Online Book Reader


UNIX System Administration Handbook - Evi Nemeth [237]

type, and some data values.

For example, the lines

forklift    IN  A    192.108.21.7
            IN  MX   10 chimchim.xor.com.

in the “forward” file, and

7 IN PTR forklift.xor.com.

in the “reverse” file (where the owner name 7 is relative to that zone’s origin, 21.108.192.in-addr.arpa) associate “forklift.xor.com” with the IP address 192.108.21.7. The blank owner field on the MX line means the record belongs to the owner of the preceding line, forklift.
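The forward and reverse data above are maintained in two separate files, so nothing forces them to agree. The following Python example is added here and is not from the book: it parses master-file fragments of the kind shown (handling $ORIGIN, blank-owner continuation lines such as the MX record, and comments) and checks that every A record has a matching PTR and vice versa. The $ORIGIN lines, the chimchim A record at 192.108.21.1 and the deliberately stale second reverse fragment are constructed for the example.

```python
"""Parse forward/reverse zone fragments and check that A and PTR data agree.

Added example; not code from the UNIX System Administration Handbook.
Only the subset of the master-file syntax used in the text is handled
(no TTLs, no parentheses, no $INCLUDE or $GENERATE).
"""
import ipaddress

# Constructed sample data modeled on the book's forklift/chimchim example.
# The $ORIGIN lines and chimchim's address are assumptions for this example.
FORWARD_ZONE = """\
$ORIGIN xor.com.
forklift        IN  A    192.108.21.7
                IN  MX   10 chimchim.xor.com.
chimchim        IN  A    192.108.21.1
"""

REVERSE_ZONE = """\
$ORIGIN 21.108.192.in-addr.arpa.
7               IN  PTR  forklift.xor.com.
1               IN  PTR  chimchim.xor.com.
"""

# A constructed reverse zone that has drifted from the forward zone.
STALE_REVERSE_ZONE = """\
$ORIGIN 21.108.192.in-addr.arpa.
7               IN  PTR  forklift.xor.com.
1               IN  PTR  mail.xor.com.      ; host was renamed, PTR not updated
"""


def qualify(name, origin):
    """Turn a relative owner or target into an absolute (dot-terminated) name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, type, rdata) tuples from a master-file fragment.

    A line that starts with whitespace has no owner field and inherits the
    previous owner, which is how the MX line in the text attaches to forklift.
    """
    origin = "."
    owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():               # owner present on this line
            owner = qualify(fields.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without owner: {raw!r}")
        if fields and fields[0] == "IN":       # optional class field
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("PTR", "CNAME", "NS"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return records


def reverse_name(ip):
    """192.108.21.7 -> 7.21.108.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_consistency(forward, reverse):
    """Return a list of mismatches between A records and PTR records."""
    a_set = {(owner, rdata) for owner, rtype, rdata in forward if rtype == "A"}
    ptr_set = {(owner, rdata) for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems = []
    for host, ip in sorted(a_set):
        if (reverse_name(ip), host) not in ptr_set:
            problems.append(f"no PTR for {host} ({ip})")
    for rev, host in sorted(ptr_set):
        octets = rev.removesuffix(".in-addr.arpa.").split(".")
        ip = ".".join(reversed(octets))        # rebuild the address from the owner
        if (host, ip) not in a_set:
            problems.append(f"PTR {rev} -> {host} has no matching A record")
    return problems


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE)
    for label, rev in (("good", REVERSE_ZONE), ("stale", STALE_REVERSE_ZONE)):
        print(label, check_consistency(fwd, parse_zone(rev)) or "consistent")
```

The check is intentionally strict in both directions: a missing PTR breaks mail servers and logging tools that insist on reverse lookups, while a PTR pointing at a name with no matching A record is the classic sign of a stale reverse zone, and also the kind of mismatch that anti-spoofing checks on the receiving side are designed to reject.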

DNS is a client/server system. Servers (“name servers”) load the data from your DNS files into memory and use it to answer queries both from internal clients and from clients and other servers out on the Internet. All of your hosts should be DNS clients, but relatively few need to be DNS servers.

If your organization is small (a few hosts on a single network), you can run a server on one host or ask your ISP to supply DNS service on your behalf. A medium-sized site with several subnets should run multiple DNS servers to reduce query latency and improve reliability. A very large site can divide its DNS domain into subdomains and run several servers for each subdomain.

16.4 WHAT’S NEW IN DNS

Several significant changes have been made to DNS over the last few years. This section gives you the flavor of the major changes and a road map to the places where they are covered in more detail.

Both DNS and BIND are constantly being updated. DNS has new types of resource records, new protocol tweaks, and some new features. BIND has been redesigned and rewritten with support for multithreading and multiprocessor systems. Table 16.1 lists the major changes.

Table 16.1 New features in DNS and BIND

a. Not covered in this book, or in the case of ip6.arpa, not covered in much detail

Some of these new features are enormous projects that the IETF has not yet finished standardizing. The working groups that are writing the standards have good writers but lack vigilant code warriors; some of the more recent specifications may be difficult or even impossible to implement. The current release of BIND (8.2.2-P5) includes some of the new features; the initial release of BIND 9 (9.0.0) includes almost all of them, but not necessarily in their final form.

IPv6 is described in more detail in Chapter 13.

Two massive new features, IPv6 support and DNSSEC, warrant a bit of commentary. IPv6 increases the length of IP addresses from 32 bits to 128 bits. If ever fully implemented, it will have an enormous impact on the Internet. BIND 9 supports the pieces of IPv6 that have been standardized so far, but it appears unlikely that IPv6 will be widely deployed during the lifetime of this book. Therefore, our coverage of BIND 9’s IPv6 support is brief. There’s enough in this chapter to give you the general flavor, but not enough to let you migrate your site to IPv6 and configure DNS for it.

The DNSSEC standard attempts to add authentication to the DNS database and its servers. It uses public key cryptography to verify the source and integrity of DNS data and uses DNS to distribute keys as well as host data.

Simpler authentication mechanisms have also been introduced, such as support for authentication through the use of a “shared secret.” However, the shared secret must be distributed to each pair of servers that wants to perform mutual authentication. Although that’s fine for a local site with a handful of servers, it doesn’t scale to the level of the Internet. BIND 9 implements both the DNSSEC public key system and the TSIG (transaction signatures) shared secret system.

We expect to see some form of authentication used extensively in the next few years, starting with the root zones. Experiments have shown that some top-level zones (e.g., nl and de) can be signed in a few hours, but that to sign com with current (circa 2000) technology would take months. Since com is currently updated twice a day, signing that takes months won’t work. Security attacks against the integrity of DNS will no doubt hasten the adoption of authentication measures.

16.5 THE DNS NAMESPACE

In the sections that follow, we first discuss the general anatomy of DNS (the specification) and then describe the configuration files used by BIND (the implementation). If you are familiar with DNS and

