bind-8 to bind-9 migration a short tutorial apnic meeting, brisbane, october 2000 mathias körber...

BIND-8 to BIND-9 Migration

A short tutorial

APNIC Meeting, Brisbane,October 2000

Mathias KörberNominum, Inc.

[email protected]

© Copyright 2000 Nominum, Inc.

(C) Copyright 2000 Nominum, Inc.2

BIND versions

• BIND-4.* - legacy BIND, limited features, security issues

• BIND-8.* - new, flexible config syntax; many new features (NOTIFY, selective forwarding etc)

• BIND-9 – total rewrite to prepare for future extensions, new features. Not all features are implemented as yet


New in BIND-9

• Full IPv6 support• DNSSEC• EDNS0• VIEWS• Zonetransfer built-in• Light-weight resolver daemon (lwresd)


Features obsoleted in BIND-9• named-xfer-path (no more separate named-xfer executable)• deallocate-on-exit (is on by default now)• fake-iquery (always disabled)• has-old-clients • multiple-cnames (always disabled!)• use-id-pool (always on)• treat-cr-as-space• maintain-ixfr-base• controls { unix … }• support-ixfr• ixfr-base• allow-update


Who should NOT migrate to BIND-9 (yet)

• statistics• dialup Feature• per-zone forwarding• rfc2301-type1• check-names• blackholing• $GENERATE

• lame-TTL• serial-queries• resource-usage

modifiers (*size etc)• topology• RRset ordering

• Those who rely on currently unimplemented features:


Who would want to migrate to BIND-9

• Early adopters :-)• Those who would like

Split-DNS easier


Basic Migration issues

• Handling of config file errors

• Handling of logging• New logging categories• ACLs case sensitive• Default TTL handling• Periods in serial

numbers no longer allowed

• Unbalanced quotes• RRs across line breaks• Unrestricted character

set• ‘ndc’ replaced by

‘rndc’ which requires configuration


Handling of config file errors

• BIND-8 would continue after config file errors, resulting in partial configuration (zones load until the error position)

• BIND-9 will not start if any error is detected in the named.conf file.


Handling of Logging Statement

• BIND-8’s logging statement became effective right after it was read, i.e. configuration errors could be sent to a specific logging channel if logging was specified at the beginning of named.conf.

• BIND-9’s logging statement will become active only after the complete named.conf file has been read and BIND starts. Any configuration errors will go to the default logging, usually syslog or STDERR

• Migration issues:• Look for configuration errors in syslog or on STDERR• Amend any automated log-checkers


New logging categories

• BIND-8• default• config• parser• queries• lame-servers• statistics• panic• update• ncache• xfer-in• xfer-out• db

• BIND-9• default• general• database• security• config• resolver• xfer-in• xfer-out• notify• client• network• update

• eventlib• packet• notify• cname• security• os• insist• maintenance• load• response-

checks


New logging categories

• Migration action• Users who customized their logging will have to adapt their

logging configuration to BIND-9’s new categories !

• Potential problems if not done:• Configuration file errors -> BIND-9 will not start.


ACL names are case sensitive

• BIND-8’s ACL names were case insensitive• BIND-9’s ACL names are case sensitive

• Migration action:• Adapt all ACL references in your named.conf file to the

proper case

• Potential problems if not done:• Configuration file error due to unrecognized ACL names

• -> BIND will not start


$TTL 86400

@ 3600 IN SOA primary admin (

2000102600 3600 1200 604800 3600)

Default TTL handling has changed

• BIND-8 used SOA minimum field if no $TTL was found and first RR had not explicit TTL.

$TTL 86400

@ 3600 IN SOA primary admin (

2000102600 3600 1200 604800 3600)

ERROR

Minimum field used !

• BIND-9 requires either a $TTL (preferred!) or a TTL on the first RR. Else the zone will not load


Periods in SOA Serial numbers

• Some old BIND versions allowed periods in SOA serial numbers (eg: 3.002)

• Special, highly obscure calculations involved. Primary will convert to integer when zone is loaded

• Not widely used, usually recommended against

• BIND-9:• Serial numbers restricted to

integers only

• Migration issue:• Secondaries: none (calculation

will have been performed on primary)

• Primaries: change zonefiles !


Unbalanced quotes

• Some versions of BIND did not complain about unbalanced quotes

• Missing closing quotes were added at end-of line

• BIND-9:• Very strict about

quoting, will continue reading string until next quotes

• Migration issue:• Potentially, old errors

may surface and affect zone loading. Clean up zonefiles!


