DNS & X.500.

Presentation transcript:

DNS & X.500

Overview
- The Domain Name System (DNS)
  - Domain Name Space
  - DNS Name Servers
  - Name resolution algorithm
  - Caching: The Key to Efficiency
  - Domain Server Message Format
  - Resource Records
  - Example
- X.500 Directory Service

DNS
The Domain Name System (DNS)
- A name service design whose principal naming database is used across the Internet
- The original Internet naming scheme:
  - All host names and addresses were held in a single central master file
  - Downloaded by FTP to all computers that required them
- The major shortcomings of the original scheme:
  - It does not scale to large numbers of computers
  - Local organizations wish to administer their own naming system
  - A general name service is needed, not one that only serves for looking up computer addresses
- To map a name onto an IP address, an application program calls a library procedure called the resolver, passing it the name as a parameter
- The resolver sends a UDP packet to a local DNS server, which looks up the name and returns the IP address to the resolver, which then returns it to the caller

DNS (Cont.)
- The Domain Name Space has a tree structure
- The Internet is divided into several hundred top-level domains
- Each domain is partitioned into subdomains, and these are further partitioned, and so on
- The Internet DNS name space is partitioned both organizationally and according to geography:
  - com, edu, gov, mil, net, org, int, ...
  - us, uk, fr, kr, ...
- Domains can be inserted into the tree in two different ways
- Each domain is named by the path upward from it to the root
- Each domain controls how it allocates the domains under it
- To create a new domain, permission is required of the domain in which it will be included
- Domain names are completely independent of their location

DNS (Cont.)
Figure: a portion of the Internet domain name space.

DNS (Cont.)
Name Servers
- A name server is a server program that supplies name-to-address translation, mapping from domain names to IP addresses
- A large organization is highly unlikely to store all of its naming information on a single server: such a server would be a bottleneck and a critical point of failure
- Rather than each name server maintaining the entire directory, the database is divided up into sections called zones
- The essential task of a name server is to answer queries using data in its zones
- The name server marks its responses to queries so that the requester can tell whether the response comes from authoritative data or not
- An authoritative record is one that comes from the authority that manages the record, and is thus always correct (complete information)

DNS (Cont.)
Figure: DNS name servers and the zones they are authoritative for. The root, ac.uk, qmw.ac.uk, dcs.qmw.ac.uk, doc.ic.ac.uk and purdue.edu zones are served by ns1.cs.ucl.ac.uk, ns.nasa.gov, alpha.qmw.ac.uk, magician.dcs.qmw.ac.uk, dns-0.doc.ic.ac.uk and ns.purdue.edu, each answering for names such as *.qmw.ac.uk, *.dcs.qmw.ac.uk, *.doc.ic.ac.uk and *.purdue.edu.

DNS (Cont.)
Name resolution algorithm
- There are two ways: contacting name servers one at a time (non-recursive, iterative), or asking the name server system to perform the complete translation (recursive)
- Conceptually, domain name resolution proceeds top-down, starting with the root name server and proceeding to servers located at the leaves of the tree
- The client software forms a domain name query and sends it to a name server for resolution
- When a domain server receives a query, it checks to see if the name lies in the subdomain for which it is an authority
  - If so, it translates the name to an address according to its database, and appends an answer to the query before sending it back to the client
  - If not, and the client requested complete translation, the server contacts a domain name server that can resolve the name and returns the answer to the client
  - If not, and the client requested non-recursive resolution, the name server cannot supply an answer itself: it generates a reply that specifies the name server the client should contact next to resolve the name

DNS (Cont.)
Figure: three navigation styles between a user agent UA and name servers NS1, NS2 and NS3: iterative navigation (steps 1–3), non-recursive navigation (steps 1–4) and recursive navigation (steps 1–5).

DNS (Cont.)
Efficient Translation
- Always starting resolution at the top of the hierarchy would be inefficient, for three reasons:
  - Most name resolution refers to local names, those found within the same subdivision of the namespace as the machine from which the request originates
  - If each name resolution always started by contacting the topmost level of the hierarchy, the machine at that point would become overloaded
  - Failure of machines at the topmost levels of the hierarchy would prevent name resolution, even if the local authority could resolve the name
- In the two-step name resolution process, resolution begins with the local name server
- If the local server cannot resolve a name, the query must then be sent to another server in the domain system

DNS (Cont.)
Caching: The Key to Efficiency
- To improve the overall performance of a name server system, it is necessary to lower the cost of lookups for nonlocal names
- Internet name servers use name caching to optimize search costs
- Each server maintains a cache of recently used names, as well as a record of where the mapping information for each name was obtained (marking it as nonauthoritative)
- To keep the cache correct, servers time each entry and dispose of entries that exceed a reasonable time
- Servers do not apply a single fixed timeout to all entries, but allow the authority for an entry to configure its timeout
- Whenever an authority responds to a request, it includes a Time To Live (TTL) value in the response that specifies how long it guarantees the binding to remain
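As an added example (not part of the presentation), the following Python simulates the resolution algorithm and the caching described in these two slides: a local name server performs the complete translation for its client by navigating the authorities iteratively from the root, following each referral, and keeps the answer in its cache no longer than the TTL the authority returned; answers served from the cache are marked non-authoritative. The server names, zones and addresses are constructed, not real.

```python
import time

# Constructed toy authoritative data modelled on the lecture's figures (not real
# servers): each server answers for its own zone and otherwise refers the
# requester to the server for the next zone down the tree.
SERVERS = {
    "root":           {"delegations": {"edu": "ns.edu", "nl": "ns.nl"}},
    "ns.edu":         {"delegations": {"yale.edu": "ns.yale.edu"}},
    "ns.yale.edu":    {"delegations": {"cs.yale.edu": "ns.cs.yale.edu"}},
    "ns.cs.yale.edu": {"records": {"linda.cs.yale.edu": ("192.0.2.7", 300)}},
    "ns.nl":          {"records": {"flits.cs.vu.nl": ("192.0.2.9", 60)}},
}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def query_server(server, name):
    """One server's reply: ('answer', addr, ttl) from its own data, or a referral."""
    srv = SERVERS[server]
    if name in srv.get("records", {}):
        return ("answer",) + srv["records"][name]
    for zone, ns in srv.get("delegations", {}).items():
        if in_zone(name, zone):
            return ("referral", ns)
    return ("nxdomain",)

class LocalServer:
    """Local name server doing the complete (recursive) translation for its clients
    by navigating the authorities iteratively, with a TTL-bounded cache."""
    def __init__(self, clock=time.time):
        self.cache, self.clock = {}, clock

    def resolve(self, name):
        """Returns (address, authoritative, servers_contacted)."""
        addr, expires = self.cache.get(name, (None, 0))
        if expires > self.clock():                 # unexpired binding: answer from cache,
            return addr, False, []                 # marked non-authoritative
        self.cache.pop(name, None)                 # past its TTL: discard the stale entry
        server, asked = "root", []
        while True:
            asked.append(server)
            reply = query_server(server, name)
            if reply[0] == "answer":
                addr, ttl = reply[1], reply[2]
                self.cache[name] = (addr, self.clock() + ttl)   # keep only as long as the authority allows
                return addr, True, asked
            if reply[0] != "referral":
                return None, True, asked
            server = reply[1]                      # contact the next server named in the referral
```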


DNS (Cont.)
Domain Server Message Format
Standard message format (16-bit fields; bit positions 0–15 and 16–31 per row):

  IDENTIFICATION        | PARAMETER
  NUMBER OF QUESTIONS   | NUMBER OF ANSWERS
  NUMBER OF AUTHORITY   | NUMBER OF ADDITIONAL
  QUESTION SECTION
  ANSWER SECTION
  AUTHORITY SECTION
  ADDITIONAL INFORMATION SECTION

DNS (Cont.)
- IDENTIFICATION: a unique field that the client uses to match responses to its queries
- PARAMETER: a field that specifies the operation requested and a response code
- NUMBER OF QUESTIONS gives the count of entries in the QUESTION SECTION
- QUESTION SECTION contains queries for which answers are desired
- ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION each consist of a set of resource records
- The client fills in only the question section; the server returns the question and answers in its response

DNS (Cont.)
The format of entries in the QUESTION SECTION of a domain name server message (16-bit fields; bit positions 0–15 and 16–31 per row):

  QUERY DOMAIN NAME (variable length)
  QUERY TYPE            | QUERY CLASS

The format of the resource records in messages returned by domain name servers:

  RESOURCE DOMAIN NAME (variable length)
  TYPE                  | CLASS
  TIME TO LIVE (32 bits)
  RESOURCE DATA LENGTH  | RESOURCE DATA (variable length)

DNS (Cont.)
Resource Records
- When a resolver gives a domain name to DNS, what it gets back are the resource records associated with that name
- The RESOURCE DOMAIN NAME field contains the domain name to which this resource record refers
- The TIME TO LIVE field describes how long the record can be cached before it should be discarded
- The CLASS field specifies the data's class. For Internet information, it is always IN
- The TYPE field specifies the type of the data included in the resource record
- The RESOURCE DATA field can be a number, a domain name, or an ASCII string, depending on the record type
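The following Python is added here and is not part of the presentation: it builds a query with the header and QUESTION SECTION layout shown above, then parses a constructed reply (an authoritative A record with a TIME TO LIVE of 3600) back into its question and resource records, refusing any reply whose IDENTIFICATION does not match the outstanding query. The name example.com and the address 192.0.2.1 are constructed sample values.

```python
import struct  # every header field on the slides is a 16-bit big-endian integer
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    # Dotted name -> length-prefixed labels ending in a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(ident, name, qtype=QTYPE_A):
    # Client fills only the QUESTION SECTION; PARAMETER 0x0100 = standard query, recursion desired
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def read_name(msg, off):
    # Decode a name at off, following the 0xC0xx compression pointers servers emit
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_response(msg, expected_id):
    # Reject a reply whose IDENTIFICATION does not match the query we actually sent
    ident, params, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if ident != expected_id:
        raise ValueError("reply does not match the query ID")
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    for _ in range(an + ns + ar):                    # ANSWER, AUTHORITY, ADDITIONAL records
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:          # A record: RESOURCE DATA is a 32-bit address
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rclass, ttl, rdata))
    return {"authoritative": bool(params & 0x0400),  # AA bit of PARAMETER
            "questions": questions, "records": records}

def constructed_response(query):
    # Constructed sample reply (not captured traffic): one authoritative A record, TTL 3600
    ident = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", ident, 0x8580, 1, 1, 0, 0)   # response, AA, RD, RA bits
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer
```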

DNS (Cont.)
The principal DNS resource record types

  Type   | Meaning              | Value
  -------|----------------------|------------------------------------------
  SOA    | Start of Authority   | Parameters for this zone
  A      | IP address of a host | 32-bit integer
  MX     | Mail exchange        | Priority, domain willing to accept email
  NS     | Name Server          | Name of a server for this domain
  CNAME  | Canonical name       | Domain name
  PTR    | Pointer              | Alias for an IP address
  HINFO  | Host description     | CPU and OS in ASCII
  TXT    | Text                 | Uninterpreted ASCII text

DNS (Cont.)
Figure: how a resolver looks up a remote name. The tree shows the top-level domains int, gov, edu, com, mil, nl, net, us, org and jp with sample subdomains (e.g. cs.vu.nl, cs.yale.edu); the originator flits.cs.vu.nl asks the VU CS name server (cs.vu.nl), which forwards the query through Edu-server.net, the Yale name server (yale.edu) and the Yale CS name server (cs.yale.edu), with the answer returning along the same path (steps 1–8).

X.500 Directory Service
- Attribute-based name service: <name, attribute>
- The X.500 directory is under a common root
- The directory is a tree hierarchy of: country, organization, organizational unit, person
- A wide range of attributes are stored at each node in the tree
- Access is not just by name: searching for entries with any required combination of attributes
- DIT (Directory Information Tree): the X.500 name tree
- DIB (Directory Information Base): the entire directory structure, including the data associated with the nodes
- Two of the largest directory service providers are InterNIC and ESnet

X.500 Directory Service (Cont.)
Part of the X.500 Directory Information Tree:

  X.500 Service (root)
    ... France (country)
    Great Britain (country)
      ... BT Plc (organization)
      Cambridge University (organization) ...
        ... Computing Service (organizationalUnit)
        ... Computer Lab (organizationalUnit)
          ... Departmental Staff (organizationalUnit)
            Jon Fairbairn (person)
            Ken Moody (person)
            Karen Sparck-Jones (person) ...
            ... Jean Bacon (person)
          ely (applicationProcess)
          Research Students (organizationalUnit) ...
        Engineering Department (organizationalUnit) ...
    Greece (country) ...

X.500 Directory Service (Cont.)
- DSA (Directory Service Agent): the server. Each local directory represents one organization or a group of organizations
- DUA (Directory User Agent): the client; a user interface program for access to one or more DSAs

X.500 Directory Service (Cont.)
Operation
- The client opens a connection to the server and accesses the directory (issues a query)
- If the server does not have the required data in its DIB, it invokes another server or redirects the client to another server
- The full name of an entry corresponds to a path through the DIT from the root of the tree to the entry
- A DIB entry consists of a set of attributes, where an attribute has a type and one or more values
- Type names: for example, countryName, organizationName, commonName, telephoneNumber, mailbox, objectClass

X.500 Directory Service (Cont.)
- The name of a DIB entry is determined by selecting one or more of its attributes as distinguished attributes: the Distinguished Name (DN)
- Two main types of access request:
  - read: an absolute or relative name for an entry is given together with a list of attributes to be read. The DSA server retrieves the required attributes and returns them to the client
  - search: a base name and a filter expression are supplied as arguments. This command returns a list of names for all of the entries below the base node for which the filter evaluates to TRUE
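Added example (not from the slides): a toy DIT in Python, in which each entry's distinguished name is the path of distinguished attributes from the root, together with the read and search operations described in the last two slides. All entries, attribute values and the telephone number are constructed.

```python
# Constructed toy Directory Information Tree (DIT) in the spirit of the lecture's
# figure; all entries, attributes and values are made up.
def entry(attrs, children=()):
    return {"attrs": attrs, "children": list(children)}

DIT = entry({}, [
    entry({"objectClass": ["country"], "countryName": ["Great Britain"]}, [
        entry({"objectClass": ["organization"], "organizationName": ["Cambridge University"]}, [
            entry({"objectClass": ["organizationalUnit"], "organizationalUnitName": ["Computer Lab"]}, [
                entry({"objectClass": ["person"], "commonName": ["Jean Bacon"],
                       "telephoneNumber": ["+44 1223 000000"]}),       # constructed number
                entry({"objectClass": ["person"], "commonName": ["Ken Moody"]}),
            ]),
        ]),
    ]),
])

# Distinguished attribute chosen for each object class: its value forms the
# relative distinguished name (RDN) of an entry.
DISTINGUISHED = {"country": "countryName", "organization": "organizationName",
                 "organizationalUnit": "organizationalUnitName", "person": "commonName"}

def rdn(node):
    attr = DISTINGUISHED[node["attrs"]["objectClass"][0]]
    return f"{attr}={node['attrs'][attr][0]}"

def walk(node, prefix=()):
    """Yield (DN, entry) for every entry below node; the DN is the path from the root."""
    for child in node["children"]:
        path = prefix + (rdn(child),)
        yield "/".join(path), child
        yield from walk(child, path)

def read(dn, attributes):
    """Read: an absolute name plus the list of attributes wanted; None if no such entry."""
    for name, node in walk(DIT):
        if name == dn:
            return {a: node["attrs"][a] for a in attributes if a in node["attrs"]}
    return None

def search(base_dn, filt):
    """Search: names of every entry below base_dn ('' = root) whose attributes satisfy filt."""
    return [name for name, node in walk(DIT)
            if (base_dn == "" or name.startswith(base_dn + "/")) and filt(node["attrs"])]
```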

X.500 Directory Service (Cont.)
DNS versus X.500

DNS:
- simply looks up data attached to a given domain name
- a relatively simple distributed database meant to solve a particular problem
- is not secure

X.500:
- supports many types of searching: matches, and specifying incomplete information
- a full-blown distributed database meant to be used for a wide variety of applications
- can store the phone book, and information about all sorts of network devices and their attributes
- has security features involving credentials and the support of multiple encryption types