DNS: The basics
Karst Koymans
Informatics Institute, University of Amsterdam
(version 16.6, 2016/09/16 12:18:40)
Tuesday, September 13, 2016
Karst Koymans (UvA) DNS Tuesday, September 13, 2016 1 / 68
1. DNS: basic ideas and functionality
2. A short history of DNS
3. Basic concepts
4. Delegation
5. Root servers
6. Lookups
DNS: basic ideas and functionality
Specification versus implementations
DNS (Domain Name System): specification, concepts, theory
BIND (Berkeley Internet Name Domain): server implementation, software, practice
Other implementations: NSD/Unbound, PowerDNS, djbdns (tinydns), ...
Primary use case
Finding IP addresses
  Starting with a domain name (human form)
  Translating to an IP address (machine form)
What is the IP address of www.os3.nl?
  Client asks server
  Server responds with answer... case closed?
Secondary use case
Email routing
  Where to deliver email for [email protected]?
The domain os3.nl is an aggregate and might not have an IP address (in fact it has, but shouldn’t)
  An MX record is used to refer to smtp.os3.nl, which has (and should have) an IP address
What about email for subdomains?
What about other services?
Important entities in DNS
Source: Niels Sijm, 2012-2013 CIA lecture
First architectural option: centralized
Define a protocol for HOSTS.TXT access
One single DNS server: 1.1.1.1
  Simple: one place for all your questions!
  SPoF (Single Point of Failure) and bottleneck
Multiple DNS servers: 1.1.1.1, 2.2.2.2, 3.3.3.3, ...
  Simple: multiple predefined places for all your questions!
  Easy to remember, easy to use, resilient to network failures
Scaling issues
  Easy for 10 hosts; impossible for 1,000,000,000 hosts
  Also the network traffic does not scale
  Administration of the database becomes infeasible too
Second architectural option: decentralized
Use a hierarchy instead of one big flat master file
  Solves all of your scaling issues
  Need to tweak the protocol to redirect questions
  Seems simple, but introduces quite some challenges (and issues)
How to split up the database?
  Use the subdomain to split up the database?
  Use the first letter of a domain name?
  Create a cryptographic hash and use the first octet?
  Use /dev/random and remember the outcome?
  ...
Third architectural option: distributed
Not a hierarchy but an “unmanaged” network
  Who owns what part of the database?
Distributed Hash Table (DHT) works well in practice
  Works for P2P networks, Bitcoin, CDNs and Skype...
Authority problems
  Can you hijack a part of the database as in a DHT?
  What if a node goes down?
  How to duplicate information?
  How to redirect questions?
  How to keep information up-to-date?
DNS’s choice
Decentralized and hierarchical architecture
Subdomains creating new zones are delegation points
Delegation of authority is done “in-band”
  Delegation information is put in the database itself, which turned out problematic afterwards
First way of resolving in a decentralized network
Recursive (would put too much load on the root server)
Source: Niels Sijm, 2012-2013 CIA lecture
Second way of resolving in a decentralized network
Iterative (scales nicely)
Source: Niels Sijm, 2012-2013 CIA lecture
A short history of DNS
1973—1985
December 1973: HOSTS.TXT (RFC 606)
November 1983: DNS invented (RFC 882)
October 1984: TLDs defined (RFC 920)
RFC 920, October 1984
Section “Initial Set of Top Level Domains (gTLDs)”
  gTLD stands for generic Top Level Domain
ARPA (“temporary”)
Categories
  .GOV
  .EDU
  .COM
  .MIL
  .ORG
Countries: at first ∅, later to become ccTLDs
Multiorganizations: at first ∅ (now obsolete)
RFC 920, definition of country code
Countries

The English two letter code identifying a country according to the ISO Standard for “Codes for the Representation of Names of Countries”: ISO 3166-1 alpha-2.
RFC 920, definition of multiorganization
Multiorganizations

A multiorganization may be a top level domain if it is large, and is composed of other organizations; particularly if the multiorganization can not be easily classified into one of the categories and is international in scope.
January 1985
SRI runs the DNS service
  Stanford Research Institute is a not-for-profit organisation
  SRI-NIC, in cooperation with IANA
.NET added to the top level domains (“forgotten” in RFC 920)
July 1985
ccTLDs established
  .US (February 15, 1985)
  .UK, .GB (July 24, 1985)
  .AU (March 5, 1986)
  .NL (April 25, 1986)
  .JP (August 5, 1986)
1987—1991
November 1987: DNS specification
  STD 13 (IETF standard), RFC 1034, RFC 1035
November 1988: .INT domain established
May 1991: DISA (Defense Information Systems Agency) transfers the DDN (Defense Data Network) NIC contract from SRI International to Government Systems Inc. (GSI)
1993—1995
April 1993: InterNIC starts, initiated by NSF and operated by NSI (Network Solutions Inc.) and AT&T
June 1994: Commercial use becomes dominant
September 1995: Charging for domain name registration starts
1997
Start planning for competition

On July 1, 1997, as part of the Administration’s Framework for Global Electronic Commerce, the President directed the Secretary of Commerce to privatize the management of the domain name system (DNS) in a manner that increases competition and facilitates international participation in its management.

Source: MoU (Memorandum of Understanding; November 1998) [1]

[1] Also see RFC 2860 (June 2000)
1998
November 1998: Start of ICANN (Internet Corporation for Assigned Names and Numbers)
Responsibilities
  IP address assignment, via ASO (Address Supporting Organization)
  Internet domain names, via GNSO (Generic Names Supporting Organization) and ccNSO (Country Code Names Supporting Organization)
  Protocol parameters and port numbers, supported by IANA (Internet Assigned Numbers Authority)
2000—2012
More TLDs
  https://www.iana.org/domains/root/db
  http://newgtlds.icann.org/en/program-status/delegated-strings
IDNs (Internationalized Domain Names)
Many more gTLDs, including
  grTLDs (generic-restricted; .name, .pro, .biz)
  sTLDs (sponsored Top Level Domains)
Highly political
2012—now
Unlimited TLDs (New gTLD Program)
  https://icannwiki.com/All_New_gTLD_Applications
GeoTLDs introduced
“DotBrand” introduced
gTLDs and IDNs now have categories
  Commerce, Culture, Education, Food & Drink, Government, Health, Industry, Lifestyle, Media, Professional, Real Estate, Sport, Technology
Even more political
Basic concepts
DNS concepts
Domain Name Space (Domain Name Tree)
Resource Records (the data itself)
Name Servers (server side)
Resolvers (client side)
Domain names
Nodes (internal and leaf) have a label (sequence of octets)
  root label is empty: “” (not “ ” or “ ”)
  non-root labels must be non-empty
  labels are 0-63 octets long (only the root label has length 0)
A domain name is a sequence of labels [2]
  specifying the labels on the path to the root
  and thus ending in the (empty) root label
A domain is a domain name together with all domain names below it

[2] In text representation the labels are separated by “.” (dot), with a maximum total length of 254
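The label and length rules above turned into code, as an added example that is not part of the original slides: a small encoder and decoder for the wire format of a domain name. It assumes ASCII names and reads the 254-character text limit of footnote 2 as including the trailing dot.

```python
# Added example (not from the slides): encode a textual domain name into
# DNS wire format, enforcing the label and name limits stated on this slide.
# Assumptions: ASCII names, a trailing "." marks an absolute name, and the
# 254-character text limit from footnote 2 includes that trailing dot.

MAX_LABEL = 63   # non-root labels are 1..63 octets
MAX_TEXT = 254   # text representation, trailing dot included (footnote 2)


def split_labels(name: str) -> list:
    """Split an absolute domain name into its non-root labels.

    Rejects what the slide forbids: a relative name (no trailing dot),
    an empty non-root label ("a..b.") and over-long labels or names.
    """
    if not name.endswith("."):
        raise ValueError("relative name %r: append the origin first" % name)
    if name == ".":
        return []                      # the root has only the empty label
    if len(name) > MAX_TEXT:
        raise ValueError("name longer than %d characters" % MAX_TEXT)
    labels = []
    for text in name[:-1].split("."):  # drop the trailing dot, then split
        label = text.encode("ascii")
        if len(label) == 0:
            raise ValueError("empty non-root label in %r" % name)
        if len(label) > MAX_LABEL:
            raise ValueError("label %r longer than %d octets" % (text, MAX_LABEL))
        labels.append(label)
    return labels


def to_wire(name: str) -> bytes:
    """Wire format (RFC 1035, section 3.1): each label is one length octet
    followed by its octets; the zero-length root label terminates the name."""
    wire = b"".join(bytes([len(label)]) + label for label in split_labels(name))
    return wire + b"\x00"


def from_wire(data: bytes) -> str:
    """Inverse of to_wire. Rejects truncated input and compression pointers
    (top two bits of the length octet set), which this example does not handle."""
    labels, pos = [], 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        if length == 0:
            break                       # root label: end of name
        if length & 0xC0:
            raise ValueError("compression pointer not supported here")
        chunk = data[pos + 1:pos + 1 + length]
        if len(chunk) < length:
            raise ValueError("truncated label")
        labels.append(chunk.decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."       # always the absolute (FQDN) form


if __name__ == "__main__":
    wire = to_wire("mail.serv.os3.nl.")
    print(wire.hex(), from_wire(wire))
```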
Where to put your slashes: to slash or not to slash
Compare domain names to pathnames in a filesystem
  Labels (filenames) separated by “/” (slash)
  Absolute versus relative pathnames
Where to put your dots: to dot or not to dot
Absolute domain (FQDN): mail.serv.os3.nl.
Relative domain: mail, mail.serv
machine.cs can (or is it could?) give problems. Why?
Resource Records (RRs)
owner (domain name)
ttl (time to live (in cache))
class (IN, CH, HS, ...)
  Only IN is actively used
  CH is used with Chaosnet, an early LAN protocol
  HS implements the Hesiod lookup service
type (A, AAAA, CNAME, DNAME, MX, NS, PTR, SOA, SRV, . . . )
resource data (depends on type)
Textual representation of Resource Records
Differs between implementations
  Most well-known is the BIND syntax
    owner [ttl] [class] type data
ttl and class are optional and default to $TTL and IN
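An added example (not from the slides) of the BIND syntax just described: a minimal Python parser that applies the $TTL and IN defaults and turns relative names, including “@” and relative names in RDATA, into absolute ones with $ORIGIN. The zone text inside it is constructed for the example, and the parser handles single-line records only.

```python
# Added example (not from the slides): a minimal parser for single-line
# records in BIND syntax, "owner [ttl] [class] type data", applying the
# slide's defaults ($TTL when ttl is missing, IN when class is missing) and
# making relative names absolute with $ORIGIN. Assumptions: one record per
# line (no parenthesised continuations), numeric ttl values only; the zone
# text at the bottom is constructed for this example.
from dataclasses import dataclass

CLASSES = {"IN", "CH", "HS"}
# Types whose last RDATA field is a domain name, so it may be relative too.
NAME_LAST = {"NS", "CNAME", "DNAME", "MX", "PTR", "SRV"}


@dataclass
class RR:
    owner: str   # always absolute, trailing dot included
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def absolute(name: str, origin: str) -> str:
    """'@' is the origin itself; a name without a trailing dot is relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text: str) -> list:
    origin, default_ttl, last_owner, records = ".", None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if line[0].isspace():                     # blank owner: reuse the last
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        ttl, rclass = default_ttl, "IN"           # the slide's defaults
        if fields and fields[0].isdigit():        # optional ttl
            ttl = int(fields.pop(0))
        if fields and fields[0] in CLASSES:       # optional class
            rclass = fields.pop(0)
        if owner is None or ttl is None:
            raise ValueError("no owner or no ttl/$TTL for: %r" % raw)
        rtype = fields[0]
        if rtype in NAME_LAST and len(fields) > 1:
            fields[-1] = absolute(fields[-1], origin)
        records.append(RR(owner, ttl, rclass, rtype, " ".join(fields[1:])))
        last_owner = owner
    return records


SAMPLE_ZONE = """\
$ORIGIN os3.nl.
$TTL 3600
@          NS   ns1
@          MX   0 smtp
mail.serv  A    145.100.96.25
           AAAA 2001:610:158:960::25   ; same owner as the previous line
www   300  IN   CNAME info4u
"""
```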
A record
An A record (address record) translates a domain name to an IPv4 address
  mail.serv.os3.nl. −→ 145.100.96.25
Multihomed hosts have several A records
  Routers may have multiple A records
Example (assuming the $ORIGIN [3] is os3.nl.)
  mail.serv A 145.100.96.25

[3] BIND variable, but the idea is widely used
Example of multiple A records (os3.nl)
router.studlab.os3.nl. A 145.100.104.1
router.studlab.os3.nl. A 145.100.104.33
router.studlab.os3.nl. A 145.100.104.65
router.studlab.os3.nl. A 145.100.104.97
router.studlab.os3.nl. A 145.100.104.129
router.studlab.os3.nl. A 145.100.104.145
router.studlab.os3.nl. A 145.100.104.161
router.studlab.os3.nl. A 145.100.104.193

129.104.100.145.in-addr.arpa. PTR router.studlab.os3.nl.
Source: The domain name system (2014-09-08T191940Z)
Example of multiple A records (phil.uu.nl)
router.phil.uu.nl. CNAME frege.phil.uu.nl.
frege.phil.uu.nl. A 131.211.0.89
frege.phil.uu.nl. A 131.211.135.1
frege.phil.uu.nl. A 131.211.140.1
frege.phil.uu.nl. A 131.211.140.65
frege.phil.uu.nl. A 131.211.140.129
frege.phil.uu.nl. A 131.211.141.1
frege.phil.uu.nl. A 131.211.141.129
frege.phil.uu.nl. A 131.211.141.193
frege.phil.uu.nl. A 131.211.143.1
frege.phil.uu.nl. A 131.211.143.129

129.143.211.131.in-addr.arpa. PTR frege.shrapnel.phil.uu.nl.
Source: The domain name system (historic data)
AAAA record
AAAA records are sometimes called quad-A records
A quad-A record translates a domain name to an IPv6 address
  mail.serv.os3.nl. −→ 2001:610:158:960::25
Many hosts have multiple AAAA records
  It is quite normal in IPv6 to belong to multiple subnets
Example (assuming the $ORIGIN is os3.nl.)
  mail.serv AAAA 2001:610:158:960::25
CNAME record
A CNAME (canonical name) record defines an alias
  www.uva.nl. −→ www-prd.cms.uva.nl. −→ cms-prd-www.lb.uva.nl.
  www.uva.nl. CNAME www-prd.cms.uva.nl.
  www-prd.cms.uva.nl. CNAME cms-prd-www.lb.uva.nl.
No other RRs are allowed at the same owner
Does not work for subdomains
  DNAME record proposed for that (see next slide)
Example (assuming the $ORIGIN is os3.nl.)
  www CNAME info4u [4]

[4] This is now historic and has been replaced by a direct A record.
DNAME record
A DNAME is used for non-terminal DNS Name Redirection
Allows other RR types at the same owner except CNAME
DNAME RRset not allowed to contain more than one element
Synthesizes CNAME records for clients
Wildcarded DNAME records should not be used
Also called “Delegation Name” because of its use instead
of NS records in certain cases (see RFC 6672, section 6.3)
Example (assuming the $ORIGIN is nl.)
  ruu DNAME uu
MX record
An MX (Mail eXchanger) record defines for a domain
  the mail servers for that domain
  and the order of their preference, where a lower preference value is more preferred
MX must not point to a CNAME (or below a DNAME)
Example (assuming the $ORIGIN is os3.nl.)
  @ MX 0 smtp
  @ MX 10 backup.somewhere.nl.
NS record
An NS (Name Server) record defines a cut (zone)
  Must list at least two name servers
  Makes DNS decentralized
  Delegates responsibility or authority
NS record must not point to a CNAME (or below a DNAME)
Example (assuming the $ORIGIN is os3.nl.)
  @ NS ns1
  @ NS ns2
  @ NS ns1.zurich.surf.net.
PTR record
A PTR (pointer) record literally points to a(n arbitrary) point in the DNS tree
Mostly used for reverse lookup
  145.100.96.25 −→ mail.serv.os3.nl.
  Lookup works via in-addr.arpa.
  25.96.100.145.in-addr.arpa. (why not 145.100.96.25.in-addr.arpa.?)
  Wasn’t .ARPA supposed to be temporary?
Example (assuming the $ORIGIN is os3.nl.)
  25.96.100.145.in-addr.arpa. PTR mail.serv
SOA record
An SOA (Start Of Authority) record administrates important zone parameters
  hostname of the (non-hidden) master server
    ns1.os3.nl.
  email address (in “dot” form [5]) of the person responsible
    [email protected] −→ hostmaster.os3.nl.
  numerical parameters

[5] Using an escaped “dot” if necessary: First\.Last.example.com.
Numerical SOA parameters ((former) recommended values)
Parameter values (except Serial) are given in seconds
  Serial (“YYYYMMDDnn” is a common convention)
  Refresh (86400 = 1 day)
  Retry (7200 = 2 hours)
  Expire (3600000 = 1000 hours ∼ 40 days)
  “Minimum” (172800 = 2 days, historic...)
Properties of the SOA record as a whole
  The SOA record itself can have a low TTL
  Even 0 (don’t cache) according to RFC 1035
Numerical SOA params (OS3 example during IP migration)
These values are quite low
Serial (2007110900)
Refresh (3600 = 1 hour)
Retry (1800 = 30 minutes)
Expire (21600 = 6 hours)
Minimum (3600 = 1 hour, but. . . )
SOA example (with “modern”, normal values)
cwi.nl. SOA ns1.cwi.nl. hostmaster.cwi.nl. (
2015090700 ;serial (version)
28800 ;refresh period (8 hours)
7200 ;retry interval (2 hours)
604800 ;expire time (1 week)
43200 ;"minimum" (12 hours)
)
“Minimum”
Different interpretations
  Minimal TTL allowed (never used this way)
  Default TTL, if TTL not specified (BIND 8)
  TTL for caching negative replies (BIND 9)
BIND 9 uses the global $TTL for the default TTL
SRV record
An SRV (service) record specifies the location of the services that a domain supports
The format for the information about a certain “Domainname” uses
  “_Service._Proto.Domainname” as the owner domain name
  “Priority Weight Port Target” as its resource data
It is a typical generator of so-called “empty non-terminals”
  Like “_Proto.Domainname” in the above case
Example
  _sip._tcp.example.com. SRV 10 20 5060 sip.example.com.
Resource Record sets (RRsets)
An RRset is a grouping of a set of RRs with the same owner, class and type
All RRs in an RRset must have the same TTL
DNSSEC signs complete RRsets with RRSIG RRs
  Which might make the RRSIG RR an exception to the TTL rule :)
  But in fact the DNSSEC specification tells us they do not form a resource record set at all (RFC 4035, section 2.2)
Delegation
Name servers and zones
Zones are created by cuts (delegations)
Cuts are defined by NS records
  “inside” the parent zone
  non-authoritative by definition
  best interpreted as the edge leading to the child zone
Glue A records are sometimes needed
  When name servers for the delegation are “in bailiwick”
  Or, in the more general case, when name servers have circular dependencies and create bailiwick loops
Bootstrap issues
Hint file for the root servers’ A and AAAA RRs
Glue for child zones
  Glue NS records
    Stub server automates this
  Glue A records (only for servers inside the child zone)
Glue data is not authoritative unless the parent is also a (slave) server for the child zone
Non-authoritative data should be replaced by authoritative data as soon as the latter becomes available
Name server types
Master (primary)
Slave (secondary)
Stub (limited secondary)
Stealth (secondary that is not listed)
Lame (listed but not operating as secondary)
Caching-only (never authoritative)
Forward-only (using forwarders)
Root servers
DNS structure
Hierarchical tree
  its root is unnamed (unlabeled)
  in fact the root uses the empty label: “”
Top Level Domains (TLDs)
  generic TLDs (gTLDs)
  country code TLDs (ccTLDs)
  ... TLDs
Decentralized database
Root servers
Status in 2001, according to ICANN official Michael Roberts
  13 root servers
  Most of them located in the US (10)
Nowadays there is a complete infrastructure with both global and local servers
Root servers map
Source: ICANN
Root server list (part 1)
Name  Org                                 Where                    Globals  Locals
A     Verisign                            Los Angeles, CA, US            8       0
B     USC-ISI                             Marina del Rey, CA, US         0       1
C     Cogent Communications               Herndon, VA, US                8       0
D     University of Maryland              College Park, MD, US           1       0
E     NASA (Ames)                         Mountain View, CA, US          1      11
F     ISC (Internet Software Consortium)  Palo Alto, CA, US              5      51
G     US DOD NIC                          Columbus, OH, US               6       0
Source: http://www.root-servers.org/ (retrieved 20130909)
Root server list (part 2)
Name  Org                                 Where                    Globals  Locals
H     US Army Research Lab (ARL)          Aberdeen, MD, US               2       0
I     Netnod (NORDUnet)                   Stockholm, SE                  0      43
J     Verisign                            Dulles, VA, US                63       5
K     RIPE NCC                            London, UK                     5      12
L     ICANN                               Los Angeles, CA, US            0     146
M     WIDE                                Tokyo, JP                      5       1
Source: http://www.root-servers.org/ (retrieved 20130909)
Anycast
Overloading of an IP address
Route to the nearest instance (BGP metric)
Global or local significance
Live data for k root can be found at http://k.root-servers.org/
Research exercise:
  Find two documented ways for finding out which specific server from the anycasted set of servers answers your query.
k root server presence (2006 snapshot)
Source: http://k.root-servers.org/pics/map.png (RIPE NCC)
Anycasted root servers map (snapshot 20130909)
Source: http://www.root-servers.org/ (retrieved 20130909)
Lookups
Recursive and iterative queries
Recursive queries
  In this case the server
    follows referrals itself on behalf of its clients
    often doesn’t have authoritative data at all (almost)
    should build up a cache
Iterative queries
  In this case the server
    either answers with authoritative data
    or passes referrals back to clients
    often has only authoritative data and no cache
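The two query styles modelled in Python, as an added example that is not part of the original slides: iterative_query() behaves like an authoritative server (authoritative answer or referral with glue, never recursing), and resolve() does the recursive server's job of following the referrals and caching the result. The servers, zone data and addresses are constructed for this example.

```python
# Added example (not from the slides): a toy model of the two query styles.
# Three constructed "servers" (root, .nl, os3.nl) hold zone data in plain
# dictionaries; the addresses are documentation-range placeholders and the
# name server names are invented for this example.

ROOT_HINT = "192.0.2.1"

# server IP -> {zone apex -> {owner -> [(type, rdata), ...]}}
SERVERS = {
    "192.0.2.1": {".": {
        "nl.": [("NS", "ns.nl.")],
        "ns.nl.": [("A", "192.0.2.2")],           # glue, not authoritative
    }},
    "192.0.2.2": {"nl.": {
        "os3.nl.": [("NS", "ns1.os3.nl.")],
        "ns1.os3.nl.": [("A", "192.0.2.3")],      # in-bailiwick glue
    }},
    "192.0.2.3": {"os3.nl.": {
        "ns1.os3.nl.": [("A", "192.0.2.3")],      # the authoritative copy
        "www.os3.nl.": [("A", "145.100.96.25")],
    }},
}


def in_zone(name, apex):
    return apex == "." or name == apex or name.endswith("." + apex)


def iterative_query(server_ip, qname, qtype):
    """One iterative query: the server answers from its own authoritative
    data or returns a referral (NS names plus glue); it never recurses."""
    zones = SERVERS[server_ip]
    apex = max((z for z in zones if in_zone(qname, z)), key=len, default=None)
    if apex is None:
        return "refused", []                      # not our zone at all
    zone = zones[apex]
    # Closest enclosing delegation (cut) below the apex that covers qname.
    cuts = [n for n, rrs in zone.items()
            if n != apex and in_zone(qname, n) and "NS" in [t for t, _ in rrs]]
    if cuts:
        cut = max(cuts, key=len)
        ns_names = [r for t, r in zone[cut] if t == "NS"]
        glue = {n: r for n in ns_names for t, r in zone.get(n, []) if t == "A"}
        return "referral", [(n, glue.get(n)) for n in ns_names]
    return "answer", [r for t, r in zone.get(qname, []) if t == qtype]


def resolve(qname, qtype, cache):
    """What a recursive server does for its stub clients: start at the root
    hint, follow referrals itself and cache the final answer."""
    if (qname, qtype) in cache:
        return cache[(qname, qtype)], ["cache"]
    server, trail = ROOT_HINT, []
    while True:
        kind, data = iterative_query(server, qname, qtype)
        trail.append((server, kind))
        if kind == "answer":
            cache[(qname, qtype)] = data
            return data, trail
        if kind != "referral":
            raise RuntimeError("lame or unrelated server %s" % server)
        glued = [addr for _, addr in data if addr]
        if not glued:                     # no glue: would need its own lookup
            raise RuntimeError("referral without glue (bailiwick loop?)")
        server = glued[0]
```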
Resolvers
Stub resolver
  Library doing domain name lookup
  Uses /etc/resolv.conf
  Contacts a recursive (allowing recursion) name server
  Does not follow referrals itself
Resolving nameserver
  Runs name server software
  Recursive (sets RA, allowing recursive queries as server)
  Caching (remembers the outcome of iterative queries made as client)
Caching
Necessary for performance
Negative caching adds more functionality
  See RFC 2308
  Lots of subtleties
IETF WG dprive (DNS PRIVate Exchange)
Usually a client sends the complete query name in a DNS request
Query minimisation
  DNS Query Name Minimisation to Improve Privacy (RFC 7816)
  Only send the relevant suffix to find the needed NS delegations
  Patented by Verisign?!?
    https://datatracker.ietf.org/ipr/2542/
    https://www.verisign.com/en_US/patent-information/dns-query/index.xhtml
    https://www.ietf.org/rfc/rfc3979.txt
Common mistakes
See RFC 1912 and also RFCs 2181 and 4697
  Using CNAMEs in MX and NS records
  Forgetting the final “.”
  Lame delegation
  Lack of human coordination
New efforts are on their way (CSYNC RRs), see Child-to-Parent Synchronization in DNS (RFC 7477)