Tuesday, February 2, 2010

BIND 9.5's new features

BIND, which originally stood for Berkeley Internet Name
Daemon, is a suite of DNS (domain name system) software
that provides a DNS server, DNS resolver library, and various
DNS-related tools.

BIND dates back to the early 1980s, when it was designed
to serve the needs of distributed computing communities and to
be compatible with the naming service planned for the DARPA
Internet. Since the mid-1990s, BIND has been maintained and
developed by Internet Systems Consortium (ISC), which has become
well known for its support of many open source projects, its
funding and development of BIND and other open source
software, and its design and advocacy of many Internet standards.
BIND was rewritten, and version 9 was released in September
2000.

According to the Infoblox 2007 DNS Survey, 70% of the Internet's
estimated 11.7 million name servers ran BIND. (Microsoft's
DNS Server ran on 2.7%.) BIND is provided in the default
installations of NetBSD, FreeBSD, OpenBSD, and DragonFly
operating systems. It is also the commonly recommended
DNS server on most Linux distributions and various
Unix flavours.

For over a year, ISC has been developing and testing many new
features for BIND 9.5. This article will quickly summarize some of
the significant new features:
• GSS-TSIG support
• DHCID
• Statistics support for named via XML
• UDP Socket Pool
• Handling EDNS timeouts
• O(1) ACL processing

GSS-TSIG, or the Generic Security Service Algorithm for
Secret Key Transaction Authentication for DNS, is documented
in RFC 3645. It is an update to Secret Key Transaction
Authentication for DNS (TSIG).

GSS-TSIG is the authentication mechanism of choice for DNS
dynamic update in Microsoft Active Directory.

It is potentially useful for other things, said Rob Austein of
ISC, but the big push for BIND 9.5 was to allow named (the
BIND DNS server) to act as the DNS server for an Active Directory
zone.

GSS-TSIG is a composite of GSSAPI and TSIG – a wrapper
layer built on top of a wrapper layer. It is insanely general, said
Austein, but the common usage is DNS wrapping TSIG wrapping
GSSAPI wrapping SPNEGO wrapping Kerberos 5 – thus for
practical purposes it is a mechanism for using Kerberos 5 to authenticate
DNS.

BIND added the new DHCID Resource Record (RR) type
to keep up with standards. The DHCID RR encodes DHCP client
identity: DHCP servers and clients use it to associate a DHCP
client with a DNS name, which reduces conflicts over the use of
fully-qualified domain names. The data is a one-way SHA-256
hash. More details are in RFCs 4701 and 4703.
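To make the hash construction concrete, here is an added example (written for this article, not code from BIND or ISC) that builds DHCID RDATA the way RFC 4701 lays it out: a 2-octet identifier type, a 1-octet digest type, and a SHA-256 digest over the client identifier concatenated with the FQDN in canonical wire form. It also shows the RFC 4703 style conflict check a DHCP server performs before overwriting a name. The MAC address and hostname are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Identifier type codes and the digest type defined in RFC 4701 section 3.
DHCID_TYPE_HTYPE_CHADDR = 0x0000  # 1-octet htype followed by the DHCPv4 chaddr
DHCID_TYPE_CLIENT_ID = 0x0001     # data of the DHCPv4 client-identifier option
DHCID_TYPE_DUID = 0x0002          # DHCPv6 DUID
DHCID_DIGEST_SHA256 = 1           # the only digest type RFC 4701 defines


def canonical_wire_name(fqdn: str) -> bytes:
    """FQDN in canonical wire form: lowercase labels, uncompressed, root terminator."""
    out = b""
    for label in fqdn.rstrip(".").lower().split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % fqdn)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dhcid_rdata(id_type: int, identifier: bytes, fqdn: str) -> bytes:
    """RDATA = identifier type (2 octets) || digest type (1 octet) ||
    SHA-256(identifier || canonical FQDN). The hash is one-way, so the
    published record does not reveal the hardware address or DUID."""
    digest = hashlib.sha256(identifier + canonical_wire_name(fqdn)).digest()
    return struct.pack(">HB", id_type, DHCID_DIGEST_SHA256) + digest


def dhcid_from_chaddr(htype: int, chaddr: bytes, fqdn: str) -> bytes:
    """Type 0x0000 identifier: the DHCPv4 htype octet followed by the client hardware address."""
    return build_dhcid_rdata(DHCID_TYPE_HTYPE_CHADDR, bytes([htype]) + chaddr, fqdn)


def dhcid_presentation(rdata: bytes) -> str:
    """Zone-file presentation format is the base64 encoding of the RDATA."""
    return base64.b64encode(rdata).decode("ascii")


def dhcid_claims_name(existing_rdata: bytes, id_type: int, identifier: bytes, fqdn: str) -> bool:
    """Conflict check in the spirit of RFC 4703: a DHCP server may update a name
    whose existing DHCID matches the client it is serving; a mismatch means a
    different client already holds that name and the update must not proceed."""
    expected = build_dhcid_rdata(id_type, identifier, fqdn)
    return hmac.compare_digest(existing_rdata, expected)


if __name__ == "__main__":
    # Constructed sample: an Ethernet client (htype 1) with a made-up MAC address.
    mac = bytes.fromhex("020000000001")
    rdata = dhcid_from_chaddr(1, mac, "client1.example.com.")
    print("client1.example.com. IN DHCID", dhcid_presentation(rdata))
```

Because the FQDN is canonicalised before hashing, a server that learned the name as `CLIENT1.Example.COM` produces the same record as one that learned it in lowercase, which is what makes the conflict check usable across independently operated DHCP servers.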

BIND 9.5 adds an experimental HTTP server and statistics
support for the DNS server via XML. It is not a web-based configuration
interface, but a statistics feed that happens to use the HTTP
protocol for delivery because it is flexible and very well-supported,
said Evan Hunt of ISC.

Also, BIND 9.5 makes it a bit harder to play games with insecure
DNS by brute-force attack on the 16-bit DNS ID space,
said Austein. The server provides a pool of UDP sockets over which
queries are made; for example, using eight ports instead of
one in effect adds three more bits to the search space.

BIND 9.5 makes fallback from EDNS to plain DNS due to timeouts
more visible. EDNS (Extension Mechanisms for DNS)
has been available for around eight years, and many servers (and
all root servers) support it.

The problem is that some firewalls do not support EDNS by
default, said Mark Andrews of ISC. Also, there are some authoritative
servers that fail to respond when they see an EDNS query,
rather than returning an error code as is required, said Andrews. Timeouts
may mean network problems, dead servers, broken middleboxes,
or broken authoritative servers.

Falling back to plain DNS will help with the latter, said Andrews,
but it has a negative impact on DNSSEC (which requires
EDNS), especially when there are overloaded links causing
packet loss.

On timeouts, named retries EDNS with a 512-octet UDP size
(which usually allows EDNS to get through a firewall, as the response
is generally not fragmented and is within the sizes allowed by
plain DNS) and then tries plain DNS if still needed. The server
logs this to draw attention to the issue and to get any non-RFC-compliant
boxes replaced or reconfigured, said Andrews.
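The retry ladder just described (EDNS at the full advertised size, then EDNS at 512 octets, then plain DNS) is easy to model. The following is an added example written for this article, not code from BIND: it builds real wire-format queries with and without an OPT pseudo-RR, walks the ladder against a caller-supplied transport, and emits a notice when a fallback step was needed. The initial size of 4096 octets is an assumption (named's actual value is a configuration setting), the log wording paraphrases the kind of notice named emits rather than quoting it, and `make_fake_server` is a constructed stand-in for the firewall and broken-server cases so the whole thing runs offline.

```python
import struct

QTYPE_A = 1
TYPE_OPT = 41
FULL_EDNS_SIZE = 4096  # assumed starting size; in named this comes from configuration


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int, qtype: int = QTYPE_A, edns_udp_size=None) -> bytes:
    """A recursion-desired query; when edns_udp_size is given, an OPT pseudo-RR
    advertising that UDP payload size is appended in the additional section."""
    arcount = 1 if edns_udp_size is not None else 0
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    if edns_udp_size is not None:
        # OPT RR: root owner name, TYPE 41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def advertised_edns_size(pkt: bytes):
    """UDP payload size advertised by the OPT RR, or None for a plain DNS query."""
    qdcount = struct.unpack(">H", pkt[4:6])[0]
    arcount = struct.unpack(">H", pkt[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while pkt[pos] != 0:  # skip labels; our own queries never use compression
            pos += 1 + pkt[pos]
        pos += 1 + 4          # root terminator, QTYPE, QCLASS
    if arcount == 0 or pos + 5 > len(pkt):
        return None
    rtype, rclass = struct.unpack(">HH", pkt[pos + 1:pos + 5])
    return rclass if pkt[pos] == 0 and rtype == TYPE_OPT else None


def resolve_with_fallback(send, qname: str, txid: int = 0x1234):
    """Walk the ladder: full-size EDNS, EDNS at 512 octets, then plain DNS.
    `send` takes query bytes and returns response bytes, or None on timeout.
    Returns (step that succeeded or None, response, log lines)."""
    ladder = [("edns", FULL_EDNS_SIZE), ("edns-512", 512), ("plain", None)]
    log = []
    for step, size in ladder:
        resp = send(build_query(qname, txid, edns_udp_size=size))
        if resp is None:
            log.append("timeout resolving '%s' at step %s" % (qname, step))
            continue
        # Wording below is this example's paraphrase, not named's exact log text.
        if step == "edns-512":
            log.append("success resolving '%s' after reducing the advertised EDNS UDP size to 512 octets" % qname)
        elif step == "plain":
            log.append("success resolving '%s' after disabling EDNS" % qname)
        return step, resp, log
    return None, None, log


def make_fake_server(max_edns_size: int = 65535, supports_edns: bool = True):
    """Constructed stand-in for a remote server: drops (returns None) EDNS queries
    advertising more than max_edns_size (a middlebox that blocks large or
    fragmented responses), and drops every EDNS query when supports_edns is
    False (the broken authoritative server that should answer with an error)."""
    def send(query: bytes):
        size = advertised_edns_size(query)
        if size is not None and (not supports_edns or size > max_edns_size):
            return None
        txid, flags = struct.unpack(">HH", query[:4])
        return struct.pack(">HH", txid, flags | 0x8000) + query[4:]  # echo with QR set
    return send


if __name__ == "__main__":
    cases = [("healthy path", make_fake_server()),
             ("firewall limiting EDNS size", make_fake_server(512)),
             ("server that ignores EDNS", make_fake_server(supports_edns=False))]
    for label, server in cases:
        step, _, log = resolve_with_fallback(server, "www.example.com")
        print("%s -> %s; %s" % (label, step, "; ".join(log)))
```

Reading the three cases side by side shows why the logging matters: the first case never logs, the second implicates a middlebox, and the third implicates the remote server, which is exactly the distinction an operator needs before deciding what to replace or reconfigure.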

Andrews said that at some point soon, BIND will no longer fall back from
EDNS to plain DNS on timeout. He suggests the following to BIND administrators
regarding EDNS:
• Firewalls and NAT boxes need to handle fragmented
responses both in and out of order.
• Firewalls need to handle EDNS responses.
• Broken authoritative servers need to be replaced or upgraded,
which first means they need to be identified.

Also, BIND 9.5 introduces a new ACL-processing engine.
Instead of storing ACLs (i.e., allow-query, allow-recursion,
et cetera) as linear lists that have to be searched every time
a query comes in, they are now stored as modified radix trees. There
should not be any change in the way things are configured,
said Evan Hunt of ISC, but sites with ACLs containing more
than one or two addresses should hopefully see an uptick in
queries per second.
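To show why a radix tree makes the lookup cost independent of ACL size, here is an added example written for this article (an illustrative structure, not BIND's own radix code): a binary trie keyed on address bits, one per address family, next to the linear scan it replaces. A lookup walks at most 32 nodes for IPv4 or 128 for IPv6 no matter how many prefixes the ACL holds. This example resolves overlapping prefixes by longest match; BIND's own rules for ordering and negated entries are documented in the Administrator Reference Manual and are not reproduced here. The network list is constructed sample data.

```python
import ipaddress


class RadixAcl:
    """Binary trie keyed on address bits. A node may carry a verdict
    (True = allow, False = deny) for the prefix that ends at that node."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}  # one trie per address family

    def add(self, network: str, allow: bool = True) -> None:
        net = ipaddress.ip_network(network, strict=False)
        node = self.roots[net.version]
        bits = int(net.network_address)
        for i in range(net.prefixlen):
            bit = (bits >> (net.max_prefixlen - 1 - i)) & 1
            node = node.setdefault(bit, {})
        node["verdict"] = allow

    def check(self, address: str, default: bool = False) -> bool:
        """Longest matching prefix decides; `default` applies when nothing matches.
        The loop is bounded by the address length, not by the number of entries."""
        addr = ipaddress.ip_address(address)
        node = self.roots[addr.version]
        verdict = node.get("verdict", default)  # a /0 entry, if one exists
        bits = int(addr)
        for i in range(addr.max_prefixlen):
            node = node.get((bits >> (addr.max_prefixlen - 1 - i)) & 1)
            if node is None:
                break
            verdict = node.get("verdict", verdict)
        return verdict


def linear_check(entries, address: str, default: bool = False) -> bool:
    """The list approach being replaced: scan in order, first match wins,
    so the cost of every incoming query grows with the length of the ACL."""
    addr = ipaddress.ip_address(address)
    for network, allow in entries:
        net = ipaddress.ip_network(network, strict=False)
        if net.version == addr.version and addr in net:
            return allow
    return default


def build_sample_entries():
    """Constructed ACL: a deny for one /24 listed ahead of two hundred allowed /16s."""
    return [("10.1.2.0/24", False)] + [("10.%d.0.0/16" % n, True) for n in range(200)]


if __name__ == "__main__":
    entries = build_sample_entries()
    acl = RadixAcl()
    for network, allow in entries:
        acl.add(network, allow)
    acl.add("2001:db8::/32", True)
    for probe in ("10.5.1.1", "10.1.2.3", "10.1.3.3", "192.0.2.1", "2001:db8::1"):
        print(probe, "radix:", acl.check(probe), "linear:", linear_check(entries, probe))
```

With two hundred entries the linear scan examines up to two hundred networks per query, while the trie examines at most thirty-two bits; the gap widens with every entry added, which is the effect the article expects sites with larger ACLs to see.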

More details about BIND 9.5 features can be found in the
BIND Administrator Reference Manual and manual pages.
