BIND-8 to BIND-9 Migration
A short tutorial
APNIC Meeting, Brisbane, October 2000
Mathias Körber, Nominum, Inc.
mathias.koerber@nominum.com
© Copyright 2000 Nominum, Inc.
BIND versions
• BIND-4.* - legacy BIND, limited features, security issues
• BIND-8.* - new, flexible config syntax; many new features (NOTIFY, selective forwarding etc.)
• BIND-9 - total rewrite to prepare for future extensions and new features. Not all features are implemented yet.
New in BIND-9
• Full IPv6 support
• DNSSEC
• EDNS0
• Views
• Zone transfer built into named (no separate named-xfer process)
• Light-weight resolver daemon (lwresd)
Features obsoleted in BIND-9
• named-xfer-path (no separate named-xfer executable any more)
• deallocate-on-exit (now on by default)
• fake-iquery (always disabled)
• has-old-clients
• multiple-cnames (always disabled!)
• use-id-pool (always on)
• treat-cr-as-space
• maintain-ixfr-base
• controls { unix ... }
• support-ixfr
• ixfr-base
• allow-update
Who should NOT migrate to BIND-9 (yet)
• Those who rely on currently unimplemented features:
  • statistics
  • dialup
  • per-zone forwarding
  • rfc2308-type1
  • check-names
  • blackhole
  • $GENERATE
  • lame-ttl
  • serial-queries
  • resource-usage modifiers (*size etc.)
  • topology
  • rrset-order (RRset ordering)
Who would want to migrate to BIND-9
• Early adopters :-)
• Those who would like split DNS to be easier
Basic migration issues
• Handling of config file errors
• Handling of logging
• New logging categories
• ACLs case sensitive
• Default TTL handling
• Periods in serial numbers no longer allowed
• Unbalanced quotes
• RRs across line breaks
• Unrestricted character set
• 'ndc' replaced by 'rndc', which requires configuration
Handling of config file errors
• BIND-8 would continue after config file errors, resulting in a partial configuration (zones load up to the error position)
• BIND-9 will not start if any error is detected in the named.conf file.
Handling of logging statement
• BIND-8's logging statement became effective right after it was read, i.e. configuration errors could be sent to a specific logging channel if logging was specified at the beginning of named.conf.
• BIND-9's logging statement becomes active only after the complete named.conf file has been read and BIND starts. Any configuration errors go to the default logging, usually syslog or STDERR.
• Migration issues:
  • Look for configuration errors in syslog or on STDERR
  • Amend any automated log-checkers
New logging categories
• BIND-8: default, config, parser, queries, lame-servers, statistics, panic, update, ncache, xfer-in, xfer-out, db, eventlib, packet, notify, cname, security, os, insist, maintenance, load, responsechecks
• BIND-9: default, general, database, security, config, resolver, xfer-in, xfer-out, notify, client, network, update
New logging categories
• Migration action: users who customized their logging will have to adapt their logging configuration to BIND-9's new categories!
• Potential problems if not done: configuration file errors -> BIND-9 will not start.
ACL names are case sensitive
• BIND-8's ACL names were case insensitive
• BIND-9's ACL names are case sensitive
• Migration action: adapt all ACL references in your named.conf file to the proper case
• Potential problems if not done: configuration file error due to unrecognized ACL names -> BIND will not start
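The following script is an added example for this tutorial (not part of BIND or the original slides): a pre-migration sweep over a named.conf that reports every ACL reference whose case differs from its acl definition, the exact situation BIND-8 accepted and BIND-9 rejects at startup, together with references to ACLs that were never defined. It is a regex pass rather than a full named.conf parser, and the sample configuration embedded in it is constructed for the demonstration.

```python
"""Find ACL references in a BIND named.conf whose spelling differs in case from
the acl definition (fatal in BIND-9, silently accepted by BIND-8), and
references to ACLs that are never defined.

Added example for this tutorial, not part of BIND. It is a regex sweep, not a
full named.conf parser; the sample configuration below is constructed.
"""
import re

# Names BIND predefines; they need no acl statement (not checked here).
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

ACL_DEF_RE = re.compile(r'\bacl\s+"?([A-Za-z0-9_.-]+)"?\s*\{')

# Statements whose { ... } body is an address match list, plus acl bodies
# themselves (an acl may be built from other acls).
LIST_RE = re.compile(
    r'\b(?:acl\s+"?[A-Za-z0-9_.-]+"?|allow-query|allow-transfer|allow-recursion|'
    r'allow-update|allow-notify|match-clients|match-destinations|blackhole|'
    r'listen-on(?:\s+port\s+\d+)?)\s*\{([^}]*)\}')

# A bare word that can only be an ACL name: addresses and prefixes start with
# a digit, and 'key name' elements contain a space, so both fail this pattern.
NAME_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.-]*$')


def strip_comments(text):
    """Remove /* */, // and # comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def find_acl_problems(conf_text):
    """Return [(name_as_written, problem)] in file order; problem is
    'case: defined as <Name>' for a case-only mismatch, else 'undefined'."""
    text = strip_comments(conf_text)
    defined = {m.group(1) for m in ACL_DEF_RE.finditer(text)}
    by_lower = {}
    for name in defined:
        by_lower.setdefault(name.lower(), []).append(name)
    problems = []
    for m in LIST_RE.finditer(text):
        for elem in m.group(1).split(';'):
            tok = elem.strip().lstrip('!').strip().strip('"')
            if not NAME_RE.match(tok):
                continue                      # address, prefix, key or empty
            if tok in defined or tok.lower() in BUILTIN_ACLS:
                continue                      # exact match: fine in BIND-9
            candidates = by_lower.get(tok.lower())
            if candidates:
                problems.append((tok, f"case: defined as {candidates[0]}"))
            else:
                problems.append((tok, "undefined"))
    return problems


# Constructed sample, modelled on the GWNS fragment in this tutorial.
SAMPLE_NAMED_CONF = """\
acl "INTERNAL" { 192.168.0.0/16; };
acl "PRIVINTF" { 192.168.0.1; };
options {
    allow-query { internal; };   /* BIND-8 matched INTERNAL; BIND-9 does not */
    listen-on { PRIVINTF; };     # exact match: fine
    recursion yes;
};
zone "example.com" {
    type master;
    file "/private/example.db";
    allow-transfer { !192.168.99.0/24; iNSes; };   # iNSes is never defined
};
"""

if __name__ == "__main__":
    for name, problem in find_acl_problems(SAMPLE_NAMED_CONF):
        print(f"ACL reference '{name}': {problem}")
```

Run it against each named.conf before switching binaries; every reported name either needs its case corrected or an acl statement added, since BIND-9 will refuse to start on either.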
Default TTL handling has changed
• BIND-8 used the SOA minimum field if no $TTL was found and the first RR had no explicit TTL.
• BIND-9 requires either a $TTL (preferred!) or a TTL on the first RR. Otherwise the zone will not load.

Zone file without a $TTL directive and without a TTL on the first RR:
    @ IN SOA primary admin (
        2000102600 3600 1200 604800 3600 )
BIND-8: minimum field (3600) used!   BIND-9: ERROR, zone does not load.

Same zone with a $TTL directive (an explicit TTL on the first RR, as on the SOA here, would also suffice):
    $TTL 86400
    @ 3600 IN SOA primary admin (
        2000102600 3600 1200 604800 3600 )
Periods in SOA serial numbers
• Some old BIND versions allowed periods in SOA serial numbers (eg: 3.002)
  • Special, highly obscure calculations involved; the primary converts the value to an integer when the zone is loaded
  • Not widely used, usually recommended against
• BIND-9: serial numbers restricted to integers only
• Migration issue:
  • Secondaries: none (the calculation will have been performed on the primary)
  • Primaries: change zonefiles!
Unbalanced quotes
• Some versions of BIND did not complain about unbalanced quotes
  • Missing closing quotes were added at end of line
• BIND-9: very strict about quoting, will continue reading the string until the next quote
• Migration issue: potentially, old errors may surface and affect zone loading. Clean up zonefiles!
RRs across line breaks
• Some versions of BIND allow the opening parenthesis on the second line of a multi-line resource record:
    @   IN SOA primary admin
        ( 2000102600 3600 1200 604800 3600 )
• BIND-9 requires the opening parenthesis on the first line:
    @   IN SOA primary admin (
        2000102600 3600 1200 604800 3600 )
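The four zone-file issues above (default TTL handling, periods in SOA serial numbers, unbalanced quotes, and the opening parenthesis on a continuation line) can be swept for before the cut-over. The script below is an added example for this tutorial, not BIND code and not from the original slides; it is a line-level lint rather than a complete zone parser (no $INCLUDE handling, no escaped quotes), and both sample zones embedded in it are constructed for the demonstration.

```python
"""Line-level lint for zone-file habits that BIND-8 tolerated but BIND-9
rejects: no $TTL and no TTL on the first RR, a period in the SOA serial,
unbalanced double quotes, and an opening parenthesis on a continuation line.

Added example for this tutorial, not BIND code. Not a full zone parser
(no $INCLUDE, no escaped quotes); the sample zones below are constructed.
"""
import re

# A TTL token such as 3600, 1d or 1d12h (unit letters are case-insensitive).
TTL_RE = re.compile(r'^\d+(?:[smhdw]\d*)*$', re.I)


def _strip_comment(line):
    """Drop a trailing ';' comment, honouring quotes. An unbalanced quote
    therefore swallows any ';' after it, as BIND-9's own reader would."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            break
        out.append(ch)
    return ''.join(out)


def _line_has_ttl(line):
    """True if the RR on this line carries an explicit TTL. TTL and class may
    appear in either order; a leading blank means the owner name is omitted."""
    toks = line.split()
    start = 0 if line[0].isspace() else 1
    return any(TTL_RE.match(t) for t in toks[start:start + 2])


def check_zone(text):
    """Return [(lineno, code, message)] for every problem found, in file order."""
    problems = []
    saw_ttl_directive = seen_first_rr = False
    soa_fields = None          # RDATA tokens of an SOA still being collected
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if line.count('"') % 2:
            problems.append((lineno, 'unbalanced-quotes',
                             'unbalanced quotes; BIND-9 reads on to the next quote'))
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith('$'):          # $TTL, $ORIGIN, $GENERATE ...
            saw_ttl_directive |= stripped.upper().startswith('$TTL')
            continue
        if stripped.startswith('('):
            problems.append((lineno, 'paren-continuation',
                             'opening parenthesis must be on the first line of the RR'))
        toks = stripped.split()
        upper = [t.upper() for t in toks]
        if soa_fields is None:
            if not seen_first_rr:
                seen_first_rr = True
                if not saw_ttl_directive and not _line_has_ttl(line):
                    problems.append((lineno, 'no-ttl',
                                     'no $TTL and no TTL on the first RR: BIND-9 will '
                                     'not load the zone (BIND-8 used the SOA minimum)'))
            if 'SOA' in upper:
                soa_fields = toks[upper.index('SOA') + 1:]
        else:
            soa_fields += toks
        if soa_fields is not None:
            fields = ' '.join(soa_fields).replace('(', ' ').replace(')', ' ').split()
            if len(fields) >= 3:              # MNAME RNAME SERIAL ...
                if '.' in fields[2]:
                    problems.append((lineno, 'serial-period',
                                     f'SOA serial {fields[2]!r} contains a period; '
                                     'BIND-9 accepts integers only'))
                soa_fields = None
    return problems


# Constructed sample showing the BIND-8 habits described in this tutorial.
SAMPLE_ZONE = """\
@       IN SOA primary admin
        ( 3.002 3600 1200 604800 3600 )
        IN NS  primary
www     IN A   192.0.2.10
info    IN TXT "unterminated
"""

# The same zone as BIND-9 wants it.
FIXED_ZONE = """\
$TTL 86400
@       IN SOA primary admin (
            2000102600 3600 1200 604800 3600 )
        IN NS  primary
www     IN A   192.0.2.10
info    IN TXT "fixed"
"""

if __name__ == "__main__":
    for lineno, code, msg in check_zone(SAMPLE_ZONE):
        print(f"line {lineno}: {code}: {msg}")
```

Running it over every master zone file before the migration gives the list of files that will fail to load under BIND-9; secondaries need no change, since they receive the already-converted data from the primary.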
Unrestricted character set
• Older BIND versions attempted to protect applications from security breaches by discarding data containing 'inappropriate' characters.
  See: http://www.cert.org/advisories/CA-96.04
• BIND-9 is 8-bit clean in accordance with RFC2181.
• BIND-9 will not discard data to protect vulnerable applications; any octet the zone or a remote server returns is passed through to the application.
• Migration issues:
  • Replace vulnerable applications (the application, not the resolver, must validate DNS data it acts on)
  • Hostnames should follow RFC952 rules!
rndc(1) instead of ndc(1)
• rndc allows management of several remote nameservers
• Authentication via TSIG keys
• Requires configuration
• Migration issues:
  • Must use the controls statement in named.conf (note: UNIX sockets deprecated!)
  • Must set up rndc.conf
Lightweight resolver library & lwresd daemon
• BIND-8: stub resolver compiled into all applications (-lresolv or -lbind)
  • Problem: IPv6 introduced additional complexity best handled at the resolver end, which the old resolver cannot handle
• BIND-9: new lightweight resolver library
  • Uses a new resolver daemon (separate process on the same system), 'lwresd'
lwresd
• Acts like a caching nameserver on the local system
• Requires minimal or no configuration
• Uses the servers listed in the nameserver entries in /etc/resolv.conf as forwarders
• Able to handle the new IPv6 requirements: following A6 chains and DNAME records, simultaneous lookup of IPv4 and IPv6 addresses
• Simple UDP protocol between the new lightweight resolver lib and lwresd. NOT DNS!
IXFR changes
• BIND-9:
  • request-ixfr
  • provide-ixfr
  • IXFR journal file is always zonename.jnl
• BIND-8:
  • support-ixfr, maintain-ixfr-base: obsolete in BIND-9
  • max-ixfr-log-size: currently not implemented
  • ixfr-base: ignored in BIND-9
Example: BIND-8 split DNS
[Figure: BIND-8 split-DNS topology. Inside: clients 192.168.x.x; iNS1 192.168.10.1 and iNS2 192.168.88.1 (reply for internal zones, forward all queries for non-local zones to GWNS); iPRI 192.168.1.1 (zone transfer of internal zones to iNS1/iNS2); GWNS 192.168.0.1 (int) / 1.2.3.4 (ext). Outside: ePRI 192.168.1.2 (int) / 1.2.3.5 (pub) (zone transfer of external zones to eNS1/eNS2); eNS1 2.3.4.5; eNS2 3.4.5.6.]
BIND-8 split DNS configs
• iNS1 & iNS2
    acl "iPRI" { 192.168.1.1; };
    acl "GWNS" { 192.168.0.1; };
    options {
        forwarders { GWNS; };
        forward only;
        recursion yes;
    };
    zone "example.com" {
        type slave;
        masters { iPRI; };
    };
• GWNS
    acl "INTERNAL" { 192.168.0.0/16; };
    acl "PRIVINTF" { 192.168.0.1; };
    acl "PUBINTF" { 1.2.3.4; };
    options {
        allow-query { INTERNAL; };
        recursion yes;
        listen-on { PRIVINTF; };
        query-source address PUBINTF port *;
    };
Note: the ACL names written inside forwarders, masters and query-source in these fragments are shorthand for the addresses they hold; in a real named.conf those statements take IP addresses, not ACL names (ACL names are valid in address match lists such as allow-query and listen-on).
BIND-8 split DNS configs
• iPRI
    acl "iNSes" { 192.168.10.1; 192.168.88.1; };
    options {
        recursion no;
        allow-transfer { iNSes; };
        allow-query { iNSes; };
    };
    zone "example.com" {
        type master;
        file "/private/example.db";
    };
• Clients
    /etc/resolv.conf:
    nameserver 192.168.10.1
    nameserver 192.168.88.1
BIND-8 split DNS configs
• eNS1 & eNS2
    acl "ePRI" { 1.2.3.5; };
    options {
        recursion no;
        allow-query { any; };
        allow-transfer { none; };
    };
    zone "example.com" {
        type slave;
        file "sec/example.db";
        masters { ePRI; };
    };
• ePRI
    acl "eNSes" { 2.3.4.5; 3.4.5.6; };
    options {
        allow-transfer { eNSes; };
        recursion no;
        allow-query { eNSes; };
    };
    zone "example.com" {
        type master;
        file "/public/example.db";
    };
Split DNS with BIND-9
[Figure: BIND-9 split-DNS topology using views. iPRI 192.168.1.2 (zone transfer of internal zones) and ePRI 192.168.1.1 (zone transfer of external zones) both feed NS1 (1.2.3.4 / 192.168.10.1) and NS2 (2.3.4.5 / 192.168.10.2). A query for 'example.com' from inside is answered with internal data, a query from outside with external data, by the same servers.]
BIND-9 split DNS config
• NS1 and NS2
    acl "iPRI" { 192.168.1.2; };
    acl "ePRI" { 192.168.1.1; };
    options {
        recursion no;
        allow-query { any; };
        allow-transfer { none; };
    };
    view "external" {
        match-clients { !192.168.0.0/16; any; };
        recursion no;
        zone "example.com" {
            type slave;
            file "ext/example.db";
            masters { ePRI; };
        };
    };
    view "internal" {
        match-clients { 192.168.0.0/16; };
        recursion yes;
        zone "example.com" {
            type slave;
            file "int/example.db";
            masters { iPRI; };
        };
    };
Notes: a view takes its options directly (recursion yes;), not inside a nested options { } block. An address match list that contains only a negated element matches nothing, so the external view's match-clients needs the trailing any; (or the internal view must be listed first and the external one match any;). As in the BIND-8 fragments, the ACL names in masters { } stand for the addresses they hold; masters takes IP addresses.
BIND-9 split DNS configs
• iPRI & ePRI
    acl "NSes" { 192.168.10.1; 192.168.10.2; };
    options {
        recursion no;
        allow-query { none; };
        allow-transfer { none; };
        notify yes;
    };
    zone "example.com" {
        type master;
        file "example.db";
        allow-query { NSes; };
        allow-transfer { NSes; };
    };
• The only difference between iPRI and ePRI is the contents of the zonefile for 'example.com' (and of course their IP address).
• iPRI and ePRI could run on the same machine, if 2 instances of named are used, each with its own IP address!
Alternative split DNS w/ BIND-9
[Figure: PRI (1.2.3.4 / 192.168.10.2) holds both views of 'example.com' and forwards queries for external domains to the eSECs. iSEC (1.2.3.5 / 192.168.1.2) receives zone transfers of the internal zones and replies with internal data; eSEC1 (3.4.5.6) and eSEC2 (2.3.4.5) receive zone transfers of the external zones and reply with external data to queries for 'example.com'.]
Alternative split DNS w/ BIND-9
• PRI
    acl "internal" { 192.168.0.0/16; };
    acl "iSEC" { 192.168.1.2; };
    acl "eSECs" { 2.3.4.5; 3.4.5.6; };
    options {
        recursion yes;
        forwarders { eSECs; };
    };
    view "internal" {
        match-clients { internal; };
        zone "example.com" {
            type master;
            file "int/example.db";
            allow-transfer { iSEC; };
            allow-query { internal; };
        };
    };
    view "external" {
        match-clients { eSECs; };
        zone "example.com" {
            type master;
            file "ext/example.db";
            allow-transfer { eSECs; };
            allow-query { eSECs; };
        };
    };
Alternative split DNS w/ BIND-9
• iSEC
    acl "internal" { 192.168.0.0/16; };
    acl "PRI" { 192.168.10.2; };
    acl "eSECs" { 2.3.4.5; 3.4.5.6; };
    options {
        recursion yes;
        forwarders { eSECs; };
    };
    view "internal" {
        match-clients { internal; };
        zone "example.com" {
            type slave;
            masters { PRI; };
            file "int/example.db";
        };
    };
• eSEC1 & eSEC2
    acl "PRI" { 1.2.3.4; };
    acl "internal" { 1.2.3.4; 1.2.3.5; };
    options { recursion no; };
    view "external" {
        match-clients { !internal; any; };
        zone "example.com" {
            type slave;
            masters { PRI; };
            file "sec/example.db";
        };
    };
    view "internal" {
        match-clients { internal; };
        recursion yes;
    };
Note: on the eSECs the "external" view is listed first, so its match-clients must end in any; after the negated internal element (a list of only negated elements matches nothing); everything from PRI or iSEC then falls through to the "internal" view, whose recursion yes; is written directly in the view, not in a nested options block.
Split DNS with BIND-9
• If both primary and secondary server are to be the same for an internal and an external view, additional IP addresses are required (because there is no way to distinguish which view is meant in a serial# query or zone transfer).
This will NOT work!
• The same primary and secondary for different views of the same zone:
    PRIMARY 1.2.3.4 -> SECONDARY 4.3.2.1: zone transfer of external view, zone transfer of internal view
• Reason: with BOTH servers using only 1 IP address each, there is no way to distinguish requests for the internal view from those for the external view (SOA query and zone transfer request)
• Workaround: secondary with 2 IP addresses (transfer-source) or two primaries (2 instances of BIND on the same server?)
• (Later BIND-9 releases can also select a view by the TSIG key that signed the request, so the source address is no longer the only discriminator.)
Alternatives to BIND-9
• For those who can't or don't want to use BIND-9 yet (available from www.isc.org):
  • BIND-8.2.2-p5
  • BIND-8.2.3 (to be released Real-Soon-Now)
• All prior versions of BIND have security problems!
References, further reading etc.
• The BIND-9 Administrators Reference Manual
  http://www.nominum.com/resources/Bv9ARM-091200.pdf
• BIND-8 to BIND-9 Migration Notes
  /usr/src/bind-9.0.0/doc/misc/migration
• Implementation status of BIND-9 options
  /usr/src/bind-9.0.0/doc/misc/options