DNS Session 3: Configuration of Recap Authoritative Nameservice ● DNS is a distributed database ● Resolver asks Cache for information ● Cache traverses the DNS delegation tree to find Authoritative nameserver which has the Ayitey Bulley information requested AfNOG 2008 Workshop ● Bad configuration of authoritative servers can result in broken domains Slaves connect to Master to retrieve DNS Replication copy of zone data ● For every domain, we need more than one ● The master does not "push" data to the slaves authoritative nameserver with the same information (RFC 2182) ● Data is entered in one server (Master) and Slave replicated to the others (Slave(s)) ● Outside world cannot tell the difference between master and slave Master Slave – NS records are returned in random order for equal load sharing ● Used to be called "primary" and "secondary" When does replication take place? Serial Numbers ● Slaves poll the master periodically - called the ● Every zone file has a Serial Number "Refresh Interval" - to check for new data ● Slave will only copy data when this number – Originally this was the only mechanism INCREASES ● With new software, master can also notify the – Periodic UDP query to check Serial Number slaves when the data changes – If increased, TCP transfer of zone data – Results in quicker updates ● It is your responsibility to increase the serial ● The notification is unreliable (e.g. network might number after every change, otherwise slaves lose a packet) so we still need checks at the and master will be inconsistent Refresh Interval 1
Recommended serial number Serial Numbers: Danger 1 format: YYYYMMDDNN ● YYYY = year ● If you ever decrease the serial number, the slaves will never update again until the serial ● MM = month (01-12) number goes above its previous value ● DD = day (01-31) ● RFC1912 section 3.1 explains a method to fix ● NN = number of changes today (00-99) this problem – e.g. if you change the file on 23rd April 2007, the ● At worst, you can contact all your slaves and serial number will be 2008052700. If you change it get them to delete their copy of the zone data again on the same day, it will be 2008052701. Serial Numbers: Danger 2 Configuration of Master ● Serial no. is a 32-bit unsigned number ● /etc/namedb/named.conf points to zone file (manually created) containing your RRs ● Range: 0 to 4,294,967,295 ● Choose a logical place to keep them ● Any value larger than this is silently truncated – e.g. /etc/namedb/master/tiscali.co.uk ● e.g. 20080527000 (note extra digit) – or /etc/namedb/master/uk.co.tiscali = 4ACE48698 (hex) zone "example.com" { = ACE48698 (32 bits) type master; file "master/example.com"; = 2900657816 allow-transfer { 192.188.58.126; ● If you make this mistake, then later correct it, 192.188.58.2; }; }; the serial number will have decreased Configuration of Slave Master and Slave ● It's perfectly OK for one server to be Master for ● named.conf points to IP address of master some zones and Slave for others and location where zone file should be ● That's why we recommend keeping the files in created different directories ● Zone files are transferred automatically – /etc/namedb/master/ ● Don't touch them! – /etc/namedb/slave/ zone "example.com" { ● (also, the slave directory can have appropriate type slave; permissions so that the daemon can create files) masters { 192.188.58.126; }; file "slave/example.com"; allow-transfer { none; }; }; 2
Structure of a zone file allow-transfer { ... } ● Global options ● Remote machines can request a transfer of the – $TTL 1d entire zone contents – Sets the default TTL for all other records ● By default, this is permitted to anyone ● SOA RR ● Better to restrict this – "Start Of Authority" ● You can set a global default, and override this – Housekeeping information for the zone for each zone if required ● NS RRs options { – List all the nameservers for the zone, master and allow-transfer { 127.0.0.1; }; slaves }; ● Other RRs – The actual data you wish to publish Format of a Resource Record Shortcuts www 3600 IN A 212.74.112.80 Domain TTL Class Type Data ● If the Domain Name does not end in a dot, the zone's own domain ("origin") is appended ● One per line (except SOA can extend over several lines) ● A Domain Name of "@" means the origin itself ● If you omit the Domain Name, it is the same as the ● e.g. in zone file for example.com: previous line – @ means