
BIND-8 to BIND-9 Migration
A short tutorial
APNIC Meeting, Brisbane, October 2000
Mathias Körber, Nominum, Inc.
© Copyright 2000 Nominum, Inc.

Slide 2: BIND versions
- BIND-4.*: legacy BIND, limited features, security issues
- BIND-8.*: new, flexible config syntax; many new features (NOTIFY, selective forwarding etc.)
- BIND-9: total rewrite to prepare for future extensions and new features. Not all features are implemented as yet

Slide 3: New in BIND-9
- Full IPv6 support
- DNSSEC
- EDNS0
- Views
- Zone transfer built in
- Lightweight resolver daemon (lwresd)

Slide 4: Features obsoleted in BIND-9
- named-xfer-path (no more separate named-xfer executable)
- deallocate-on-exit (is on by default now)
- fake-iquery (always disabled)
- has-old-clients
- multiple-cnames (always disabled!)
- use-id-pool (always on)
- treat-cr-as-space
- maintain-ixfr-base
- controls { unix ... }
- support-ixfr
- ixfr-base
- allow-update

Slide 5: Who should NOT migrate to BIND-9 (yet)
Those who rely on currently unimplemented features:
- statistics
- dialup
- per-zone forwarding
- rfc2308-type1
- check-names
- blackholing
- $GENERATE
- lame-TTL
- serial-queries
- resource-usage modifiers (*size etc.)
- topology
- RRset ordering

Slide 6: Who would want to migrate to BIND-9
- Early adopters :-)
- Those who would like Split-DNS to be easier

Slide 7: Basic migration issues
- Handling of config file errors
- Handling of logging
- New logging categories
- ACLs case sensitive
- Default TTL handling
- Periods in serial numbers no longer allowed
- Unbalanced quotes
- RRs across line breaks
- Unrestricted character set
- 'ndc' replaced by 'rndc', which requires configuration

Slide 8: Handling of config file errors
- BIND-8 would continue after config file errors, resulting in a partial configuration (zones load up to the error position).
- BIND-9 will not start if any error is detected in the named.conf file.

Slide 9: Handling of the logging statement
- BIND-8's logging statement became effective right after it was read, i.e. configuration errors could be sent to a specific logging channel if logging was specified at the beginning of named.conf.
- BIND-9's logging statement becomes active only after the complete named.conf file has been read and BIND starts. Any configuration errors go to the default logging, usually syslog or STDERR.
Migration issues:
- Look for configuration errors in syslog or on STDERR
- Amend any automated log-checkers

Slide 10: New logging categories
BIND-8: default, config, parser, queries, lame-servers, statistics, panic, update, ncache, xfer-in, xfer-out, db, eventlib, packet, notify, cname, security, os, insist, maintenance, load, response-checks
BIND-9: default, general, database, security, config, resolver, xfer-in, xfer-out, notify, client, network, update

Slide 11: New logging categories
Migration action: users who customized their logging will have to adapt their logging configuration to BIND-9's new categories!
Potential problems if not done: configuration file errors -> BIND-9 will not start.

Slide 12: ACL names are case sensitive
- BIND-8's ACL names were case insensitive
- BIND-9's ACL names are case sensitive
Migration action: adapt all ACL references in your named.conf file to the proper case.
Potential problems if not done: configuration file error due to unrecognized ACL names -> BIND will not start.
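A pre-flight check that covers slides 4, 12 and 18 together, written here as an added example (it is not Nominum's or ISC's code and BIND itself ships no such script). It reads a BIND-8 named.conf, reports the option names slide 4 lists as obsolete (allow-update is left out, since BIND-9 still accepts it inside zone statements), a deprecated controls { unix ... } statement, and any ACL reference whose case differs from its acl definition or that is never defined. The sample configuration at the bottom is constructed for the example; the addresses in it are documentation ranges, not anyone's real network.

```python
"""Pre-flight checks for a BIND-8 named.conf before it is moved to BIND-9.

Constructed example, not Nominum's or ISC's code. Findings are
(kind, detail) tuples; an empty list means nothing was spotted.
"""
import re

# Option names the "Features obsoleted in BIND-9" slide lists.
OBSOLETE_OPTIONS = sorted({
    "named-xfer-path", "deallocate-on-exit", "fake-iquery", "has-old-clients",
    "multiple-cnames", "use-id-pool", "treat-cr-as-space", "maintain-ixfr-base",
    "support-ixfr", "ixfr-base",
})
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

ACL_DEF = re.compile(r'(?<![\w-])acl\s+"?([\w-]+)"?\s*\{')
# Statements whose body is an address-match list that may name an ACL.
ADDR_LIST = re.compile(
    r'(?<![\w-])(allow-query|allow-transfer|allow-recursion|allow-update|'
    r'match-clients|match-destinations|blackhole)\s*\{([^{}]*)\}')
CONTROLS_UNIX = re.compile(r'(?<![\w-])controls\s*\{\s*unix\b')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def check_named_conf(text):
    """Return (kind, detail) findings for one named.conf text."""
    text = strip_comments(text)
    findings = []
    for opt in OBSOLETE_OPTIONS:
        # Bracket with lookarounds so 'ixfr-base' does not match inside 'maintain-ixfr-base'.
        if re.search(r'(?<![\w-])' + re.escape(opt) + r'(?![\w-])', text):
            findings.append(("obsolete-option", opt))
    if CONTROLS_UNIX.search(text):
        findings.append(("deprecated-controls", "unix socket"))
    defined = set(ACL_DEF.findall(text))
    by_lower = {name.lower(): name for name in defined}   # BIND-8 matched this way
    for _stmt, body in ADDR_LIST.findall(text):
        for item in body.split(";"):
            item = item.strip().lstrip("!").strip().strip('"')
            if not item or item.startswith("key "):
                continue
            if item[0].isdigit() or ":" in item or "/" in item:
                continue                                    # an address or prefix
            if item in BUILTIN_ACLS or item in defined:
                continue                                    # resolves as-is in BIND-9
            if item.lower() in by_lower:
                findings.append(("acl-case-mismatch", f"{item} -> {by_lower[item.lower()]}"))
            else:
                findings.append(("unknown-acl", item))
    return findings


# Constructed sample: a BIND-8 style configuration with the typical carry-overs.
SAMPLE_CONF = """\
acl "internal" { 10.1.0.0/16; 2001:db8::/32; };
options {
    fake-iquery yes;            // dropped in BIND-9
    allow-query { Internal; };  // defined as "internal" above
    allow-transfer { none; };
};
controls { unix "/var/run/ndc" perm 0600 owner 0 group 0; };
zone "example.com" {
    type master;
    file "example.db";
    allow-transfer { Secondaries; !internal; };
};
"""

if __name__ == "__main__":
    for kind, detail in check_named_conf(SAMPLE_CONF):
        print(f"{kind}: {detail}")
```

Run it against the real named.conf before the first BIND-9 start: every finding is something BIND-9 would either reject outright (the unknown or mis-cased ACL, the obsolete option) or quietly stop honouring (the UNIX control socket), and slide 8 means a single rejected line keeps the whole server from starting.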

Slide 13: Default TTL handling has changed
- BIND-8 used the SOA minimum field if no $TTL was found and the first RR had no explicit TTL ("Minimum field used!").
- BIND-9 requires either a $TTL (preferred!) or a TTL on the first RR. Otherwise the zone will not load ("ERROR").
Zone file fragment shown on the slide (the SOA fields were not preserved in the transcript):

    $TTL 3600
        IN SOA primary admin ( )

Slide 14: Periods in SOA serial numbers
- Some old BIND versions allowed periods in SOA serial numbers (e.g. 3.002)
- Special, highly obscure calculations were involved: the primary converts the value to an integer when the zone is loaded
- Not widely used, usually recommended against
- BIND-9: serial numbers are restricted to integers only
Migration issue:
- Secondaries: none (the calculation will have been performed on the primary)
- Primaries: change the zonefiles!

Slide 15: Unbalanced quotes
- Some versions of BIND did not complain about unbalanced quotes: missing closing quotes were added at end of line
- BIND-9: very strict about quoting, will continue reading the string until the next quote
Migration issue: potentially, old errors may surface and affect zone loading. Clean up zonefiles!

Slide 16: RRs across line breaks
Some versions of BIND allow the opening parenthesis on the second line of a multi-line resource record:

        IN SOA primary admin
        ( )

BIND-9 requires the opening parenthesis on the first line:

        IN SOA primary admin (
        )

Slide 17: Unrestricted character set
- Older BIND versions attempted to protect applications from security breaches by discarding data containing 'inappropriate' characters. See: CA
- BIND-9 is 8-bit-clean in accordance with RFC2181. BIND-9 will not discard data to protect vulnerable applications.
Migration issues:
- Replace vulnerable applications
- Hostnames should follow RFC952 rules!
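The zone-file problems on slides 13 to 17 are all things a short linter can catch before BIND-9 refuses the zone, and slide 17 adds the opposite concern: names that BIND-8 would have silently dropped now load, so owner names outside the RFC952 character set are worth a warning too. The following is an added example, not Nominum's or ISC's code; the two zone texts at the bottom are constructed, and the check names (no-default-ttl, serial-period, unbalanced-quotes, paren-on-continuation, non-hostname-chars) are this example's own labels. It deliberately does not reproduce BIND-8's dotted-serial arithmetic, which the slide only calls "highly obscure"; it just flags the serial for the operator to rewrite.

```python
"""Lint a BIND-8 era zone file for what BIND-9 rejects (constructed example)."""
import re

SERIAL_WITH_PERIOD = re.compile(r'\d+\.\d+')
TTL_TOKEN = re.compile(r'\d+[smhdw]?', re.I)
# Owner names: RFC952 letters, digits, hyphen, plus zone-file punctuation (. @ * _).
OWNER_OK = re.compile(r'[A-Za-z0-9.@*_-]+')


def tokenize(line):
    """Split a zone-file line into tokens, honouring "..." and ';' comments.
    Returns (tokens, quotes_balanced); parentheses become their own tokens."""
    tokens, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(line):  # keep escaped chars intact
                cur += line[i:i + 2]
                i += 2
                continue
            cur += ch
            if ch == '"':
                in_quote, cur = False, (tokens.append(cur) or "")
        elif ch == '"':
            if cur:
                tokens.append(cur)
            cur, in_quote = ch, True
        elif ch == ";":                            # comment: rest of line ignored
            break
        elif ch in "()" or ch.isspace():
            if cur:
                tokens.append(cur)
            cur = ""
            if ch in "()":
                tokens.append(ch)
        else:
            cur += ch
        i += 1
    if cur:
        tokens.append(cur)
    return tokens, not in_quote


def lint_zone(text):
    """Return (kind, detail) findings for one zone file's text."""
    findings, depth, have_ttl, first_rr_checked, soa_fields = [], 0, False, False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens, balanced = tokenize(raw)
        if not balanced:
            findings.append(("unbalanced-quotes", lineno))
        if not tokens:
            continue
        if depth == 0 and raw[0].isspace() and tokens[0] == "(":
            findings.append(("paren-on-continuation", lineno))
        if depth == 0 and tokens[0].startswith("$"):
            have_ttl = have_ttl or tokens[0].upper() == "$TTL"
            continue
        if depth == 0 and not raw[0].isspace() and not OWNER_OK.fullmatch(tokens[0]):
            findings.append(("non-hostname-chars", tokens[0]))
        if depth == 0 and not first_rr_checked:
            first_rr_checked = True
            fields = tokens if raw[0].isspace() else tokens[1:]   # drop the owner
            if not have_ttl and not any(TTL_TOKEN.fullmatch(t) for t in fields[:2]):
                findings.append(("no-default-ttl", lineno))
        for tok in tokens:
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth = max(depth - 1, 0)
            elif soa_fields is not None:
                soa_fields.append(tok)
                if len(soa_fields) == 3:               # mname, rname, serial
                    if SERIAL_WITH_PERIOD.fullmatch(tok):
                        findings.append(("serial-period", tok))
                    soa_fields = None
            elif tok.upper() == "SOA":
                soa_fields = []
    return findings


# Constructed samples: one clean zone and one carrying every BIND-8 habit above.
GOOD_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.com. admin.example.com. (
        2000101201 ; serial
        3600 900 604800 3600 )
    IN NS ns1.example.com.
ns1 IN A  192.0.2.1
"""
BAD_ZONE = """\
@   IN SOA ns1.example.com. admin.example.com.
    ( 3.002 3600 900 604800 3600 )   ; serial with a period
    IN NS ns1.example.com.
txt IN TXT "unterminated
über IN A 192.0.2.9
"""

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, lint_zone(zone))
```

Because BIND-9 reads a quoted string until the next quote mark, the unbalanced-quotes finding is the one to fix first: the missing quote on one line changes how every following line is tokenized, so the other findings on a file with that problem may shift once it is corrected.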

Slide 18: rndc(1) instead of ndc(1)
- rndc allows management of several remote nameservers
- Authentication via TSIG keys
- Requires configuration
Migration issues:
- Must use the controls statement in named.conf. Note: UNIX sockets deprecated!
- Must set up rndc.conf

Slide 19: Lightweight resolver library & lwresd daemon
BIND-8:
- Stub resolver compiled into all applications (-lresolv or -lbind)
- Problem: IPv6 introduced additional complexity best handled at the resolver end, which the old resolver cannot handle
BIND-9:
- New lightweight resolver library
- Uses a new resolver daemon (separate process on the same system): 'lwresd'

Slide 20: lwresd
- Acts like a caching nameserver on the local system
- Requires minimal or no configuration
- Uses the servers listed in the nameserver entries in /etc/resolv.conf as forwarders
- Able to handle new IPv6 requirements: following A6 chains and DNAME records, simultaneous lookup of IPv4 and IPv6 addresses
- Simple UDP protocol between the new lightweight resolver library and lwresd. NOT DNS!

Slide 21: IXFR changes
BIND-8:
- support-ixfr, maintain-ixfr-base: obsolete in BIND-9
- max-ixfr-log-size: currently not implemented
- ixfr-base: ignored in BIND-9
BIND-9:
- request-ixfr
- provide-ixfr
- The IXFR journal file is always zonename.jnl

Slide 22: Example: BIND-8 Split DNS
(Diagram. Labels: clients, inside / outside; iNS (int), iPRI, GWNS (int/ext), eNS, ePRI (pub); "zonetransfer of internal zones"; "reply for internal zones"; "zonetransfer of external zones"; "fwd all queries for non-local zones".)

Slide 23: BIND-8 Split DNS configs
(The IP addresses inside the acl statements were not preserved in the transcript.)

iNS1 & iNS2:

    acl "iPRI" { ; };
    acl "GWNS" { ; };
    options {
        forwarders { GWNS; };
        forward only;
        recursion yes;
    };
    zone "example.com" {
        type slave;
        masters { iPRI; };
    };

GWNS:

    acl "INTERNAL" { /16; };
    acl "PRIVINTF" { ; };
    acl "PUBINTF" { ; };
    options {
        allow-query { INTERNAL; };
        recursion yes;
        listen-on { PRIVINTF; };
        query-source address PUBINTF port *;
    };

Slide 24: BIND-8 Split DNS configs
(The IP addresses inside the acl statements and the resolv.conf were not preserved in the transcript.)

iPRI:

    acl "iNSes" { ; ; };
    options {
        recursion no;
        allow-transfer { iNSes; };
        allow-query { iNSes; };
    };
    zone "example.com" {
        type master;
        file "/private/example.db";
    };

Clients, /etc/resolv.conf:

    nameserver
    nameserver

Slide 25: BIND-8 Split DNS configs
(The IP addresses inside the acl statements were not preserved in the transcript.)

eNS1 & eNS2:

    acl "ePRI" { ; };
    options {
        recursion no;
        allow-query { any; };
        allow-transfer { none; };
    };
    zone "example.com" {
        type slave;
        file "sec/example.db";
        masters { ePRI; };
    };

ePRI:

    acl "eNSes" { ; ; };
    options {
        allow-transfer { eNSes; };
        recursion no;
        allow-query { eNSes; };
    };
    zone "example.com" {
        type master;
        file "/public/example.db";
    };

Slide 26: Split DNS with BIND-9
(Diagram. Labels: NS, NS, iPRI, ePRI; "zonetransfer of internal zones"; "zonetransfer of external zones"; "Query for 'example.com'" / "Reply with internal data"; "Query for 'example.com'" / "Reply with external data".)

Slide 27: BIND-9 Split DNS config
(The IP addresses inside the acl and match-clients statements were not preserved in the transcript. Note that a view takes its options directly; there is no nested options block inside a view.)

NS1 and NS2:

    acl "iPRI" { ; };
    acl "ePRI" { ; };
    options {
        recursion no;
        allow-query { any; };
        allow-transfer { none; };
    };
    view "internal" {
        match-clients { /16; };
        recursion yes;
        zone "example.com" {
            type slave;
            file "int/example.db";
            masters { iPRI; };
        };
    };
    view "external" {
        match-clients { ! /16; };
        recursion no;
        zone "example.com" {
            type slave;
            file "ext/example.com";
            masters { ePRI; };
        };
    };

Slide 28: BIND-9 Split DNS configs
(The IP addresses inside the acl statement were not preserved in the transcript.)

iPRI & ePRI:

    acl "NSes" { ; ; };
    options {
        recursion no;
        allow-query { none; };
        allow-transfer { none; };
        notify yes;
    };
    zone "example.com" {
        type master;
        file "example.db";
        allow-query { NSes; };
        allow-transfer { NSes; };
    };

The only difference between iPRI and ePRI is the contents of the zonefile for 'example.com' (and of course their IP address). iPRI and ePRI could run on the same machine if 2 instances of named are used, each with its own IP address!

Slide 29: Alternative Split DNS with BIND-9
(Diagram. Labels: PRI, iSEC, eSEC, eSEC; "zonetransfer of internal zones"; "zonetransfer of external zones"; "Query for 'example.com'" / "Reply with internal data"; "Query for 'example.com'" / "Reply with external data"; "Fwd queries for external domains".)

Slide 30: Alternative split DNS with BIND-9
(The IP addresses inside the acl statements were not preserved in the transcript.)

PRI:

    acl "internal" { /16; };
    acl "iSEC" { ; };
    acl "eSECs" { ; ; };
    options {
        recursion yes;
        forwarders { eSECs; };
    };
    view "internal" {
        match-clients { internal; };
        zone "example.com" {
            type master;
            file "int/example.db";
            allow-transfer { iSEC; };
            allow-query { internal; };
        };
    };
    view "external" {
        match-clients { eSECs; };
        zone "example.com" {
            type master;
            file "ext/example.db";
            allow-transfer { eSECs; };
            allow-query { eSECs; };
        };
    };

Slide 31: Alternative split DNS with BIND-9
(The IP addresses inside the acl statements were not preserved in the transcript.)

iSEC:

    acl "internal" { /16; };
    acl "PRI" { ; };
    acl "eSECs" { ; ; };
    options {
        recursion yes;
        forwarders { eSECs; };
    };
    view "internal" {
        match-clients { internal; };
        zone "example.com" {
            type slave;
            masters { PRI; };
            file "int/example.db";
        };
    };

eSEC1 & eSEC2:

    acl "PRI" { ; };
    acl "internal" { ; ; };
    options {
        recursion no;
    };
    view "external" {
        match-clients { ! internal; };
        zone "example.com" {
            type slave;
            masters { PRI; };
            file "sec/example.db";
        };
    };
    view "internal" {
        match-clients { internal; };
        recursion yes;
    };

Slide 32: Split DNS with BIND-9
If both primary and secondary server are to be the same for an internal and an external view, additional IP addresses are required (because there is no way to distinguish which view is meant in a serial-number query or zone transfer).

Slide 33: The same primary and secondary for different views of the same zone
This will NOT work!
(Diagram: PRIMARY and SECONDARY, "zonetransfer of external view", "zonetransfer of internal view".)
- Reason: with BOTH servers using only 1 IP address each, there is no way to distinguish requests for the internal view from those for the external view (SOA query and zonetransfer request).
- Workaround: secondary with 2 IP addresses (transfer-source), or two primaries (2 instances of BIND on the same server?).

Slide 34: Alternatives to BIND-9
For those who cannot or don't want to use BIND-9 yet (available from ):
- BIND p5
- BIND (to be released Real-Soon-Now)
All prior versions of BIND have security problems!

Slide 35: References, further reading etc.
- The BIND-9 Administrators Reference Manual
- BIND-8 to BIND-9 Migration Notes: /usr/src/bind-9.0.0/doc/misc/migration
- Implementation status of BIND-9 options: /usr/src/bind-9.0.0/doc/misc/options