[BALUG-Talk] [BALUG-Admin] balug.org DNS review
Rick Moen
rick@linuxmafia.com
Wed Sep 27 22:30:32 PDT 2017
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Yea departing DreamHost.com!!! (A.k.a. nightmare host <sigh>).
It's funny how they tempt the Irony Fairy.
[add'l auth nameservers:]
> Or, ... even not bother a friend and ...
> There are some free/complementary DNS slave services out there for the
> taking by any and/or all ... most of 'em suck (perhaps some exceptions?)
Either of the options you discussed seem pretty reasonable. As to the
he.net quirk of needing to provide authority before they provide
service, I've noticed that the practical effect on a domain of one or
two auth nameservers doing RCODE SERVFAIL for a while is not serious.
> As for DNS server identifying its software/version ... what
> [il]legitimate uses for that?
Legitimate uses of the CHAOSnet _hostname_ (or server_id) RR I've heard of
involve edge cases with multiple auth nameservers behind a load
balancer. Publishing that RR lets you more quickly determine which
nameserver is giving you problems in some scenarios.
Legitimate use of the CHAOSnet _version_ RR? Never heard of one. Use
your imagination, and maybe you can contrive some scenario where there's
legitimate, beneficial use for programmatically determining what
nameserver/version a query is being answered from.
In fairness, the software/version of a nameserver can probably also be
determined pretty well by probing it with DNS fingerprinting methods,
such as using the fpdns utility. https://github.com/kirei/fpdns
But the same can be said of other public-facing daemons, such as httpds
-- yet I would rather not make it easy for the bad guys, so I make mine
say as little as possible about its software/version/configuration.
Same logic.
> Is it entirely (or mostly) unique to BIND?
No. BIND merely had the reference implementation. CHAOSnet (originally
invented for completely different purposes involving coax connections
among LISP machines in the 1970s) is just one of many, mostly very
obscure, DNS class types that are in theory all valid for any and all
nameservers. The CH class identity is just an IANA-assigned encoded
16-bit value sent along with RRs. We think of class 'IN' (Internet) as
the regular and default class, but to nameserver software that's just a
two-byte binary-encoded value. Once in a blue moon, you might come
across the Hesiod class (HS) from Project Athena
(http://en.wikipedia.org/wiki/Hesiod_(name_service) ).
RFC2929 says:

  Dec           Hex              Description
  0             0x0000           Assignment requires an IETF Standards Action.
  1             0x0001           Internet (IN)
  2             0x0002           Available for assignment by IETF Consensus as a data CLASS.
  3             0x0003           Chaos (CH)
  4             0x0004           Hesiod (HS)
  5-127         0x0005-0x007F    Available for assignment by IETF Consensus as data CLASSes only.
  128-253       0x0080-0x00FD    Available for assignment by IETF Consensus as QCLASSes only.
  254           0x00FE           QCLASS None
  255           0x00FF           QCLASS Any
  256-32767     0x0100-0x7FFF    Assigned by IETF Consensus.
  32768-65280   0x8000-0xFEFF    Assigned based on Specification Required as defined in RFC 2434
  65280-65534   0xFF00-0xFFFE    Private Use.
  65535         0xFFFF           Can only be assigned by an IETF Standards Action.

Those are all valid DNS class values. In theory, IETF could roll out
any of them in accordance with its bureaucratic process. In practice,
IN, CH, and HS are the limit for now. Probably, any nameserver can
handle them, but I am not going to go around setting up Hesiod in order
to try (let alone a bunch of LISP machines on antique coax networking).
;->
Disclaimer: Specifically, I haven't checked _every_ auth nameserver
package to see if they default to certain CHAOS class 'hostname' and
'version' values the way BIND9 does. NSD does. Unbound does. The
PowerDNS suite does. djbdns does. MaraDNS does (IIRC). I don't know
about the others.
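A self-audit for the advice above (make your own nameserver say as little as possible via the CH-class _version_ and _hostname_ records), added here as an example and not part of Rick's message or any of the nameserver projects mentioned. It builds a TXT query in class CH by hand, which also shows the point that CH is just the 16-bit value 3 in the QCLASS field, parses the reply, and reports whether a non-empty string came back. The function names, the constructed sample reply and the "CONSTRUCTED-0.0" string are all assumptions made for the example; `check_server()` takes the address of a nameserver you operate and is the only part that touches the network.

```python
import socket
import struct

# Wire constants from RFC 1035 / RFC 2929. Class CH is nothing more than the
# 16-bit value 3 in the QCLASS/CLASS field, exactly as the post describes.
QTYPE_TXT = 16
QCLASS_CH = 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset, hops=0):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, hops + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_chaos_query(qname, txid=0x1234):
    """Build a class-CH TXT query (version.bind, hostname.bind, id.server, ...)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def parse_chaos_response(msg):
    """Return (rcode, [TXT strings]) from a response to build_chaos_query()."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    strings = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            pos = 0
            while pos < len(rdata):  # TXT RDATA is a sequence of <len><chars>
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return rcode, strings


def leaks(rcode, strings):
    """True when the server handed back a non-empty identity/version string."""
    return rcode == 0 and any(s.strip() for s in strings)


def build_sample_response(query, txt):
    """Constructed sample (not a capture): echo the query's question and answer
    with one CH TXT record so the parser can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, NOERROR
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def check_server(server, qname="version.bind", timeout=2.0):
    """Send the CH TXT query to a nameserver you run (UDP/53) and report."""
    query = build_chaos_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    rcode, strings = parse_chaos_response(reply)
    return RCODE_NAMES.get(rcode, str(rcode)), strings, leaks(rcode, strings)


if __name__ == "__main__":
    q = build_chaos_query("version.bind")
    rcode, strings = parse_chaos_response(build_sample_response(q, "CONSTRUCTED-0.0"))
    print(RCODE_NAMES[rcode], strings, "leaks" if leaks(rcode, strings) else "hidden")
```

Run as-is it only exercises the constructed reply; `check_server("192.0.2.1")` (documentation address, substitute your own server) does the real check, and a REFUSED or an empty answer is the result you want. On BIND9 that comes from `version none;`, `hostname none;` and `server-id none;` in the `options {}` block; NSD and Unbound use `hide-version: yes` and `hide-identity: yes`. Repeat the query for `hostname.bind` and `id.server` (the RFC 4892 name) to cover the identity record as well as the version one.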