5.6. DNS Protocol Provider
Introduction
The ApacheDS Domain Name Service (DNS) provider implements RFC 1034 (http://www.faqs.org/rfcs/rfc1034.html) and RFC 1035 (http://www.faqs.org/rfcs/rfc1035.html).
The DNS provider plugs into the Apache Directory server. As a plugin, the DNS provider uses the network layer (MINA) for front-end services and the Apache Directory read-optimized backing store via JNDI for a persistent store. The ApacheDS DNS provider, in conjunction with MINA and the ApacheDS LDAP JNDI store, provides an easy-to-use yet fully-featured name resolution service. As implemented within the Apache Directory, it will provide:
- Domain name service (RFC 1034, 1035)
- Service location support (SRV) (RFC 2782)
- Certificate support (CERT) (RFC 2782)
- Security Extensions (DNSSEC) (RFC 2535)
- Secure query and dynamic update support (GSS-TSIG) (RFC 3645)
- LDAP/JMX management
- UDP and TCP Support (MINA)
- Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi
Basic Testing
On Linux, a typical invocation of dig looks like:

If no type argument is supplied, dig will perform a lookup for an A record. For example:

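What dig puts on the wire for such a lookup, and what an authoritative answer from the provider looks like when it comes back, follows RFC 1035 section 4. The block below is an added example, not code from the ApacheDS project: it builds the query message (type A by default, as dig does), then parses a hand-constructed authoritative response that uses name compression, rejecting pointers that do not point backwards so a malformed message cannot send the parser into a loop. The transaction id, names and addresses are constructed sample values.

```python
"""RFC 1035 wire format: the query a resolver such as dig sends, and the parsing
of an answer. Added example, not ApacheDS code; SAMPLE_RESPONSE is constructed."""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name too long")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, rd=True):
    """12-byte header (RFC 1035 4.1.1) plus one question; type A by default, like dig."""
    flags = 0x0100 if rd else 0x0000          # QR=0 query, opcode 0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0 compression pointers (RFC 1035 4.1.4).
    Pointers must go backwards, which bounds the walk and rejects loops."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end = offset + 2               # caller resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse header, question and answer sections into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, TYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["A"]:
            if rdlen != 4:
                raise ValueError("A rdata must be exactly 4 octets")
            value = ".".join(str(b) for b in rdata)
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"], QTYPE["PTR"]):
            value, _ = decode_name(msg, offset)   # rdata may itself be compressed
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": TYPE_NAME.get(rtype, rtype),
                        "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400),
            "questions": questions, "answers": answers}


# Constructed authoritative answer to "www.example.com A": flags QR|AA|RD|RA,
# answer name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("query:", build_query("www.example.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Sending `build_query(...)` over UDP to port 53 of a server and feeding the reply to `parse_response` reproduces what dig prints in its ANSWER section; the AA bit in the flags is what distinguishes an answer served from the provider's own zone data from a cached one.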
ApacheDS schema for storing DNS zones in LDAP
Abstract objectClass used to build all DNS record objectClasses
objectclass | apacheDnsAbstractRecord |
---|---|
apacheDnsName | A sequence of labels representing a domain name or host name |
apacheDnsType | The type of a resource record |
apacheDnsClass | The class of a resource record |
apacheDnsTtl | An integer denoting time to live |
Address (A) record
objectclass | apacheDnsAddressRecord |
---|---|
apacheDnsName | A sequence of labels representing a domain name or host name |
apacheDnsType | The type of a resource record |
apacheDnsClass | The class of a resource record |
apacheDnsTtl | An integer denoting time to live |
apacheDnsIpAddress | A 4 octet IP address |
Pointer (PTR) record
objectclass | apacheDnsPointerRecord |
---|---|
apacheDnsName | A sequence of labels representing a domain name or host name |
apacheDnsType | The type of a resource record |
apacheDnsClass | The class of a resource record |
apacheDnsTtl | An integer denoting time to live |
apacheDnsDomainName | A domain name, or sequence of dotted labels |
Name Server (NS) record
objectclass | apacheDnsNameServerRecord |
---|---|
apacheDnsName | A sequence of labels representing a domain name or host name |
apacheDnsType | The type of a resource record |
apacheDnsClass | The class of a resource record |
apacheDnsTtl | An integer denoting time to live |
apacheDnsDomainName | A domain name, or sequence of dotted labels |
Start Of Authority (SOA) record
objectclass | apacheDnsStartOfAuthorityRecord |
---|---|
apacheDnsName | A sequence of labels representing a domain name or host name |
apacheDnsType | The type of a resource record |
apacheDnsClass | The class of a resource record |
apacheDnsTtl | An integer denoting time to live |
apacheDnsSoaMName | The domain name of the server that was the primary source of data for this zone |
apacheDnsSoaRName | The domain name which specifies the mailbox of the person responsible for this zone |
apacheDnsSoaSerial | The unsigned 32 bit version number of the original copy of the zone |
apacheDnsSoaRefresh | A 32 bit time interval before the zone should be refreshed |
apacheDnsSoaRetry | A 32 bit time interval that should elapse before a failed refresh should be retried |
apacheDnsSoaExpire | A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative |
apacheDnsSoaMinimum | The unsigned 32 bit minimum TTL field that should be exported with any RR from this zone |
Configuring DNS Zones
The AUXILIARY 'dcObject' objectClass
    ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )
An example entry using the STRUCTURAL objectClass domain

The STRUCTURAL 'domain' objectClass
    ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST dc MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ o $ associatedName ) )
An example entry using the AUXILIARY objectClass dcObject

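The schema tables and the two objectClasses above together describe how a zone ends up in the directory: a zone entry named with `dc` components, and one entry per resource record carrying the `apacheDns*` attributes required by its record objectClass. The block below is an added example, not ApacheDS code, that generates that LDIF for a small zone and validates each record before emitting it (required attributes present, `apacheDnsIpAddress` exactly four octets, `apacheDnsTtl` and the SOA counters within 32 bits, exactly one SOA per zone). Several details are assumptions not stated on the page: the zone entry combines `domain` and `dcObject` in the RFC 2247 style, record entries are children of it with an `apacheDnsName+apacheDnsType` RDN, and `apacheDnsType` holds the type mnemonic; the names and addresses are constructed.

```python
"""Build LDIF for a DNS zone from the apacheDns* schema in the tables above.
Added example, not ApacheDS code. Assumptions not on the page: the zone entry
combines the STRUCTURAL 'domain' and AUXILIARY 'dcObject' classes (RFC 2247
naming); record entries are children of it with RDN apacheDnsName+apacheDnsType;
apacheDnsType holds the mnemonic ("A", "SOA", ...)."""
import ipaddress

# objectClass and its record-specific attributes, from the schema tables
RECORD_CLASSES = {
    "A": ("apacheDnsAddressRecord", ("apacheDnsIpAddress",)),
    "PTR": ("apacheDnsPointerRecord", ("apacheDnsDomainName",)),
    "NS": ("apacheDnsNameServerRecord", ("apacheDnsDomainName",)),
    "SOA": ("apacheDnsStartOfAuthorityRecord", (
        "apacheDnsSoaMName", "apacheDnsSoaRName", "apacheDnsSoaSerial",
        "apacheDnsSoaRefresh", "apacheDnsSoaRetry", "apacheDnsSoaExpire",
        "apacheDnsSoaMinimum")),
}
SOA_COUNTERS = RECORD_CLASSES["SOA"][1][2:]   # the 32-bit SOA fields


def check_u32(value, what):
    v = int(value)
    if not 0 <= v <= 0xFFFFFFFF:
        raise ValueError(f"{what} must be an unsigned 32-bit integer, got {value!r}")
    return v


def check_record(rtype, attrs, ttl):
    """Validate a record against its objectClass and return the class name."""
    if rtype not in RECORD_CLASSES:
        raise ValueError(f"unsupported record type {rtype!r}")
    oc, required = RECORD_CLASSES[rtype]
    missing = [a for a in required if a not in attrs]
    if missing:
        raise ValueError(f"{oc} requires {', '.join(missing)}")
    check_u32(ttl, "apacheDnsTtl")
    if rtype == "A":
        ipaddress.IPv4Address(attrs["apacheDnsIpAddress"])   # exactly 4 octets
    if rtype == "SOA":
        for a in SOA_COUNTERS:
            check_u32(attrs[a], a)
    return oc


def zone_dn(zone):
    """dc=example,dc=com for 'example.com' (RFC 2247 style)."""
    return ",".join(f"dc={label}" for label in zone.rstrip(".").split("."))


def zone_entry(zone):
    first = zone.rstrip(".").split(".")[0]
    return [f"dn: {zone_dn(zone)}", "objectClass: top", "objectClass: domain",
            "objectClass: dcObject", f"dc: {first}"]


def record_entry(zone, name, rtype, attrs, ttl=3600, rclass="IN"):
    oc = check_record(rtype, attrs, ttl)
    rdn = f"apacheDnsName={name}+apacheDnsType={rtype}"   # assumed convention
    lines = [f"dn: {rdn},{zone_dn(zone)}", "objectClass: top", f"objectClass: {oc}",
             f"apacheDnsName: {name}", f"apacheDnsType: {rtype}",
             f"apacheDnsClass: {rclass}", f"apacheDnsTtl: {int(ttl)}"]
    return lines + [f"{a}: {attrs[a]}" for a in RECORD_CLASSES[rtype][1]]


def zone_ldif(zone, records):
    """records: (name, type, attrs[, ttl[, class]]) tuples. Enforces one SOA per
    zone and unique (name, type) pairs, since the assumed RDN cannot tell
    two records of the same name and type apart."""
    if sum(1 for r in records if r[1] == "SOA") != 1:
        raise ValueError("a zone needs exactly one SOA record")
    seen = set()
    for name, rtype, *_ in records:
        if (name.lower(), rtype) in seen:
            raise ValueError(f"duplicate {rtype} record for {name}")
        seen.add((name.lower(), rtype))
    blocks = [zone_entry(zone)] + [record_entry(zone, *r) for r in records]
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


# Constructed sample zone (192.0.2.0/24 is a documentation range)
SAMPLE_RECORDS = [
    ("example.com", "SOA", {
        "apacheDnsSoaMName": "ns1.example.com", "apacheDnsSoaRName": "hostmaster.example.com",
        "apacheDnsSoaSerial": 2024010101, "apacheDnsSoaRefresh": 7200, "apacheDnsSoaRetry": 900,
        "apacheDnsSoaExpire": 1209600, "apacheDnsSoaMinimum": 3600}),
    ("example.com", "NS", {"apacheDnsDomainName": "ns1.example.com"}),
    ("ns1.example.com", "A", {"apacheDnsIpAddress": "192.0.2.1"}),
    ("www.example.com", "A", {"apacheDnsIpAddress": "192.0.2.10"}),
]

if __name__ == "__main__":
    print(zone_ldif("example.com", SAMPLE_RECORDS))
```

Validating before the LDAP add is the point of the checks: the directory schema enforces attribute presence and syntax, but a 32-bit overflow in a serial or a five-octet "address" is only caught if something checks the values against what the DNS wire format can carry.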
Resources
RFC 2247 - Using Domains in LDAP/X.500 Distinguished Names (http://www.faqs.org/rfcs/rfc2247.html)
DNS Best Practices
DNS Testing Tool
Useful tool for testing DNS configuration: www.dnsreport.com (http://www.dnsreport.com/)
There are other tools available from the same people, at www.dnsstuff.com (http://www.dnsstuff.com/).

- MX - Change MX records from CNAMEs to A records. This is supposed to improve lookup speed, and MX pointing to CNAMEs is an RFC violation.
- SOA - Change SOA values to come in line with recommended values, per dnsreport.com.
- PTR - Add PTR records for server1.example.com. This is to address an error being generated by AOL and Hotmail, which use reverse lookups on ... servers to weed out spam. ... on the example.com mailing lists has increasingly been bounced by AOL and Hotmail as spam, and header inspection points to lack of a PTR record. Setting PTR records at the hosting provider is a relatively new feature, probably added to address this problem.
Notes
A Zone is a Pruned Subtree
4.2 Zone: "pruned subtree." Subtree of 1..n nodes/domainNames. Zones are split by org control. A zone is a set of types. Highest node contains SOA. SOA is 1..1 with highest node. Below SOA is authoritative. Highest node contains 1..n NS. Authoritative NS only at top of zone. A domain name id's a node. A node is a set of RR's.
NS in leaf is:
- non-authoritative
- referral, aka "delegation NS RR"
A in leaf is:
- non-authoritative, aka "glue RR"
Iterative - server refers client (preferred, required)
Recursive - server pursues query for client (optional)
Cache - in-memory partition, non-authoritative
Authority - points to authority
Non-recursive 4.3.1
- error
- answer
- referral
Unit tests for all 6.2.*
Key algorithm 4.3.1 & 4.3.2
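The structural rules in these notes (one SOA and at least one NS at the highest node; an NS below the apex is a delegation and an A beneath it is glue, neither authoritative) and the best-practice items under DNS Best Practices (no MX pointing at a CNAME; PTR records for mail hosts) are all checks that can be run over zone data before it is loaded into the provider. The block below is an added example, not ApacheDS code, that lints a zone against both sets of rules; it is run over a constructed "before" zone that has the MX and PTR problems the best-practices list describes and an "after" zone with them corrected. The zone contents, owner names and addresses are constructed sample data, and the reverse zone is modelled as a simple IP-to-name mapping.

```python
"""Zone lint for the rules in the notes (one SOA and at least one NS at the apex;
NS and A below the apex are delegation and glue, not authoritative data) and the
best-practice items (MX must not point at a CNAME; mail hosts need PTR records).
Added example, not ApacheDS code; the zone and reverse data are constructed."""
from collections import defaultdict


def lint_zone(apex, records, reverse_zone):
    """records: (owner, type, rdata) triples with rdata as text, MX as
    '<preference> <host>'. reverse_zone: {ip: ptr target}. Returns
    (severity, message) findings; severity is error, warn or info."""
    apex = apex.rstrip(".").lower()
    by_name = defaultdict(list)
    for owner, rtype, rdata in records:
        by_name[owner.rstrip(".").lower()].append((rtype.upper(), rdata))
    findings = []

    apex_types = [t for t, _ in by_name.get(apex, [])]
    soa_count = apex_types.count("SOA")
    if soa_count != 1:
        findings.append(("error", f"{apex}: exactly one SOA required at the apex, found {soa_count}"))
    if "NS" not in apex_types:
        findings.append(("error", f"{apex}: no NS record at the apex"))

    # Nodes below the apex that carry NS are zone cuts: referrals, not data we serve.
    cuts = [n for n, rrs in by_name.items() if n != apex and any(t == "NS" for t, _ in rrs)]
    for owner, rrs in by_name.items():
        if owner != apex and not owner.endswith("." + apex):
            findings.append(("error", f"{owner}: outside zone {apex}"))
            continue
        types = {t for t, _ in rrs}
        if owner != apex and "SOA" in types:
            findings.append(("error", f"{owner}: SOA below the apex"))
        if "CNAME" in types and len(types) > 1:
            findings.append(("error", f"{owner}: CNAME cannot coexist with other records"))
        cut = next((c for c in cuts if owner == c or owner.endswith("." + c)), None)
        if cut is None:
            continue
        for t, rdata in rrs:
            if t == "A":
                findings.append(("info", f"{owner} A {rdata}: glue below delegation {cut}, non-authoritative"))
            elif t != "NS":
                findings.append(("warn", f"{owner} {t}: below delegation {cut}, never served by this zone"))

    for owner, rrs in by_name.items():
        for t, rdata in rrs:
            if t != "MX":
                continue
            parts = rdata.split()
            if len(parts) != 2:
                findings.append(("error", f"{owner} MX {rdata!r}: expected '<preference> <host>'"))
                continue
            host = parts[1].rstrip(".").lower()
            host_types = {tt for tt, _ in by_name.get(host, [])}
            if "CNAME" in host_types:
                findings.append(("error", f"{owner} MX -> {host}: target is a CNAME (RFC violation)"))
            elif "A" not in host_types:
                findings.append(("warn", f"{owner} MX -> {host}: no A record in this zone"))
            for tt, ip in by_name.get(host, []):
                if tt == "A" and reverse_zone.get(ip, "").rstrip(".").lower() != host:
                    findings.append(("warn", f"mail host {host} ({ip}): no PTR record naming it"))
    return findings


# Constructed "before" zone: MX points at a CNAME and the mail host has no PTR.
BEFORE_ZONE = [
    ("example.com", "SOA", "ns1.example.com hostmaster.example.com 2024010101 7200 900 1209600 3600"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "192.0.2.1"),
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "CNAME", "server1.example.com"),
    ("server1.example.com", "A", "192.0.2.25"),
    ("sub.example.com", "NS", "ns1.sub.example.com"),
    ("ns1.sub.example.com", "A", "192.0.2.53"),
]
BEFORE_REVERSE = {"192.0.2.1": "ns1.example.com"}

# "After": MX targets the A record directly and the provider published a PTR.
AFTER_ZONE = [r for r in BEFORE_ZONE if r[1] not in ("MX", "CNAME")] + [
    ("example.com", "MX", "10 server1.example.com")]
AFTER_REVERSE = dict(BEFORE_REVERSE, **{"192.0.2.25": "server1.example.com"})

if __name__ == "__main__":
    for label, zone, rev in (("before", BEFORE_ZONE, BEFORE_REVERSE),
                             ("after", AFTER_ZONE, AFTER_REVERSE)):
        print(label)
        for severity, message in lint_zone("example.com", zone, rev):
            print(f"  [{severity}] {message}")
```

The "info" finding for the glue record is deliberate: an A record under a delegation is needed so resolvers can reach the child's name server, but the lint flags it as non-authoritative so nobody mistakes it for data this zone vouches for.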
Sender Permitted From
Sender Permitted From (http://spf.pobox.com/) is a DNS-based method for preventing SMTP spoofing.
Secret Key Transaction Authentication for DNS (TSIG)
RFC 2845 (http://www.faqs.org/rfcs/rfc2845.html)