Académique Documents
Professionnel Documents
Culture Documents
Shinkuro, Inc.
Peter Koch
DENIC eG
2011-03-27
Goal:
Give the audience basic understanding of DNS to be
able to facilitate new uses of DNS and take advantage
of DNSSEC in the protocols they specify in the IETF.
2011-03-27
2011-03-27
2011-03-27
ORG
IETF
www
COM
ogud
ISOC
DE
IS
UK
CAT
DENIC
EDU
2011-03-27
DNS label:
DNS zone:
Delegation:
2011-03-27
Resolver
Server
Some
2011-03-27
Clean
2011-03-27
a name
Example:
- <name>
<TTL> <Class> <RRtype>
ogud.com. 13630
IN
MX
ogud.com. 13630
IN
MX
TTL
(Time To Live):
<data>
10 mail.ogud.com.
90 smtp.elistx.com.
2011-03-27
Transport:
UDP 512 bytes Payload, with TCP
fallback
RFC3226 increases to 1220 bytes
1
6
1
1
1
2
1
3
1
4
1
5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
ID
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|
Opcode
|AA|TC|RD|RA| Z|AD|CD|
RCODE
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
QDCOUNT
== 1
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
Retransmission: built in
Resends timed-out-query
Possibly to a different server.
ANCOUNT
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
NSCOUNT
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
ARCOUNT
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Query section contains:
QNAME: <name in domain name format, variable length>
QCLASS: 2 bytes
QTYPE:
2 bytes.
Set by query
Set by responder
Unused
2011-03-27
10
+------------------+-----+------+--------+----+-----------+
+ Domain name
|type | class| TTL
| RL | RDATA
|
+------------------+-----+------+--------+----+-----------+
<variable>
2
2
4
2
<variable>
Length (1 byte)
Name (n bytes [1..63])
example.com 07example03com00
2011-03-27
11
2011-03-27
12
QNAME: www.dnsop.org
QCLASS: IN
QTYPE: A
Root Server
Org Server
www.dnsop.org
Ask dnsop.org NS
www.dnsop.org Local
A 81.91.170.12 Resolv www.dnsop.org
er
A 81.91.170.12
2011-03-27
dnsop.org Server
13
at name, or at <prefix>.name
zone wide defaults do not exist
the "zone" is an artificial boundary for management purpose
2011-03-27
14
Indirect RR:
CNAME, DNAME
Indirect DNS RR cause Resolver to change direction of search
Server must have special processing code
Terminal RR:
Address records
A, AAAA,
Informational/Data
TXT, HINFO, KEY, SSHFP
carry information to applications
META:
OPT, TSIG, TKEY, SIG(0)
Not stored in DNS zones, only appear on wire
2011-03-27
15
Solution:
RFC3597 defines that all DNS servers and resolvers MUST
support unknown RR types and rules for defining them.
suggests a common encoding in presentation format for them.
2011-03-27
16
Is
2011-03-27
17
Record:
*.example MX 10 mail.example
matches any name, below the name
example !!
supplies RR type to names present, that are
missing MX RRs.
Is added to the MX RRSet at a name
will expand
2011-03-27
18
Contents of a zone:
*.example. TXT "this is a wildcard"
www.example. A 127.0.0.1
jon.doe.example. A 127.0.0.2
example
Name doe.example
exists w/o any RRtypes empty nonterminal
Name tina.doe.example.
will not be expanded from
wildcard
Name: tina.eod.example. Matched.
2011-03-27
19
Packet size:
512 for standard DNS, 4K+ for EDNS0
Some middle boxes restrict UDP fragments effective <1500 size restriction.
2011-03-27
20
2011-03-27
21
2011-03-27
22
RFC
DNSSEC
23
Role: Protect
DNS
What
2011-03-27
24
Existence proof:
2011-03-27
25
Vendor
26
Just
Only
2011-03-27
27
1.
2.
2011-03-27
28
2011-03-27
29
If
2011-03-27
30
Private/confidential
data
Access control needed
Large data
Unstructured
Naming is difficult
You need search or match capability
2011-03-27
31
DHCP: if
Distributed
databases
2011-03-27
32
New
class
33
2011-03-27
34
SRV format[RFC2782]:
Priority, weight, port, host
_xmpp-client._tcp.jabber.org.
SRV
30 30 5222 hermes.jabber.org.
2011-03-27
35
order
16 bit value
preference 16 bit value
flags
character-string
service
character-string
regexp
character-string
replacement
domain-name
2011-03-27
36
2011-03-27
37
No semantics
RFC 1464 sub-typing
prefixing could help, but has its own problems
TXT verbose for binary information,
If new RRSet is large you want EDNS0 support
Modern software does this and unknown types as well!!!!
MORAL: Fight for local upgrades, do not force the whole Internet to work
around your local issues.
2011-03-27
38
2011-03-27
39
Full
collisions, smaller
Resolution context provided
2011-03-27
40
41
Tailor
it to your needs,
Be specific
Restrict flexibility (avoid being overly generic)
Be
2011-03-27
42
Provide
tools to
Assume
software is modern !!
2011-03-27
43
Goal: allow
Approach:
44
Goal: Allow
2011-03-27
45
DNS Operations:
http://tools.ietf.org/wg/dnsop
Individual sites
http://en.wikipedia.org/wiki/Domain_Name_System
2011-03-27
46
DNS
Many obsolete
Important
ones
47
Extra
slides
Questions & Comments
2011-03-27
48
Problem:
Facts:
Result:
2011-03-27
49
Zones
become larger
need periodic maintenance
have to deal with key management
2011-03-27
50