative data sources for zone data such as databases and IP provisioning systems, to name another. But all continue to provide classic DNS look-up functionality. In this respect BIND 10 represents a new and radical approach, not just to the issues of functional separation and alternative data sources, though these are provided, but in employing a modular and component-like architecture. BIND 10 allows us to contemplate a very different way in which DNS may be used within a rapidly evolving Internet.

Introduction to the Second Edition

The second edition of this book represents a major expansion of material in both depth and breadth. On the theoretical side of the DNS equation a more rigorous separation of the roles of authoritative DNS servers and resolvers (caching name servers) is present throughout the book in keeping with the move to specialized software. A complete update of the material on zone files and BIND 9 statements and clauses means that once again the material provided represents a complete and detailed reference work on BIND 9. New sections now cover a wider range of specialized DNS techniques under the renamed Chapter 8. The DNSSEC chapter has been significantly expanded to reflect both the additional standards involved as well as the wealth of operational possibilities offered by BIND 9. Significant new material has been provided to illustrate usage and implementation of the BIND extended POSIX library functions, which can provide secure last-mile solutions.

While one of the original objectives of the book was to introduce BIND 10 with all its radical changes, it rapidly became apparent that to commit to a paper version at this stage in the evolution of BIND 10 would be to short-change readers. Consequently, a downloadable version of the BIND 10 material is provided. This method allows the material to be updated as necessary to reflect the increasing functionality of BIND 10 as it moves through its development cycle.

Who This Book Is For

This book is about running DNS systems based on BIND 9.7 and BIND 10. If you run or administer a DNS system, are thinking about running a DNS system, need to upgrade to support IPv6 DNS, need to secure a DNS for zone transfer, dynamic update, or other reasons, need to implement DNSSEC, or simply want to understand the DNS system, then this book is designed to provide you with a single point of reference. The book progressively builds up from simple concepts to full security-aware DNSSEC configurations. The various features, parameters, and Resource Records that you will need are all described and in the majority of cases illustrated with one or more examples. The book contains a complete reference on zone files, Resource Records, and BIND 9's named.conf configuration file parameters. Programmers and the insatiably curious will find BIND 9's Simple Database API, resolver library interfaces, and the gory details of DNS wire-format messages compelling reading.

How This Book Is Structured

This book is about the Domain Name System. Most of the examples used throughout the book are based on the Berkeley Internet Name Domain, universally known as BIND, which is the most widely deployed name server software in current use. BIND version 9.7.1-P2 was used as the baseline version for all the examples. During the course of writing the book, version 9.7.2-P2—a bug clearance–only version—was released. The majority of, but not all, tests were rerun on the new version; no functional differences were noted between the releases. Readers are advised to always obtain and use the latest stable BIND version. Like most technical books, this is a mixture of descriptive text, reference material, and samples.
For those completely unfamiliar with the subject, Part 1 (Chapters 1 to 5) is designed to introduce DNS in a progressive manner and could be read as a classic text on the subject. For those of a hands-on disposition, Part 2 provides an alternative entry point, with the various earlier chapters to be read as needed. Experienced readers would typically head straight for the meat in either Parts 3, 4, or 5, depending on their area of interest. As well as providing help and guidance during your initial endeavors, it is my fervent hope that this book will also provide you with an indispensable reference work for years to come.

Chapter 1, "An Introduction to DNS"

Chapter 1 provides introductory and background material to the DNS as a specific implementation of the general name server concept. The key concepts introduced are the domain name hierarchy, delegation, DNS operational organization, the role of ICANN, and the various components that comprise a DNS eco-system. A clear separation between the roles of authoritative name servers and resolvers (a.k.a. caching name servers) is introduced, and this terminology is used rigorously throughout the book. This chapter is for those who are unfamiliar with the topic or the changes that have occurred in the recent past.

Chapter 2, "Zone Files and Resource Records"

Here you are introduced to the basic Resource Records and directives used to construct zone files. An example forward-mapping zone file is introduced that is used throughout the book and illustrates key DNS operational concepts such as resilience and location diversity. Those with little or no knowledge of zone files and their construction will find this chapter a gentle introduction to the topic.

Chapter 3, "DNS Operations"

This chapter describes the basic operation of a DNS system, including queries, referrals, reverse mapping, zone transfers, and dynamic updates. A brief overview of DNS security is presented to familiarize readers with the potential threats posed when running DNS systems. This chapter is intended to give the reader a thorough grounding in the theory and background to these topics.

Chapter 4, "DNS Types"

The text in this chapter breaks down configuring a DNS into a number of types such as master, slave, resolver (caching only name server), forwarding, Stealth, and authoritative only, with the objective of giving the reader a set of building blocks from which more complex configurations can be constructed. This chapter will be useful to those unfamiliar with the range of possibilities offered by the DNS and its BIND implementation, including the view clause introduced with the BIND 9 series.

Chapter 5, "DNS and IPv6"

Chapter 5 focuses on IPv6 and the DNS features that support this increasingly widespread protocol. A brief overview of IPv6 address structure and notation is provided for those currently unfamiliar with this topic.

Chapter 6, "Installing BIND"

This chapter covers the installation of BIND on Linux (Ubuntu Server 10.04), FreeBSD (8.1), and Windows 7 from binary packages. For those cases where a package is not available, building from a source tarball is also described. The increasingly wide range of software configuration options offered by BIND means that building from a source tarball may become increasingly common.

Chapter 7, "BIND Type Samples"

The zone and named.conf sample files for each of the DNS types introduced in Chapter 4 are provided. While these samples can be used as simple paint-by-number implementations, explanations are included to allow the configurations to be tailored to user requirements.

Chapter 8, "DNS Techniques"

A number of DNS configurations are described and illustrated with sample files and implementation notes. The items covered include delegation of subdomains, load balancing, fixing sequence errors, delegation of reverse subnets, SPF and DKIM records, DNSBL, split horizon systems, and the use of wildcards.

Chapter 9, "DNS Diagnostics and Tools"

The major utilities supplied with a BIND distribution, including those used for security operations, are covered with multiple use examples. The reader, however, is encouraged—especially with dig and nslookup—to get out and explore the Internet using these tools. A practical example is used to illustrate some diagnostic techniques and procedures.

Chapter 10, "DNS Secure Configurations"

DNS security within this book is broken into four parts: administrative security, securing zone transfers, securing dynamic update, and DNSSEC. An overview of general cryptographic processes including symmetric and asymmetric encryption, digital signatures, and MACs, which form the basis of DNS security implementations, is provided for readers unfamiliar with this topic.

Chapter 11, "DNSSEC"

This chapter deals exclusively with the DNSSEC security standards and covers both the theory and practical implementation. Zone signing, chains of trust, Zone Signing Keys and Key Signing Keys, DNSSEC Lookaside Validation (DLV), and key-rollover procedures are all covered with practical examples. BIND 9 provides a bewildering variety of DNSSEC implementation options; the final section in this chapter provides some advice and worked examples from which an intelligent choice can be made.

Chapter 12, "BIND Configuration Reference"

As suggested by the title, this is purely a reference section, and it catalogues and describes with one or more examples all the clauses and statements used in BIND's named.conf file. The chapter is organized in a manner that allows the reader to easily find appropriate statements to control specific BIND behaviors.

Chapter 13, "Zone File Reference"

This is purely a reference section that describes each Resource Record in the current IANA list, normally with one or more examples to illustrate usage.

Chapter 14, "BIND APIs and Resolver Libraries"

This chapter is designed more for programmers and designers; you will need a reasonable understanding of C to make sense of it. It covers the new BIND Simple Database API and the newly released BIND extended POSIX interfaces, from which secure last-mile DNS solutions can be created.

Chapter 15, "DNS Messages and Records"

This chapter covers the gory details of DNS wire-format messages and RR formats. A reasonable working knowledge of decimal, hex, and binary notations is required to make sense of the chapter. Essential reading if you are developing DNS applications, if RRs are not supported by your sniffer application, or if you are insatiably curious about how this stuff works.

Appendix A, "Domain Name Registration"

This appendix is a collection of material, presented in FAQ format, that may help to answer questions about registering domains in a variety of situations.

Appendix B, "DNS RFCs"

This appendix presents a list of RFCs that define the DNS and DNS-related topics.

Additional Material

In addition, the author maintains a web site about the book (www.netwidget.net/books/apress/dns) that covers additional material, including links to alternative DNS software, resolver language bindings, and background reading on various topics covered in the book, which may be of use to the reader.

Conventions

The following conventions are used throughout the book:

• The # (hash or pound) symbol is used to denote a command prompt and always precedes a command to be entered. The command to be entered starts after this symbol.
• The \ (back slash) is used to denote where lines that are contiguous have been split purely for presentational reasons. When added to a file or entered on a command line the \ should not be present.
• Lines consisting of four dots (....) in zone and configuration files are used to denote that other lines may or may not be present in these files. The dot sequence should not be entered in the actual files.
• When describing command syntax, the following convention is used throughout: command argument [option1] keyword [option2 [option3]], where all items shown in bold in the book, which include command and keywords, must be entered as is. Optional values are enclosed in square brackets and may be nested. Where repeated options are allowed, a sequence of three dots (...) is used to indicate this.

Contacting the Author

The author may be contacted at ron.aitchison@netwidget.net, and he maintains links and other information relating to this book at www.netwidget.net/books/apress/dns.

Part I: Principles and Overview

Chapter 1: An Introduction to DNS

The Internet—or any network for that matter—works by allocating a locally or globally unique IP address to every endpoint (host, server, router, interface, and so on). But without the ability to assign some corresponding name to each resource, every time we wanted to access a resource available on the network, the web site www.example.com for instance, it would be necessary to know its physical IP address, such as 192.168.34.166. With hundreds of millions of hosts and more than 200 million web sites [1], it's an impossible task—it's also pretty difficult with even a handful of hosts and resources. To solve this problem, the concept of name servers was created in the mid-1970s to enable certain attributes (or properties) of a named resource, in this case the IP address of www.example.com, to be maintained in a well-known location, the basic idea being that people find it much easier to remember the name of something, especially when that name is reasonably descriptive of function, content, or purpose, rather than a numeric address.
This chapter introduces basic name server concepts and provides a bit of background regarding the evolution of the Domain Name System from a tool used for managing just a few hundred hosts to a global utility responsible for maintaining smooth operation of the entire modern Internet.

A Brief History of Name Servers

The problem of converting names to physical addresses is as old as computer networking. Even in times long since past, people found it easier to remember they were using a teletype device called "tty2" rather than "port 57 of the MCCU," or whatever the addressing method then in use. Furthermore, administrators wanted the flexibility to reconfigure equipment while leaving users with a consistent way of describing the device they were using. In the preceding example, the user could continue to use "tty2" even if the device had been reconfigured to be on port 23 of the mythical MCCU. Simple configuration files were typically used to perform address translation.

As networking, rather than simple communications, emerged in the early 1970s, the problem became more acute. IBM's Systems Network Architecture (SNA), probably the grandfather of networking, contained a rudimentary mainframe database for name translation when originally published in 1974. The much-maligned Open Systems Interconnection (OSI) Model, developed by the International Organization for Standardization (ISO, www.iso.org), defined Address/Name Translation services at the Transport Layer (Layer 4) when initially published in 1978. NetBIOS provided the NetBIOS Name Server (NBNS) when originally defined in 1984, which later morphed into Microsoft's Windows Internet Name Service (WINS).
The first ARPANET RFC on the concept of domain names (RFC 799) dates from 1981; ARPANET is the network that morphed into the Internet, and the RFCs, the quaintly named Requests for Comments, are the documents that define and standardize it. The definitive specifications for the Internet's Domain Name System as we know it today were published in 1987 (RFC 1034 and RFC 1035).

[1] http://news.netcraft.com/archives/web_server_survey.html

Preview fragments from later in the book:

[...] to the extensive BIND user base. The first release of this new BIND 10 generation of products is an authoritative-only name server that is fully described in Chapter 14, with the configuration samples in Chapter 7 updated to cover both BIND 10 and BIND 9 where appropriate. A BIND 10 resolver-only product and a BIND 10 multifunction product (equivalent to today's BIND 9) will be released progressively over [...]

[...] consequences, and the functionality of the DNS resolver (4), which reduces the complexity of client resolvers (stub-resolvers) and proxies by concentrating the complex and potentially dangerous job of accessing the DNS authoritative hierarchy. The configuration and functionality of a DNS resolver (4) and DNS authoritative name servers (5), (6), and (7) are explained further in Chapter 4, and detailed [...]

[...] consequence, BIND has generally traded performance for generic functionality. BIND, including the current production versions of BIND 9, is a "one size fits all" solution providing both DNS resolver and authoritative name server functionality within the same software package. Microsoft Windows users are well provided with DNS solutions. The Microsoft Server packages come bundled with a native DNS server (providing [...]

[...] the service provider's DNS resolver (4); increasingly the DNS address points to the DSL modem or local router (3), which will contain a DNS proxy. Depending on device manufacturer and Internet service provider policies, DNS proxy functionality varies wildly from a simple pass-through operation (nothing is changed), to caching and other more intrusive operations mostly designed to reduce load and speed [...]

[...] server, which in turn provides a referral to the appropriate domain (user) name server, which returns the real (authoritative) answer. Figure 1–3 illustrates this process.

[Figure 1–3: The query for fred.example.com goes to a root DNS server, which returns a referral to the com gTLD DNS server; the same query to the TLD DNS server returns a referral to the example.com DNS server; the same query to the domain (user) DNS server returns the authoritative answer.]

[...] (www.isc.org). It is probably the most widely known and deployed of the DNS implementations, and indeed most of this book documents BIND features. BIND, however, is by no means the only DNS solution available or for that matter the only Open Source DNS solution. BIND has historically been viewed as the high-quality reference implementation of the Internet Engineering Task Force (IETF) RFCs that specify DNS functionality [...]

[...] the DNS infrastructure that issues queries in order to resolve (translate) names into IP addresses. Resolvers, which can come in all shapes and sizes, are explained further in the next section and throughout the book.

[Figure: DSL modem/router DNS proxy (cache) (3); service provider DNS resolver (cache) (4); authoritative hierarchy DNS (5), root-servers ...]

[...] by an equivalent BIND 9 configuration. Unbound is an Open Source DNS resolver solution (www.unbound.net) that provides a high-performance C implementation of an original Java-based design exercise that also fully supports the latest DNSSEC standards. Even BIND is not invulnerable to changes. BIND 10 is a multiyear radical restructuring program designed to bring significant functional and performance benefits [...]

[...] The Internet DNS elegantly solves all three problems.

■ Note: The standard RFCs that define the basic DNS functionality, RFC 1034 and RFC 1035, were both written close to a quarter of a century ago (1987) and authored by Dr. Paul Mockapetris while at the Information Sciences Institute of the University of Southern California. Although many subsequent RFCs have modified certain DNS behaviors, [...]

[...] original DNS specifications used the terms Primary and/or master and Secondary (called slave previously) to describe the zone transfer process. The terms Primary and Secondary are still widely used to describe the order of DNS in many places such as registration of domain names and when defining network properties on PCs or hosts. In an attempt to reduce confusion, Berkeley Internet Name Domain (BIND) introduced [...]
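The referral chain of Figure 1–3, and the remark in the resolver fragment that a resolver concentrates the "potentially dangerous job" of walking the authoritative hierarchy, are easiest to see in code. What follows is an added example, not code from the book or from BIND: a toy iterative resolver in Python that walks a constructed root / TLD / domain hierarchy for fred.example.com, the name used in Figure 1–3. Everything in it is assumed for illustration: the zone contents, the addresses (192.0.2.0/24 is the RFC 5737 documentation range), the server names under .test, and the rogue com server at 192.0.2.8. Beyond the figure itself, it shows the two checks a real resolver applies before it trusts a referral: a bound on the number of delegation hops, and a bailiwick rule that discards referrals and glue the responding server is not authoritative for, which is the classic defence against cache poisoning through out-of-zone records.

```python
"""Toy iterative resolver: root -> TLD -> domain, following referrals downwards.
Added example, not code from the book or from BIND. Everything here is constructed:
192.0.2.0/24 is the RFC 5737 documentation range and the .test names are placeholders."""
from __future__ import annotations

MAX_REFERRALS = 8  # bound on delegation hops, so a referral loop cannot run forever


def labels(name: str) -> list[str]:
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]  # "." -> []


def is_subdomain(name: str, zone: str) -> bool:
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


# Constructed data: server IP -> {zone apex -> {(owner, type): [rdata, ...]}}
SERVERS = {
    "192.0.2.1": {".": {                                # root: only the com delegation
        ("com.", "NS"): ["a.gtld.test."],
        ("a.gtld.test.", "A"): ["192.0.2.2"]}},         # glue for that delegation
    "192.0.2.2": {"com.": {                             # com TLD: delegates example.com
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["192.0.2.3"]}},     # in-zone glue
    "192.0.2.3": {"example.com.": {                     # authoritative for example.com
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["192.0.2.3"],
        ("fred.example.com.", "A"): ["192.0.2.100"]}},
    "192.0.2.8": {"com.": {                             # rogue com server: delegates
        ("example.com.", "NS"): ["ns.attacker.test."],  # example.com to a name outside
        ("ns.attacker.test.", "A"): ["192.0.2.66"]}},   # com. and supplies its own glue
}


def authoritative_query(server_ip: str, qname: str, qtype: str) -> dict:
    """Respond as a simplified authoritative-only server would: REFERRAL, ANSWER,
    NXDOMAIN (real servers also distinguish NODATA), or REFUSED with no recursion."""
    zones = SERVERS[server_ip]
    enclosing = [z for z in zones if is_subdomain(qname, z)]
    if not enclosing:
        return {"kind": "REFUSED", "zone": None, "records": {}}
    zone = max(enclosing, key=lambda z: len(labels(z)))  # closest enclosing zone
    rrs, qlabels = zones[zone], labels(qname)
    # A zone cut (NS set) strictly below the apex, on the path to qname, is a delegation.
    for depth in range(len(labels(zone)) + 1, len(qlabels) + 1):
        cut = ".".join(qlabels[-depth:]) + "."
        if (cut, "NS") in rrs:
            referral = {(cut, "NS"): rrs[(cut, "NS")]}
            for ns in rrs[(cut, "NS")]:
                if (ns, "A") in rrs:
                    referral[(ns, "A")] = rrs[(ns, "A")]  # glue, when the server has it
            return {"kind": "REFERRAL", "zone": zone, "records": referral}
    if (qname, qtype) in rrs:
        return {"kind": "ANSWER", "zone": zone, "records": {(qname, qtype): rrs[(qname, qtype)]}}
    return {"kind": "NXDOMAIN", "zone": zone, "records": {}}


def in_bailiwick_glue(resp: dict, ns_names: list[str]) -> list[str]:
    """Keep only glue whose owner lies inside the zone the responding server is
    authoritative for; out-of-bailiwick glue is the classic cache-poisoning vector."""
    return [addr for ns in ns_names if is_subdomain(ns, resp["zone"])
            for addr in resp["records"].get((ns, "A"), [])]


def resolve(qname: str, qtype: str = "A", root_hints=("192.0.2.1",)) -> list[str]:
    """Iterative resolution: start at the root hints and follow referrals down the tree."""
    qname = qname.rstrip(".") + "."
    servers, current_zone = list(root_hints), "."
    for _ in range(MAX_REFERRALS):
        ip = servers[0]
        resp = authoritative_query(ip, qname, qtype)
        if resp["kind"] == "ANSWER":
            return resp["records"][(qname, qtype)]
        if resp["kind"] != "REFERRAL":
            raise LookupError(f"{resp['kind']} from {ip} for {qname}")
        (cut, _), ns_names = next(i for i in resp["records"].items() if i[0][1] == "NS")
        # A referral is trusted only if it moves strictly down the tree towards qname.
        if not (is_subdomain(cut, current_zone) and cut != current_zone
                and is_subdomain(qname, cut)):
            raise LookupError(f"out-of-bailiwick referral for {cut} from {ip}")
        glue = in_bailiwick_glue(resp, ns_names)
        if not glue:
            raise LookupError(f"no usable glue for {cut} from {ip}")
        servers, current_zone = glue, cut
    raise LookupError(f"gave up after {MAX_REFERRALS} referrals for {qname}")


def resolve_or_error(qname: str, **kwargs) -> str:
    """The answer as text, or the error message: lets a caller see why a walk failed."""
    try:
        return ", ".join(resolve(qname, **kwargs))
    except LookupError as err:
        return f"error: {err}"
```

With this data, resolve("fred.example.com") takes the three hops of Figure 1–3 (root, then 192.0.2.2 for com, then 192.0.2.3 for example.com) and returns ["192.0.2.100"]; a name the domain server does not hold ends in an NXDOMAIN error rather than a guess; and pointing the root hints at the rogue server 192.0.2.8 fails with "no usable glue", because the only address it offers belongs to a name outside com. and is discarded. Against the real hierarchy, dig +trace performs the same walk and prints each referral as it goes.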

Posted: 28/04/2014, 16:45