example.com. ● TTL shortcuts: e.g. 60s, 30m, 4h, 1w2d – www means www.example.com. ● If you omit the TTL, uses the $TTL default value ● If you omit the Class, it defaults to IN ● Type and Data cannot be omitted ● Comments start with SEMICOLON (;) If you write this... Format of the SOA record $TTL 1d @ SOA ( ... ) $TTL 1d NS ns0 NS ns0.as9105.net. ; Main webserver @ 1h IN SOA ns1.example.net. joe.pooh.org. ( 2004030300 ; Serial www A 212.74.112.80 8h ; Refresh MX 10 mail 1h ; Retry 4w ; Expire ... it becomes this 1h ) ; Negative IN NS ns1.example.net. example.com. 86400 IN SOA ( ... ) IN NS ns2.example.net. example.com. 86400 IN NS ns0.example.com. IN NS ns1.othernetwork.com. example.com. 86400 IN NS ns0.as9105.net. www.example.com. 86400 IN A 212.74.112.80 www.example.com. 86400 IN MX 10 mail.example.com. 3
Format of the SOA record Format of the SOA record (cont) ● ns1.example.net. ● Expiry time – hostname of master nameserver ● joe.pooh.org. – If the slave is unable to contact the master for this period of time, it will delete its copy of the zone data – E-mail address of responsible person, with "@" ● Negative / Minimum changed to dot, and trailing dot ● Serial number – Old software used this as a minimum value of the TTL ● Refresh interval – Now it is used for negative caching: indicates how – How often Slave checks serial number on Master long a cache may store the non-existence of a RR ● Retry interval ● RIPE-203 has recommended values – How often Slave checks serial number if the – http://www.ripe.net/ripe/docs/dns-soa.html Master did not respond Format of NS records Format of other RRs ● List all authoritative nameservers for the zone ● IN A 1.2.3.4 - master and slave(s) ● IN MX 10 mailhost.example.com. ● Must point to HOSTNAME not IP address – The number is a "preference value". Mail is $TTL 1d delivered to the lowest-number MX first @ 1h IN SOA ns1.example.net. joe.pooh.org. ( – Must point to HOSTNAME not IP address 2004030300 ; Serial 8h ; Refresh ● IN CNAME host.example.com. 1h ; Retry 4w ; Expire ● IN PTR host.example.com. 1h ) ; Negative ● IN TXT "any text you like" IN NS ns1.example.net. IN NS ns2.example.net. IN NS ns1.othernetwork.com. When you have added or changed a These checks are ESSENTIAL zone file: ● Remember to increase the serial number! ● If you have an error in named.conf or a zone ● named-checkzone example.com \ file, named may continue to run but will not be /etc/namedb/master/example.com authoritative for the bad zone(s) – bind 9 feature ● You will be lame for the zone without realising it – reports zone file syntax errors; correct them! ● Slaves will not be able to contact the master ● named-checkconf ● Eventually (e.g. 4 weeks later) the slaves will – reports errors in named.conf expire the zone ● rndc reload ● Your domain will stop working – or: rndc reload example.com ● tail /var/log/messages 4
So now you have working Other checks you can do authoritative nameservers! ● dig +norec @x.x.x.x example.com. soa ● But none of this will work until you have delegation from the domain above – Check the AA flag ● That is, they put in NS records for your domain, – Repeat for the master and all the slaves pointing at your nameservers – Check the serial numbers match ● dig @x.x.x.x example.com. axfr ● You have also put NS records within the zone file – "Authority Transfer" ● The two sets should match – Requests a full copy of the zone contents over TCP, as slaves do to master – This will only work from IP addresses listed in the allow-transfer {...} section TOP TEN ERRORS in authoritative Any questions? nameservers ● All operators of auth nameservers should read RFC 1912 – Common DNS Operational and Configuration Errors ? ● And also RFC 2182 – Selection and Operation of Secondary DNS servers 2. Comments in zone files starting 1. Serial number errors '#' instead of ';' ● Forgot to increment serial number ● Syntax error in zone file ● Incremented serial number, then decremented it ● Master is no longer authoritative for the zone ● Used serial number greater than 2 32 ● Slaves cannot check SOA ● Impact: ● Slaves eventually expire the zone, and your domain stops working entirely – Slaves do not update ● Use "named-checkzone" – Master and slaves have inconsistent data – Caches will sometimes get the new data and ● Use "tail /var/log/messages" sometimes old - intermittent problem 5
Recommend
More recommend