RRs across line breaks

• Some versions of BIND allow opening parenthesis on the second line of a multi-line resource record:

• @ IN SOA primary admin

( 2000102600 3600 1200 604800 3600 )

• BIND-9 requires the opening parenthesis on the first line:

• @ IN SOA primary admin (2000102600 3600 1200 604800 3600 )


Unrestricted character set

• Older BIND versions attempted to protect applications from security breaches by discarding data containing ‘inappropriate’ characters.

• See: http://www.cert.org/advisories/

CA-96.04

• BIND-9 is 8-bit-clean in accordance with RFC2181.

• BIND-9 will not discard data to protect vulnerable applications.

• Migration issues:• Replace vulnerable

applications• Hostnames should follow

RFC952 rules !


rndc(1) instead of ndc(1)

• Rndc allows management of several remote nameservers

• Authentication via TSIG keys

• Requires configuration

• Migration issues• Must use control

statement in named.conf• Note: UNIX sockets

deprecated !• Must setup rndc.conf


Lightweight Resolver Library & lwresd Daemon

BIND-8• Stub resolver compiled into

all applications (-lresolv or –lbind)

Problem:• IPv6 introduced additional

complexity best handled at the resolver end, which the old resolver cannot handle

BIND-9• New lightweight

resolver lib• Used new resolver

daemon (separate process on the same system) ‘lwresd’


lwresd

• Acts like a caching nameserver on the local system

• Requires minimum or no configuration

• Uses the servers listed in the nameservers entries in /etc/resolv.conf as forwarders

• able to handle new IPv6 requirements• Following A6 chains and

DNAME records, simultaneous lookup of IPv4 and IPv6 addresses

• simple UDP protocol between new lightweight resolver lib and lwresd. NOT DNS !


IXFR changes

BIND-8• support-ixfr

• maintain-ixfr-baseobsolete in BIND-9

• max-ixfr-log-sizecurrently not implemented

• ixfr-baseignored in BIND-9

BIND-9• request-ixfr• provide-ixfr

• IXFR journal file is always zonename.jnl


Example: BIND-8 Split DNS

Clients192.168.x.x

inside outside

zonetransferof internalzones

Reply for internal zones

zonetransferof externalzones

fwd all queriesfor non-localzones

iNS1192.168.10.1

iNS2192.168.88.1

iPRI192.168.1.1

GWNS192.168.0.1 (int)1.2.3.4 (ext)

eNS12.3.4.5

eNS23.4.5.6

ePRI192.168.1.2 (int)1.2.3.5 (pub)


BIND-8 Split DNS configs• iNS1 & iNS2 • GWNS

acl “iPRI” { 192.168.1.1; };acl “GWNS” { 192.168.0.1; };

options {forwarders { GWNS;

};forward only;recursion yes;};

zone “example.com” {type slave;masters {

iPRI;};

};

acl “INTERNAL” {192.168.0.0/16; };acl “PRIVINTF” { 192.168.0.1; };ccl “PUBINTF” { 1.2.3.4; };

options {allow-query {INTERNAL; };recursion yes;listen-on { PRIVINTF; };query-source address PUBINTF

port *;};


BIND-8 Split DNS configs• iPRI • clients

acl “iNSes” { 192.168.10.1; 192.168.88.1;};

options {recursion no;allow-transfer { iNSes; };allow-query { iNSes; };};

Zone “example.com” {type master;filename

“/private/example.db”;};

/etc/resolv.conf:nameserver 192.168.10.1nameserver 192.168.88.1


BIND-8 Split DNS configs• eNS1 & eNS2 • ePRI

acl “ePRI” { 1.2.3.5; };

options {recursion no;allow-query { any; };allow-transfer { none; };};

Zone “example.com” {type slave;file “sec/example.db”;masters {

ePRI;};

};

acl “eNSes” { 2.3.4.5; 3.4.5.6; };

options {allow-transfer {eNSes; };recursion no;allow-query { eNSes; };};

Zone “example.com” {type master; file “/public/example.db”;};


SPLIT DNS with BIND-9

NS11.2.3.4192.168.10.1

NS22.3.4.5192.168.10.2

iPRI192.168.1.2

ePRI192.168.1.1

zonetransferof internalzones

zonetransferof externalzones

Query for ‘example.com’Reply with internal data

Query for ‘example.com’

