Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
The new APNIC DNS generation system. Previous System Direct access to backend whois.db files – Constructed radix tree in memory from domain objects –
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.
Presented by Neeta Jain CISC 856 TCP/IP and Upper Layer Protocols RFC 1034 & RFC 1035.
Module 12: Domain Name System (DNS)
Module 3 DNS Types.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
DNS and Active Directory Integration
Tony Kombol ITIS Who knows this? Who controls this? DNS!
NAME SERVICES. Names and addresses File names /etc/passwd URLS Internet domain names—dcs.qmw.ac.uk Identifiers- ROR, NFS.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.
IIT Indore © Neminath Hubballi
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
Geoff Huston APNIC Labs
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
Chapter 17 Domain Name System
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Zone Properties. Zone Properties Continued Aging allows zone to remove “stale” or “old” records for clients who have not updated within a certain period.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
Domain Names Implementation and specification 陳怡良 RFC #1035.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
DNS Dynamic Update Performance Study The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,
1 Kyung Hee University Chapter 18 Domain Name System.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
Configuring and Troubleshooting Domain Name System
Configuring Name Resolution and Additional Services Lesson 12.
1 Domain Name System (DNS). 2 3 How DNS Works Application Transport Internet Network Application Transport Internet Network DNS Resolver Name Server.
1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
RIPE 43, September 2002, Ρόδος. nsd a Name Service Daemon Alexis Yushin, Daniel Karrenberg, Olaf Kolkman,
Linux Operations and Administration
What if Everyone Did It? Geoff Huston APNIC Labs.
Web Server Administration Chapter 4 Name Resolution.
1 CMPT 471 Networking II DNS © Janice Regan,
2/26/2003 Lecture 4 Computer System Administration Lecture 4 Networking Startup/DNS.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.
WHAT IS DNS??????????.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley Setting up an Authoritative Name Server.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Session 3: Configuration of Authoritative Nameservice Joe Abley AfNOG 2013, Lusaka, Zambia.
BIND 10 DNS Project Status + DNS Resolver Status/Plans Shane Kerr 23 January 2013.
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved
Networking Applications
DNS zones and resource records
IMPLEMENTING NAME RESOLUTION USING DNS
Configuring and Troubleshooting DNS
nsd a Name Service Daemon
Managing Name Resolution
Presentation transcript:

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Primary Design goals  “drop-in” replacement for BIND and NSD  Standards (RFC) compliant  Performance (queries ~ TLD level)  Authoritative  DNSSEC support  AXFR/IXFR support (master and slave)  (BIND) zone files as storage Secondary goals  Dynamic update API (update content of zones on the fly)  Dynamic provisioning (add/remove zones on the fly)  “higher level storage” backend (sql db,...)  Recursive caching resolver? A new DNS implementation

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Authoritative Load/parse zone files (BIND style files)  Include, /  Resource record types  SPF, SRV, NAPTR  SOA, A, AAAA, NS, CNAME, PTR, HINFO, MX, TXT  DNSKEY, DS, RRSIG, NSEC, NSEC3, NSECPARAM Zone transfer  Master & Slave, AXFR / IXFR  Notify, TSIG Nsupdate (add, remove RR) DNSSEC  RSASHA1(5,7)  Online re-signing Current Status - Features

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 YADIFA 1.0 RC2 packages available on yadifa.eu Current Status – 1.0 RC2 x86 64bit  CentOS 5  CentOS 6  Debian 6  Ubuntu  FreeBSD  OSX Lion x86 32bit  CentOS 5  CentOS 6  Debian 6 x86 64bit  CentOS 5  CentOS 6  Debian 6  Ubuntu  FreeBSD  OSX Lion x86 32bit  CentOS 5  CentOS 6  Debian 6

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 “Near Future” (coming months)  DSA/SHA1, DSA-NSEC3-SHA1, RSASHA256, RSASHA512  Full client to “control” the name server daemon (1.0 does stop and reload)  Dynamic zone management (add/remove zones on the fly ) “Not so Near Future”  Caching resolver  Validating  Sql backend API End June 2012  BSD open source Coming up

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012.com zone file (198 million lines) zones (7 RR) Load times comparison PrepareLoadReady BIND m40s NSD m58s12m03s40m01s YADIFA 0.88m26s PrepareLoadReady BIND s NSD s2s10s YADIFA 0.84s (Dual Xeon 2.1Ghz, 48Gb, Linux Debian) EURid Feb. 2012

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Adding and removing zones  Without interrupting “production”  Centrally managed Extension of RFC 2136 “Dynamic Updates in the Domain Name System (DNS UPDATE)”  Extend existing channel to “master”  (Re)use existing channel between “master” and “slave” Dynamic Provisioning

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Dynamic Provisioning Name server 1 Name server 2 Name server 3 All name servers are configured with a minimal set of access control rules 1. Dyn. Upd. message : {abc.eu} -Master : NS1 -Slave : NS Dyn. Upd. message : {abc.eu} -Master : NS1 -Slave : NS Notify : {abc.eu} 2. Notify : {abc.eu} 3. AXFR/IXFR: {abc.eu} -Master(NS1) AXFR/IXFR: {abc.eu} -Master(NS1) Dyn. Upd. message : {abc.eu} -Master : NS1 -Slave : NS2 + NS Dyn. Upd. message : {abc.eu} -Master : NS1 -Slave : NS2 + NS

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Dynamic Update Message Dynamic Provisioning | Header | | Zone | | Prerequisite | | Update | | Additional Data |

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Zone Section Dynamic Provisioning | / ZNAME / / | ZTYPE | | ZCLASS | abc.eu SOA 0x2a

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Prerequisite Section  When adding -> should not exist  When removing -> should exist ... Dynamic Provisioning

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Update Section Dynamic Provisioning | / NAME / | | TYPE | | CLASS | | TTL | | | RDLENGTH | | / RDATA / abc.eu zonetype, zonefile, zonenotify, master, dnssec,... 0x2a

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Update Section Dynamic Provisioning TYPERDATA zonetypeMaster | Slave zonefileZone file full name zonenotifyIP address, TSIG masterIP address, TSIG

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 “Activate” new configuration “Query like” message  NAME : abc.eu  CLASS : 0x2a  TYPE : freeze | unfreeze | merge | save Check status  NAME :  CLASS : 0x2a  TYPE : Dynamic Provisioning

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 One slide to say it all..... yadifa.eu. NS ns.yadifa.eu. NS yadifa.eurid.eu. yadifa.eu DNS is served by YADIFA! yadifa.eu. NS ns.yadifa.eu. NS yadifa.eurid.eu. yadifa.eu DNS is served by YADIFA! URL : Mailinglists :yadifa-announce, yadifa-users URL : Mailinglists :yadifa-announce, yadifa-users YADIFA 1.0 RC binaries available now  CentOS (32&64bit)  Debian (32&64bit)  freeBSD (64bit)  osX(Lion) (64bit) YADIFA 1.0 RC binaries available now  CentOS (32&64bit)  Debian (32&64bit)  freeBSD (64bit)  osX(Lion) (64bit) YADIFA 1.2  BSD open source license  June 2012 YADIFA 1.2  BSD open source license  June 2012 LET US KNOW WHAT Y::O::U THINK, PLEASE GET IN T::O:U:C:H

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.