{note:title=Work in progress}
This site is in the process of being reviewed and updated.
{note}
h3. Introduction

The ApacheDS Domain Name Service (DNS) provider implements {link:RFC 1034|http://www.faqs.org/rfcs/rfc1034.html} and {link:RFC 1035|http://www.faqs.org/rfcs/rfc1035.html} to service DNS protocol requests.

The DNS provider plugs into the Apache Directory server. As a plugin, it uses the MINA network layer for front-end services and the Apache Directory read-optimized backing store, accessed via JNDI, as its persistent store.

The ApacheDS DNS provider, together with MINA and the ApacheDS LDAP JNDI store, provides an easy-to-use yet fully featured name resolution service. As implemented within Apache Directory, it will provide:

* Domain name service (RFC 1034, 1035)
* Service location support (SRV) (RFC 2782)
* Certificate support (CERT) (RFC 2782)
* Security Extensions (DNSSEC) (RFC 2535)
* Secure query and dynamic update support (GSS-TSIG) (RFC 3645)
* LDAP/JMX management
* UDP and TCP Support (MINA)
* Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

h5. Basic Testing
On Linux, a typical invocation of dig looks like:
{code}
dig @server name type
{code}
If no type argument is supplied, dig will perform a lookup for an A record.  For example:
{code}
bash-2.05b# dig @localhost www.example.com
{code}

h3. ApacheDS schema for storing DNS zones in LDAP

h5. Abstract objectClass used to build all DNS record objectclasses
||objectclass||apacheDnsAbstractRecord||
|apacheDnsName    |A sequence of labels representing a domain name or host name|
|apacheDnsType    |The type of a resource record|
|apacheDnsClass   |The class of a resource record|
|apacheDnsTtl     |An integer denoting time to live|

h5. Address (A) record
||objectclass||apacheDnsAddressRecord||
|apacheDnsName    |A sequence of labels representing a domain name or host name|
|apacheDnsType    |The type of a resource record|
|apacheDnsClass   |The class of a resource record|
|apacheDnsTtl     |An integer denoting time to live|
|apacheDnsIpAddress|A 4 octet IP address|

h5. Pointer (PTR) record
||objectclass||apacheDnsPointerRecord||
|apacheDnsName    |A sequence of labels representing a domain name or host name|
|apacheDnsType    |The type of a resource record|
|apacheDnsClass   |The class of a resource record|
|apacheDnsTtl     |An integer denoting time to live|
|apacheDnsDomainName|A domain name, i.e. a sequence of dotted labels|

h5. Name Server (NS) record
||objectclass||apacheDnsNameServerRecord||
|apacheDnsName    |A sequence of labels representing a domain name or host name|
|apacheDnsType    |The type of a resource record|
|apacheDnsClass   |The class of a resource record|
|apacheDnsTtl     |An integer denoting time to live|
|apacheDnsDomainName|A domain name, i.e. a sequence of dotted labels|

h5. Start Of Authority (SOA) record
||objectclass||apacheDnsStartOfAuthorityRecord||
|apacheDnsName    |A sequence of labels representing a domain name or host name|
|apacheDnsType    |The type of a resource record|
|apacheDnsClass   |The class of a resource record|
|apacheDnsTtl     |An integer denoting time to live|
|apacheDnsSoaMName|The domain name of the server that was the primary source of data for this zone|
|apacheDnsSoaRName|The domain name which specifies the mailbox of the person responsible for this zone|
|apacheDnsSoaSerial|The unsigned 32 bit version number of the original copy of the zone|
|apacheDnsSoaRefresh|A 32 bit time interval before the zone should be refreshed|
|apacheDnsSoaRetry|A 32 bit time interval that should elapse before a failed refresh should be retried|
|apacheDnsSoaExpire|A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative|
|apacheDnsSoaMinimum|The unsigned 32 bit minimum TTL field that should be exported with any RR from this zone.|
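As an added illustration (not code from ApacheDS or from this page), the following Python renders a record dict that uses the attribute names in the tables above into an LDIF entry, after checking the constraints the tables state (a 4 octet IP address, unsigned 32 bit TTL and SOA fields, the per-type required attribute). The DN layout (a name+type multi-valued RDN under the zone's dc= entry) and the use of the RR type mnemonic as the apacheDnsType value are assumptions of the example.

```python
import ipaddress

# objectClass and attribute names are the ones in the schema tables above.
# The DN layout and the type-mnemonic value of apacheDnsType are assumptions
# of this example; the page does not specify them.
OBJECT_CLASSES = {
    "A": "apacheDnsAddressRecord",
    "PTR": "apacheDnsPointerRecord",
    "NS": "apacheDnsNameServerRecord",
    "SOA": "apacheDnsStartOfAuthorityRecord",
}
U32_MAX = 2 ** 32 - 1
SOA_INTS = ("apacheDnsSoaSerial", "apacheDnsSoaRefresh", "apacheDnsSoaRetry",
            "apacheDnsSoaExpire", "apacheDnsSoaMinimum")

def is_u32(v):
    return isinstance(v, int) and 0 <= v <= U32_MAX

def validate_record(rec):
    """Return the schema problems with a record dict; an empty list means it fits."""
    rtype = rec.get("apacheDnsType")
    if rtype not in OBJECT_CLASSES:
        return [f"unsupported record type {rtype!r}"]
    problems = [f"{a} is required" for a in ("apacheDnsName", "apacheDnsClass") if not rec.get(a)]
    if not is_u32(rec.get("apacheDnsTtl")):
        problems.append("apacheDnsTtl must be an unsigned 32 bit integer")
    if rtype == "A":
        try:
            ipaddress.IPv4Address(rec.get("apacheDnsIpAddress", ""))
        except ValueError:
            problems.append("apacheDnsIpAddress must be a 4 octet IP address")
    if rtype in ("PTR", "NS") and not rec.get("apacheDnsDomainName"):
        problems.append("apacheDnsDomainName is required")
    if rtype == "SOA":
        problems += [f"{a} is required" for a in ("apacheDnsSoaMName", "apacheDnsSoaRName") if not rec.get(a)]
        problems += [f"{a} must be an unsigned 32 bit integer" for a in SOA_INTS if not is_u32(rec.get(a))]
    return problems

def record_to_ldif(zone_dn, rec):
    """Render a validated record as one LDIF entry; raises ValueError otherwise."""
    problems = validate_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    rdn = f"apacheDnsName={rec['apacheDnsName']}+apacheDnsType={rec['apacheDnsType']}"
    lines = [f"dn: {rdn},{zone_dn}", "objectClass: top",
             f"objectClass: {OBJECT_CLASSES[rec['apacheDnsType']]}"]
    lines += [f"{attr}: {value}" for attr, value in rec.items()]
    return "\n".join(lines) + "\n"

# constructed sample: an A record for www in the example.com zone
WWW_A = {"apacheDnsName": "www", "apacheDnsType": "A", "apacheDnsClass": "IN",
         "apacheDnsTtl": 3600, "apacheDnsIpAddress": "192.0.2.10"}
```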

h3. Configuring DNS Zones

!zones.jpg|align=center!

h4. The AUXILIARY 'dcObject' objectClass
( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )

h4. An example entry using the STRUCTURAL objectClass domain
{code}
dn: dc=tcp,dc=example,dc=com
objectClass: top
objectClass: domain
dc: tcp
description: a placeholder entry used with SRV records
{code}

h4. The STRUCTURAL 'domain' objectClass
( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
 MUST dc
 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
 x121Address $ registeredAddress $ destinationIndicator $
 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
 street $ postOfficeBox $ postalCode $ postalAddress $
 physicalDeliveryOfficeName $ st $ l $ description $ o $
 associatedName ) )

h4. An example entry using the AUXILIARY objectClass dcObject
{code}
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: example
o: Example Inc.
{code}

h4. Resources
- {link:RFC 2247 - Using Domains in LDAP/X.500 Distinguished Names|http://www.faqs.org/rfcs/rfc2247.html}

h3. DNS Best Practices

h4. DNS Testing Tool
A useful tool for testing DNS configuration is {link:www.dnsreport.com|http://www.dnsreport.com/}.

There are other tools available from the same people, at {link:www.dnsstuff.com|http://www.dnsstuff.com/}, but I have not tested any of them.

# MX - Change MX records from CNAMEs to A records. This is supposed to improve lookup speed, and an MX pointing to a CNAME is an RFC violation.
# SOA - Change SOA values to come in line with the recommended values, per dnsreport.com.
# PTR - Add PTR records for server1.example.com. This is to address an error being generated by AOL and Hotmail, which use reverse lookups on mail servers to weed out spam. Mail on the example.com mailing lists has increasingly been bounced by AOL and Hotmail as spam, and header inspection points to the lack of a PTR record. Setting PTR records at the hosting provider is a relatively new feature, probably added to address this problem.
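Added example (not from this page): a Python check that runs the three items above over a constructed record set, flagging an MX whose target is a CNAME, a mail server with no PTR pointing back at it, and SOA timers that are out of order. The retry < refresh and expire > refresh + retry rules are common recommendations assumed here; they are not the dnsreport.com values the page refers to.

```python
import ipaddress

def reverse_name(ip):
    """in-addr.arpa owner name for an address, as an absolute name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_zone(records):
    """Return findings for the MX, SOA and PTR items; records are (owner, type, rdata) tuples."""
    by_owner = {}
    for name, rtype, rdata in records:
        by_owner.setdefault(name.lower(), {}).setdefault(rtype, []).append(rdata)
    findings = []
    for owner, rrsets in by_owner.items():
        for mx in rrsets.get("MX", []):
            target = mx.split()[-1].lower()          # rdata is "<preference> <exchange>"
            if "CNAME" in by_owner.get(target, {}):
                findings.append(f"MX {owner} -> {target} points at a CNAME (RFC violation)")
            # every address of the mail server should have a PTR naming the server
            for addr in by_owner.get(target, {}).get("A", []):
                ptrs = [p.lower() for p in by_owner.get(reverse_name(addr), {}).get("PTR", [])]
                if target not in ptrs:
                    findings.append(f"no PTR for mail server {target} ({addr})")
        for soa in rrsets.get("SOA", []):
            # rdata is "mname rname serial refresh retry expire minimum"
            serial, refresh, retry, expire, minimum = map(int, soa.split()[2:7])
            if retry >= refresh:                      # assumed common recommendation
                findings.append(f"SOA {owner}: retry {retry} should be less than refresh {refresh}")
            if expire <= refresh + retry:             # assumed common recommendation
                findings.append(f"SOA {owner}: expire {expire} should exceed refresh + retry")
    return findings

# constructed zone before the changes: MX via a CNAME, retry longer than refresh, no PTR
BEFORE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2004010101 3600 7200 1209600 3600"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "CNAME", "server1.example.com."),
    ("server1.example.com.", "A", "192.0.2.25"),
]
# constructed zone after the changes: MX to the A record, sane timers, PTR at the provider
AFTER = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2004010102 3600 900 1209600 3600"),
    ("example.com.", "MX", "10 server1.example.com."),
    ("server1.example.com.", "A", "192.0.2.25"),
    ("25.2.0.192.in-addr.arpa.", "PTR", "server1.example.com."),
]
```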

h3. Notes
h4. A Zone is a Pruned Subtree
RFC 1034 section 4.2: a zone is a "pruned subtree."
A subtree of 1..n nodes (domain names).
Zones are split by organizational control.
A zone is a set of types.
The highest node contains the SOA; the SOA is 1..1 with the highest node.
Everything below the SOA is authoritative.
The highest node contains 1..n NS records.
Authoritative NS records appear only at the top of the zone.
A domain name identifies a node.
A node is a set of RRs.

NS in leaf is:
- non-authoritative
- referral
- aka "delegation NS RR"

A in leaf is:
- non-authoritative
- aka "glue RR"

Iterative - the server refers the client elsewhere (preferred, required)
Recursive - the server pursues the query on the client's behalf (optional)
Cache - in-memory partition, non-authoritative
Authority - points to the authority

Non-recursive response (4.3.1) is one of:
# error
# answer
# referral

Unit tests for all of the 6.2.* examples
Key algorithm: 4.3.1 & 4.3.2
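Added example, not ApacheDS code: a Python sketch of the non-recursive lookup these notes describe, run over a constructed zone. Given zone data keyed by owner name, it returns an authoritative answer, a referral (the delegation NS RRs below the apex together with their glue A RRs) when a zone cut is crossed on the way to the name, or an NXDOMAIN error; the zone layout and return shape are this example's own.

```python
# Constructed zone data (not ApacheDS's store): zone apex -> owner name -> {type: [rdata]}.
# An NS RRset below the apex is a delegation; the A record of its target is glue.
ZONES = {
    "example.com.": {
        "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"],
                         "NS": ["ns1.example.com."]},
        "ns1.example.com.": {"A": ["192.0.2.1"]},
        "www.example.com.": {"A": ["192.0.2.10"]},
        "sub.example.com.": {"NS": ["ns.sub.example.com."]},   # delegation NS RR, non-authoritative here
        "ns.sub.example.com.": {"A": ["192.0.2.53"]},           # glue RR for the child name server
    },
}

def normalize(name):
    """Lower-case, absolute form with a trailing dot."""
    return name.lower().rstrip(".") + "."

def closest_zone(zones, qname):
    """Apex of the longest zone enclosing qname, or None if this server holds none."""
    best = None
    for apex in zones:
        if (qname == apex or qname.endswith("." + apex)) and (best is None or len(apex) > len(best)):
            best = apex
    return best

def non_recursive_lookup(zones, qname, qtype):
    """Outcome per RFC 1034 4.3.1: ('answer', rrs), ('referral', rrs) or ('error', 'NXDOMAIN')."""
    qname = normalize(qname)
    apex = closest_zone(zones, qname)
    if apex is None:
        return ("referral", [])   # nothing authoritative here; a real server refers to root hints
    zone = zones[apex]
    labels = qname[: -len(apex)].rstrip(".").split(".") if qname != apex else []
    # walk from just below the apex down toward qname; the first NS RRset crossed is a zone cut
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + apex
        if "NS" in zone.get(cut, {}):
            targets = zone[cut]["NS"]
            rrs = [("NS", cut, ns) for ns in targets]
            rrs += [("A", ns, a) for ns in targets for a in zone.get(ns, {}).get("A", [])]
            return ("referral", rrs)
    if qname not in zone:
        return ("error", "NXDOMAIN")
    # authoritative answer; an empty list means the name exists but has no RRs of that type
    return ("answer", [(qtype, qname, r) for r in zone[qname].get(qtype, [])])
```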

h5. Sender Permitted From
- {link:Sender Permitted From|http://spf.pobox.com/} is a DNS-based method for preventing SMTP spoofing.

h5. Secret Key Transaction Authentication for DNS (TSIG)
- {link:RFC 2845|http://www.faqs.org/rfcs/rfc2845.html}