Reply with external data


BIND-9 Split DNS config• NS1 and NS2acl “iPRI” { 192.168.1.2; };acl “ePRI” { 192.168.1.1; };

options {recursion no;allow-query { any; };allow-transfer { none; };};

view “internal” { match-clients {

192.168.0.0/16; };options { recursion yes; };zone “example.com” {

type slave;file “int/example.db”;masters { iPRI; };};

};

view “external” {match-clients {

! 192.168.0.0/16; };options { recursion no; };zone “example.com” {

type slave;file “ext/example.com”;masters { ePRI; };};

};


BIND-9 Split DNS configs• iPRI & ePRI

acl “NSes” { 192.168.10.1; 192.168.10.2; };

options {recursion no;allow-query { none; };allow-transfer { none; };notify yes;};

zone “example.com” {type slave;file “example.db”;allow-query { NSes };allow-transfer { NSes; };};

• The only difference between iPRI and ePRI is the contents of the zonefile for ‘example.com’ (and of course their IP address).

• iPRI and ePRI could run on the same machine, if 2 instances of named are used, each with its own IP address !


Alternative SPLIT DNS w/ BIND-9PRI1.2.3.4192.168.10.2

iSEC1.2.3.5

192.168.1.2

eSEC13.4.5.6

zonetransferof internalzones zonetransfer

of externalzones

Query for ‘example.com’Reply with internal

data

Query for ‘example.com’

Reply with external dataeSEC2

2.3.4.5

Fwd queries for External domains


Alternative split DNS w/ BIND-9• PRI

acl “internal” { 192.168.0.0/16; };acl “iSEC” { 192.168.1.2; }; acl “eSECs” { 2.3.4.5; 3.4.5.6; };

options {recursion yes;forwarders { eSECs; };};

view “internal” { match-clients { internal; }; zone “example.com” { type master; file “int/example.db”; allow-transfer { iSEC; }; allow-query { internal; }; }; };

view “external” { match-clients { eSECs; }; zone “example.com” { file master; file”ext/example.db”; allow-transfer { eSECs; }; allow-query { eSECs; }; }; };


Alternative split DNS w/ BIND-9• iSEC

acl “internal” { 192.168.0.0/16; };acl “PRI” { 192.168.10.2; }; acl “eSECs” { 2.3.4.5; 3.4.5.6; };

options {recursion yes;forwarders { eSECs; };};

view “internal” { match-clients { internal; }; zone “example.com” { type slave; masters { PRI; }; file “int/example.db”; }; };

• eSEC1 & eSEC2acl “PRI” { 1.2.3.4; }; acl “internal” { 1.2.3.4;

1.2.3.5; };options { recursion no; };

view “external” { match-clients { ! internal; }; zone “example.com” { type slave; masters { PRI; }; file “sec/example.db”; }; };

view “internal” { match-clients { internal; }; options { recursion yes; }; };


Split DNS with BIND-9

• If both primary and secondary server are to be the same for an internal and an external view, additional IP addresses are required (because there is no way to distinguish which view is meant in a serial# query or zonetransfer).


PRIMARY1.2.3.4

This will NOT Work !

Reason: with BOTH servers using only 1 IP address each, there is no way to distinguish requests for the internal view from those for the external view (SOA query and zonetransfer request)Workaround: Secondary with 2 IP addresses (transfer-source) or two primaries (2 instances of BIND on the same server?)

Zonetransfer of external view

Zonetransfer of internal view

The same primary and secondary for different views of the same zone:

SECONDARY4.3.2.1


Alternatives to BIND-9

• For those who can or don’t want to use BIND-9 yet (available from www.isc.org ):• BIND-8.2.2-p5• BIND-8.2.3 (to be released Real-Soon-Now)

• All prior versions of BIND have security problems !


References, Further Reading etc

• The BIND-9 Administrators Reference Manual• http://www.nominum.com/resources/Bv9ARM-091200.pdf

• BIND-8 to BIND-9 Migration Notes• /usr/src/bind-9.0.0/doc/misc/migration

• Implementation status of BIND-9 options• /usr/src/bind-9.0.0/doc/misc/options

bind-8 to bind-9 migration a short tutorial apnic meeting, brisbane, october 2000 mathias körber...

Documents

bind versions bind

new logging categories

c copyright

db bind

legacy bind

logging configuration

configuration slide

default logging