BIND-8 to BIND-9 Migration

A short tutorial

APNIC Meeting, Brisbane, October 2000

Mathias Körber, Nominum, Inc.

mathias.koerber@nominum.com

© Copyright 2000 Nominum, Inc.

BIND versions

• BIND-4.* - legacy BIND, limited features, security issues

• BIND-8.* - new, flexible config syntax; many new features (NOTIFY, selective forwarding etc)

• BIND-9 – total rewrite to prepare for future extensions, new features. Not all features are implemented as yet

New in BIND-9

• Full IPv6 support
• DNSSEC
• EDNS0
• Views
• Zone transfer built-in
• Lightweight resolver daemon (lwresd)

Features obsoleted in BIND-9

• named-xfer-path (no more separate named-xfer executable)
• deallocate-on-exit (is on by default now)
• fake-iquery (always disabled)
• has-old-clients
• multiple-cnames (always disabled!)
• use-id-pool (always on)
• treat-cr-as-space
• maintain-ixfr-base
• controls { unix … }
• support-ixfr
• ixfr-base
• allow-update

Who should NOT migrate to BIND-9 (yet)

• Those who rely on currently unimplemented features:
  • statistics
  • dialup feature
  • per-zone forwarding
  • rfc2308-type1
  • check-names
  • blackholing
  • $GENERATE
  • lame-ttl
  • serial-queries
  • resource-usage modifiers (*size etc.)
  • topology
  • RRset ordering

Who would want to migrate to BIND-9

• Early adopters :-)
• Those who would like Split-DNS to be easier

Basic Migration issues

• Handling of config file errors
• Handling of logging
• New logging categories
• ACLs case sensitive
• Default TTL handling
• Periods in serial numbers no longer allowed
• Unbalanced quotes
• RRs across line breaks
• Unrestricted character set
• ‘ndc’ replaced by ‘rndc’, which requires configuration

Handling of config file errors

• BIND-8 would continue after config file errors, resulting in partial configuration (zones load until the error position)

• BIND-9 will not start if any error is detected in the named.conf file.

Handling of Logging Statement

• BIND-8’s logging statement became effective right after it was read, i.e. configuration errors could be sent to a specific logging channel if logging was specified at the beginning of named.conf.

• BIND-9’s logging statement will become active only after the complete named.conf file has been read and BIND starts. Any configuration errors will go to the default logging, usually syslog or STDERR.

• Migration issues:
  • Look for configuration errors in syslog or on STDERR
  • Amend any automated log-checkers

New logging categories

• BIND-8: default, config, parser, queries, lame-servers, statistics, panic, update, ncache, xfer-in, xfer-out, db, eventlib, packet, notify, cname, security, os, insist, maintenance, load, response-checks

• BIND-9: default, general, database, security, config, resolver, xfer-in, xfer-out, notify, client, network, update

New logging categories

• Migration action:
  • Users who customized their logging will have to adapt their logging configuration to BIND-9’s new categories!

• Potential problems if not done:
  • Configuration file errors -> BIND-9 will not start.

ACL names are case sensitive

• BIND-8’s ACL names were case insensitive
• BIND-9’s ACL names are case sensitive

• Migration action:
  • Adapt all ACL references in your named.conf file to the proper case

• Potential problems if not done:
  • Configuration file error due to unrecognized ACL names -> BIND will not start
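A pre-migration check for named.conf along the lines of the last few slides, written for this page as an added example (it is not code from the slides or from BIND): it flags options from the "Features obsoleted in BIND-9" list, which make BIND-9 refuse to start, and ACL references whose spelling differs from the definition only by case, which BIND-8 accepted and BIND-9 rejects. The sample configuration is constructed here, and the regular-expression parsing is deliberately rough: it only inspects the address-match lists named in LIST_KEYWORDS and does not understand every named.conf construct.

```python
import ipaddress
import re

# Options from the slide "Features obsoleted in BIND-9"; they must be removed
# before named is started, because BIND-9 refuses to start on any named.conf error.
OBSOLETED = {
    "named-xfer-path", "deallocate-on-exit", "fake-iquery", "has-old-clients",
    "multiple-cnames", "use-id-pool", "treat-cr-as-space", "maintain-ixfr-base",
    "support-ixfr", "ixfr-base", "allow-update",
}

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Statements that take an address-match list in which ACL names may appear.
LIST_KEYWORDS = ("allow-query", "allow-transfer", "allow-recursion", "allow-notify",
                 "match-clients", "match-destinations", "listen-on", "blackhole")

ACL_DEF_RE = re.compile(r'\bacl\s+"?([A-Za-z0-9_.-]+)"?\s*\{')
LIST_RE = re.compile(r'\b(' + "|".join(LIST_KEYWORDS) + r')\s*\{([^{}]*)\}')
STATEMENT_RE = re.compile(r'^\s*([a-z][a-z-]*)\b')


def strip_comments(conf):
    """Remove /* */, // and # comments so their text is not mistaken for statements."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def is_address(token):
    """True for an IP address or prefix (which may appear in any match list)."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint_named_conf(conf):
    """Return (kind, name) findings: 'obsolete', 'acl-case' or 'acl-undefined'."""
    conf = strip_comments(conf)
    findings = []

    for line in conf.splitlines():
        m = STATEMENT_RE.match(line)
        if m and m.group(1) in OBSOLETED:
            findings.append(("obsolete", m.group(1)))

    defined = set(ACL_DEF_RE.findall(conf))
    by_lower = {name.lower(): name for name in defined}
    for _keyword, body in LIST_RE.findall(conf):
        skip = False
        for token in body.replace(";", " ").split():
            if skip:                  # the name after 'key' is a TSIG key, not an ACL
                skip = False
                continue
            if token == "key":
                skip = True
                continue
            name = token.lstrip("!").strip('"')
            if not name or name in defined or name in BUILTIN_ACLS or is_address(name):
                continue
            if name.lower() in by_lower:
                # BIND-8 matched ACL names case-insensitively; BIND-9 does not.
                findings.append(("acl-case", name))
            else:
                findings.append(("acl-undefined", name))
    return findings


# Constructed sample in the style of the GWNS configuration on the split-DNS slides.
SAMPLE_NAMED_CONF = """\
acl "INTERNAL" { 192.168.0.0/16; };
acl "PRIVINTF" { 192.168.0.1; };
options {
    allow-query { internal; };       // BIND-8 matched this case-insensitively
    listen-on { PRIVINTF; };
    recursion yes;
    fake-iquery no;                  // obsoleted in BIND-9
    multiple-cnames no;              // obsoleted in BIND-9
};
zone "example.com" {
    type master;
    file "/private/example.db";
    allow-transfer { PrivIntf; localhost; };
    allow-query { INTERNAL; none; };
};
"""

if __name__ == "__main__":
    for kind, name in lint_named_conf(SAMPLE_NAMED_CONF):
        print(f"{kind}: {name}")
```

Run it against a copy of the BIND-8 named.conf before the first BIND-9 start; anything reported as `obsolete` or `acl-case` will otherwise surface as a fatal parse error in syslog or on STDERR.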

Default TTL handling has changed

• BIND-8 used the SOA minimum field if no $TTL was found and the first RR had no explicit TTL ("minimum field used!"). Under BIND-9 such a zone is an ERROR.

• BIND-9 requires either a $TTL (preferred!) or a TTL on the first RR. Otherwise the zone will not load.

Zone header accepted by BIND-9 (a $TTL and an explicit TTL on the SOA):

$TTL 86400
@ 3600 IN SOA primary admin (
        2000102600 3600 1200 604800 3600 )

Periods in SOA Serial numbers

• Some old BIND versions allowed periods in SOA serial numbers (e.g. 3.002)

• Special, highly obscure calculations involved. The primary will convert to an integer when the zone is loaded

• Not widely used, usually recommended against

• BIND-9:
  • Serial numbers restricted to integers only

• Migration issue:
  • Secondaries: none (the calculation will have been performed on the primary)
  • Primaries: change zonefiles!

Unbalanced quotes

• Some versions of BIND did not complain about unbalanced quotes

• Missing closing quotes were added at end-of-line

• BIND-9:
  • Very strict about quoting, will continue reading the string until the next quote

• Migration issue:
  • Potentially, old errors may surface and affect zone loading. Clean up zonefiles!

RRs across line breaks

• Some versions of BIND allow the opening parenthesis on the second line of a multi-line resource record:

  @ IN SOA primary admin
  ( 2000102600 3600 1200 604800 3600 )

• BIND-9 requires the opening parenthesis on the first line:

  @ IN SOA primary admin ( 2000102600 3600 1200 604800 3600 )
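The zone-file pitfalls of the last four slides (no default TTL, a period in the SOA serial, unbalanced quotes, and an opening parenthesis on the line after the record) can all be caught before BIND-9 refuses the zone. The checker below is an added example written for this page, not part of the slides or of BIND; its sample zones are constructed, the first one is intentionally broken in the ways just described, and the line-oriented parsing only understands the classic master-file layout (it does not expand $INCLUDE or $GENERATE).

```python
import re

TTL_RE = re.compile(r'^\d+[smhdwSMHDW]?$')        # 3600, 1D, 2h ...
SERIAL_WITH_PERIOD_RE = re.compile(r'^\d+\.\d+$')  # the old 3.002 style
CLASSES = {"IN", "CH", "HS"}


def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted string."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def has_explicit_ttl(line):
    """True if the RR on this line carries its own TTL (TTL and class may be in either order)."""
    tokens = line.split()
    if not line[0].isspace():        # an owner name is present; skip it
        tokens = tokens[1:]
    for tok in tokens[:2]:
        if TTL_RE.match(tok):
            return True
        if tok.upper() not in CLASSES:
            break                    # reached the type: there was no TTL field
    return False


def lint_zone(text):
    """Return (line_no, kind, message) for each migration problem found."""
    findings = []
    lines = [strip_comment(raw) for raw in text.splitlines()]
    saw_ttl_directive = saw_first_rr = False

    for idx, line in enumerate(lines, start=1):
        if line.count('"') % 2:
            findings.append((idx, "unbalanced-quote",
                             "odd number of quotes; BIND-9 reads on until the next quote"))
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("("):
            findings.append((idx, "paren-on-next-line",
                             "opening parenthesis must be on the record's first line"))
            continue
        if stripped.startswith("$"):
            saw_ttl_directive |= stripped.split()[0].upper() == "$TTL"
            continue
        if not saw_first_rr:
            saw_first_rr = True
            if not saw_ttl_directive and not has_explicit_ttl(line):
                findings.append((idx, "no-default-ttl",
                                 "no $TTL and no TTL on the first RR; BIND-9 will not load the zone"))
        soa = re.search(r'\bSOA\b', line)
        if soa:
            # join continuation lines of a parenthesised SOA to reach the serial
            block, nxt = line, idx
            while "(" in block and ")" not in block and nxt < len(lines):
                block += " " + lines[nxt]
                nxt += 1
            fields = block[soa.end():].replace("(", " ").replace(")", " ").split()
            if len(fields) >= 3 and SERIAL_WITH_PERIOD_RE.match(fields[2]):
                findings.append((idx, "serial-has-period",
                                 f"serial {fields[2]} is not an integer"))
    return findings


# Constructed BIND-8 era zone file showing three of the pitfalls at once.
SAMPLE_BIND8_ZONE = """\
@       IN SOA  primary admin (
                3.002 3600 1200 604800 3600 )
        IN NS   primary
www     IN TXT  "unterminated string
"""

# Constructed file with the parenthesis on the second line, as on the slide.
SAMPLE_PAREN_ZONE = """\
$TTL 86400
@       IN SOA  primary admin
        ( 2000102600 3600 1200 604800 3600 )
        IN NS   primary
"""

# The BIND-9 form: $TTL present, integer serial, parenthesis on the first line.
SAMPLE_CLEAN_ZONE = """\
$TTL 86400
@ 3600  IN SOA  primary admin (2000102600 3600 1200 604800 3600 )
        IN NS   primary
"""

if __name__ == "__main__":
    for name, zone in [("bind8", SAMPLE_BIND8_ZONE), ("paren", SAMPLE_PAREN_ZONE),
                       ("clean", SAMPLE_CLEAN_ZONE)]:
        for line_no, kind, message in lint_zone(zone) or [(0, "ok", "no problems")]:
            print(f"{name}:{line_no}: {kind}: {message}")
```

The serial check reports the SOA's own line even when the serial sits on a continuation line, which is where an editor would go to fix it; the quote check is per line because that is also where BIND-9's "read on to the next quote" behaviour starts to swallow the following records.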

Unrestricted character set

• Older BIND versions attempted to protect applications from security breaches by discarding data containing ‘inappropriate’ characters.

• See: http://www.cert.org/advisories/CA-96.04

• BIND-9 is 8-bit-clean in accordance with RFC2181.

• BIND-9 will not discard data to protect vulnerable applications.

• Migration issues:
  • Replace vulnerable applications
  • Hostnames should follow RFC952 rules!

rndc(1) instead of ndc(1)

• rndc allows management of several remote nameservers

• Authentication via TSIG keys

• Requires configuration

• Migration issues:
  • Must use the controls statement in named.conf
  • Note: UNIX sockets deprecated!
  • Must set up rndc.conf

Lightweight Resolver Library & lwresd Daemon

BIND-8
• Stub resolver compiled into all applications (-lresolv or -lbind)

Problem:
• IPv6 introduced additional complexity best handled at the resolver end, which the old resolver cannot handle

BIND-9
• New lightweight resolver library
• Uses a new resolver daemon (separate process on the same system), ‘lwresd’

lwresd

• Acts like a caching nameserver on the local system

• Requires minimum or no configuration

• Uses the servers listed in the nameserver entries in /etc/resolv.conf as forwarders

• Able to handle new IPv6 requirements:
  • Following A6 chains and DNAME records, simultaneous lookup of IPv4 and IPv6 addresses

• Simple UDP protocol between the new lightweight resolver library and lwresd. NOT DNS!

IXFR changes

BIND-8:
• support-ixfr: obsolete in BIND-9
• maintain-ixfr-base: obsolete in BIND-9
• max-ixfr-log-size: currently not implemented
• ixfr-base: ignored in BIND-9

BIND-9:
• request-ixfr
• provide-ixfr
• IXFR journal file is always zonename.jnl

Example: BIND-8 Split DNS

[Diagram: BIND-8 split DNS, inside (clients 192.168.x.x) and outside]
• Clients 192.168.x.x query iNS1/iNS2 and get replies for the internal zones
• iNS1 192.168.10.1 and iNS2 192.168.88.1: receive zone transfers of the internal zones from iPRI; forward all queries for non-local zones to GWNS
• iPRI 192.168.1.1: primary for the internal zones
• GWNS 192.168.0.1 (int) / 1.2.3.4 (ext): forwarder between inside and outside
• eNS1 2.3.4.5 and eNS2 3.4.5.6: receive zone transfers of the external zones from ePRI
• ePRI 192.168.1.2 (int) / 1.2.3.5 (pub): primary for the external zones

BIND-8 Split DNS configs

• iNS1 & iNS2

acl "iPRI" { 192.168.1.1; };
acl "GWNS" { 192.168.0.1; };

options {
  forwarders { 192.168.0.1; };   // GWNS; forwarders and masters take addresses, not ACL names
  forward only;
  recursion yes;
};

zone "example.com" {
  type slave;
  masters { 192.168.1.1; };      // iPRI
};

• GWNS

acl "INTERNAL" { 192.168.0.0/16; };
acl "PRIVINTF" { 192.168.0.1; };
acl "PUBINTF" { 1.2.3.4; };

options {
  allow-query { INTERNAL; };
  recursion yes;
  listen-on { PRIVINTF; };
  query-source address 1.2.3.4 port *;   // PUBINTF
};

BIND-8 Split DNS configs

• iPRI

acl "iNSes" { 192.168.10.1; 192.168.88.1; };

options {
  recursion no;
  allow-transfer { iNSes; };
  allow-query { iNSes; };
};

zone "example.com" {
  type master;
  file "/private/example.db";
};

• clients

/etc/resolv.conf:
nameserver 192.168.10.1
nameserver 192.168.88.1

BIND-8 Split DNS configs

• eNS1 & eNS2

acl "ePRI" { 1.2.3.5; };

options {
  recursion no;
  allow-query { any; };
  allow-transfer { none; };
};

zone "example.com" {
  type slave;
  file "sec/example.db";
  masters { 1.2.3.5; };   // ePRI
};

• ePRI

acl "eNSes" { 2.3.4.5; 3.4.5.6; };

options {
  allow-transfer { eNSes; };
  recursion no;
  allow-query { eNSes; };
};

zone "example.com" {
  type master;
  file "/public/example.db";
};

SPLIT DNS with BIND-9

[Diagram: split DNS with BIND-9]
• NS1 (1.2.3.4 / 192.168.10.1) and NS2 (2.3.4.5 / 192.168.10.2): secondaries for both views
• iPRI (192.168.1.2): zone transfer of the internal zones to NS1/NS2
• ePRI (192.168.1.1): zone transfer of the external zones to NS1/NS2
• Query for ‘example.com’ from inside: reply with internal data; from outside: reply with external data

BIND-9 Split DNS config

• NS1 and NS2

acl "iPRI" { 192.168.1.2; };
acl "ePRI" { 192.168.1.1; };

options {
  recursion no;
  allow-query { any; };
  allow-transfer { none; };
};

view "internal" {
  match-clients { 192.168.0.0/16; };
  recursion yes;
  zone "example.com" {
    type slave;
    file "int/example.db";
    masters { 192.168.1.2; };   // iPRI; masters take addresses, not ACL names
  };
};

view "external" {
  // a list holding only a negated element matches nobody; the trailing
  // 'any' selects every client that was not matched by the negation
  match-clients { !192.168.0.0/16; any; };
  recursion no;
  zone "example.com" {
    type slave;
    file "ext/example.db";
    masters { 192.168.1.1; };   // ePRI
  };
};
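How named decides which view answers a client follows from BIND's address-match-list rule: elements are tried in order, the first element that matches decides, a negated element that matches rejects, and no match at all also rejects. The evaluator below is an added example for this page (not code from the slides or from BIND) that applies that rule to view definitions like the ones above; the views, ACL table and client addresses are constructed here. It also shows why a match-clients list consisting only of a negated element (`{ !192.168.0.0/16; }`) selects no clients at all, so the external view needs a trailing `any;` before outside clients reach it.

```python
import ipaddress


def _eval_list(ip, match_list, acls):
    """Scan a BIND address-match list in order and return the first decision:
    +1 for a positive match, -1 for a negated match, 0 when nothing matched."""
    for element in match_list:
        element = element.strip()
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = 1
        elif name == "none":
            hit = 0
        elif name in acls:                       # nested ACL keeps its own sign
            hit = _eval_list(ip, acls[name], acls)
        else:
            hit = int(ip in ipaddress.ip_network(name, strict=False))
        if hit:
            return -hit if negated else hit
    return 0


def list_allows(addr, match_list, acls=None):
    """Access-control reading of a match list: only a positive first hit allows."""
    return _eval_list(ipaddress.ip_address(addr), match_list, acls or {}) == 1


def select_view(addr, views, acls=None):
    """Views are tried in configuration order; the first whose match-clients
    allows the client answers it. None means no view matched, in which case
    named has no view to answer the client from."""
    for view_name, match_clients in views:
        if list_allows(addr, match_clients, acls):
            return view_name
    return None


# Constructed ACL table, as on the iSEC/eSEC slides.
ACLS = {"internal": ["192.168.0.0/16"]}

# match-clients lists for NS1/NS2 with the external view written as a lone negation ...
VIEWS_LONE_NEGATION = [
    ("internal", ["192.168.0.0/16"]),
    ("external", ["!192.168.0.0/16"]),
]

# ... and with the trailing 'any' that makes the external view reachable.
VIEWS_WITH_ANY = [
    ("internal", ["192.168.0.0/16"]),
    ("external", ["!192.168.0.0/16", "any"]),
]

if __name__ == "__main__":
    for client in ("192.168.10.5", "1.2.3.4"):
        print(client, "lone negation ->", select_view(client, VIEWS_LONE_NEGATION),
              "| with any ->", select_view(client, VIEWS_WITH_ANY))
    print("10.1.1.1 allowed by { !internal; any; }:",
          list_allows("10.1.1.1", ["!internal", "any"], ACLS))
```

The same evaluator answers the security question behind split DNS: an address that falls into the internal view gets the internal data, so the match-clients list, not the zone file, is what keeps private names off the Internet.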

BIND-9 Split DNS configs

• iPRI & ePRI

acl "NSes" { 192.168.10.1; 192.168.10.2; };

options {
  recursion no;
  allow-query { none; };
  allow-transfer { none; };
  notify yes;
};

zone "example.com" {
  type master;
  file "example.db";
  allow-query { NSes; };
  allow-transfer { NSes; };
};

• The only difference between iPRI and ePRI is the contents of the zonefile for ‘example.com’ (and of course their IP address).

• iPRI and ePRI could run on the same machine, if 2 instances of named are used, each with its own IP address !

Alternative SPLIT DNS w/ BIND-9

[Diagram: alternative split DNS with BIND-9]
• PRI (1.2.3.4 / 192.168.10.2): primary for both views; zone transfer of the internal zones to iSEC and of the external zones to eSEC1/eSEC2
• iSEC (1.2.3.5 / 192.168.1.2): internal secondary; forwards queries for external domains to the eSECs
• eSEC1 (3.4.5.6) and eSEC2 (2.3.4.5): external secondaries
• Query for ‘example.com’ from inside: reply with internal data; from outside: reply with external data

Alternative split DNS w/ BIND-9

• PRI

acl "internal" { 192.168.0.0/16; };
acl "iSEC" { 192.168.1.2; };
acl "eSECs" { 2.3.4.5; 3.4.5.6; };

options {
  recursion yes;
  forwarders { 2.3.4.5; 3.4.5.6; };   // eSECs; forwarders take addresses, not ACL names
};

view "internal" {
  match-clients { internal; };
  zone "example.com" {
    type master;
    file "int/example.db";
    allow-transfer { iSEC; };
    allow-query { internal; };
  };
};

view "external" {
  match-clients { eSECs; };
  zone "example.com" {
    type master;
    file "ext/example.db";
    allow-transfer { eSECs; };
    allow-query { eSECs; };
  };
};

Alternative split DNS w/ BIND-9

• iSEC

acl "internal" { 192.168.0.0/16; };
acl "PRI" { 192.168.10.2; };
acl "eSECs" { 2.3.4.5; 3.4.5.6; };

options {
  recursion yes;
  forwarders { 2.3.4.5; 3.4.5.6; };   // eSECs
};

view "internal" {
  match-clients { internal; };
  zone "example.com" {
    type slave;
    masters { 192.168.10.2; };   // PRI
    file "int/example.db";
  };
};

• eSEC1 & eSEC2

acl "PRI" { 1.2.3.4; };
acl "internal" { 1.2.3.4; 1.2.3.5; };

options { recursion no; };

view "external" {
  // '! internal' alone would match nobody; 'any' selects the remaining clients
  match-clients { !internal; any; };
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; };   // PRI
    file "sec/example.db";
  };
};

view "internal" {
  match-clients { internal; };
  recursion yes;
};

Split DNS with BIND-9

• If both primary and secondary server are to be the same for an internal and an external view, additional IP addresses are required (because there is no way to distinguish which view is meant in a serial# query or zonetransfer).

The same primary and secondary for different views of the same zone:

[Diagram: PRIMARY 1.2.3.4 holding an internal and an external view of the zone; SECONDARY 4.3.2.1 requesting a zone transfer of the external view and a zone transfer of the internal view from the same address]

This will NOT work!

Reason: with BOTH servers using only one IP address each, there is no way to distinguish requests for the internal view from those for the external view (SOA query and zone transfer request).

Workaround: secondary with 2 IP addresses (transfer-source) or two primaries (2 instances of BIND on the same server?)

Alternatives to BIND-9

• For those who cannot or do not want to use BIND-9 yet (available from www.isc.org):
  • BIND-8.2.2-p5
  • BIND-8.2.3 (to be released Real-Soon-Now)

• All prior versions of BIND have security problems!

References, Further Reading etc

• The BIND-9 Administrators Reference Manual: http://www.nominum.com/resources/Bv9ARM-091200.pdf

• BIND-8 to BIND-9 Migration Notes: /usr/src/bind-9.0.0/doc/misc/migration

• Implementation status of BIND-9 options: /usr/src/bind-9.0.0/doc/misc/options
