Difference between revisions of "IPv6: BIND DNS Operation"

From OnnoWiki
Jump to navigation Jump to search
Line 2: Line 2:
  
  
BIND (Berkeley Internet Name Domain) is the most widely used implementation of DNS. It is developed by Internet Systems Consortium, Inc. (ISC), and is available as free software at ISC’s Web site, http://www.isc.org/bind/. BIND is also available at ISC’s FTP site, ftp://ftp.isc.org/isc/.
+
BIND (Berkeley Internet Name Domain) adalah aplikasi DNS server yang paling banyak digunakan. Di kembangkan oleh Internet Systems Consortium, Inc. (ISC), dan tersedia secara bebas di
 +
* http://www.isc.org/bind/
 +
* ftp://ftp.isc.org/isc/.  
  
Right now, two major versions of BIND are mainly used: versions 8 and 9 (called BIND8 and BIND9, respectively).
+
Versi terakhir saat tulisan ini dibuat adalah versi 9. Semua versi BIND9 mendukung IPv6.
  
All versions of BIND9 provide IPv6 transport support, as do 8.4 and later versions of BIND8. The implementation status of IPv6 content is a bit complicated. As seen in Section 3.3.6, some new standards of DNS contents for IPv6 were introduced and then deprecated. Some versions of BIND support the deprecated standard, and some others do not, as per the recent change in standardization. In any case, however, it is generally advisable to use the latest versions. The standardization status is now mature, and the latest implementations have already caught up to the latest standards.
+
Secara umum ada tiga (3) operasi DNS:
  
Recall that three types of elements are commonly used in DNS operation: authoritative servers, caching servers, and stub resolvers. Any BIND package contains all three elements. A single network daemon called named provides the server function. The named daemon can act as an authoritative only server, a caching only server, and a server supporting both the roles simultaneously. On the other hand, a separate portable resolver library, often called libbind, provides the stub resolver function. The libbind library is actually adopted in many operating systems including BSD variants, and, in fact, the library routines seen in Section 3.4 were derived from libbind. Conversely, some IPv6 extensions to the original libbind developed by the KAME project were merged back into recent libbind implementations.
+
* Authoritative servers
 +
* Caching servers
 +
* Stub resolvers
  
The rest of this topic will concentrate on the server side of BIND, primarily BIND9. It is the recommended version by ISC, particularly for advanced features such as IPv6 support. The support for IPv6 in BIND8 was provided for users who cannot upgrade to BIND9 for some reason, and is more limited than the IPv6 support in BIND9.10
+
Package BIND berisi ke tiga (3) fungsi tersebut.Daemon named dapat berfungsi sebagai authoritative server saja, atau caching server saja, atau ke dua-nya sekaligus. Sebuah library portable resolver, biasanya dikenal sebagai libbind, dapat memberikan fungsi stub resolver.
  
The latest release version of BIND9, as of this writing, is 9.3, and is the main focus of this topic. The IPv6 support has been massively improved since 9.2, especially about the transport support. For example, BIND9 servers could not listen on a selected subset of IPv6 addresses for queries until 9.3. Also, BIND 9.2 was already in maintenance mode when the IETF obsoleted some IPv6 related protocol standards (Section 3.3.6), and still contains the deprecated protocol features.
+
==BIND9 Secara Umum==
Overview of BIND9
 
  
As already explained, BIND9 is the latest major release of BIND. While the configuration syntax is mostly compatible to BIND8, the implementation is totally different. In fact, BIND9 was designed and implemented from scratch. No code fragment in prior versions was used in the BIND9 implementation; the only exception is the stub resolver implementation, which is a copy of the corresponding part of BIND8. The stub resolver routines based on the BIND8 code is provided with the BIND9 package for the convenience of system developers who want to use the BIND9 program in their system while incorporating the resolver library to the same system.
+
Fitur teknis BIND9, secara umum mempunyai karakteristik berikut:
  
In terms of technical features, BIND9 has the following characteristics:
+
* Full compliance pada standard protocol DNS terakhir
 +
* IPv6 support, untuk transport maupun content
 +
* Support DNS security extension (DNSSEC)
 +
* Thread-based software architecture untuk mendukung mesin dengan multiprocessor
  
* Full compliance to the latest DNS protocol standards
+
==Memperoleh BIND9==
* IPv6 support, both for transport and contents
 
* Support for the DNS security extension (DNSSEC)
 
* Views, which can virtually provide multiple servers based on some properties of queries (e.g., source and/or destination address)
 
* Thread-based software architecture for better support for multiprocessor machines
 
Getting BIND9
 
  
BIND9 is, just like prior versions of BIND, open source software and is provided at ISC’s Web and FTP site free of charge. It is distributed under a BSD-style license, so users can freely modify the source code.
+
Secara gratis, bisa di peroleh melalui
 +
* ISC Web
 +
* FTP ftp://ftp.isc.org/isc/bind9/VERSION/
  
BIND9 is available at the following URL via FTP: ftp://ftp.isc.org/isc/bind9/VERSION/ bind-VERSION.tar.gz VERSION is 9.x.y where x and y are the major and minor versions within BIND9. For example, the source code of version 9.3.3 is available at ftp://ftp.isc.org/isc/bind9/ 9.3.3/bind-9.3.3.tar.gz
+
==Build & Install BIND9==
  
In the following discussion, if the BIND9 implementation is referred to as 9.x, the description applies to all 9.x.y versions. Minor versions are specified only when that particular version has some special behavior.
+
Cara paling gampang di Ubuntu menggunakan perintah
  
==Building and Installing BIND9==
+
apt install bind9
  
BIND9 is highly portable, and it is usually easy to build and install. For many major operating systems, the installation procedure simply consists of the following steps:
+
==BIND9 untuk operasi IPv6==
  
tmp22-158_thumb
+
===File named.conf===
  
The configure script should normally work fine without any command line options unless the user wants to specify nondefault install paths. In particular, IPv6 transport support is enabled by default; if there is any reason for disabling IPv6 transport, the —disable-ipv6 option should be specified for configure. The configure script also supports the —with-kame option. It was introduced when BSD did not officially support IPv6 so that BIND9 could be built on a KAME-patched BSD system for IPv6 transport, but this option is now meaningless. It should also be noted that the —disable-ipv6 option only affects the transport protocol for DNS transactions, and is irrelevant to the contents exchanged in the transactions. For example, even if the —disable-ipv6 option is specified, named will return AAAA resource records if it has the records of the query name.
+
File /etc/bind/named.conf bisa di edit untuk mengatur, hal seperti,
  
On FreeBSD, which is the base operating system used in this topic, the BIND9 programs will be installed under /usr/local/bin and /usr/local/sbin by the above procedure. In particular, the named daemon should be available as /usr/local/sbin/named.
+
* Run-time parameter dari named
 +
* Mendefinisikan zone
 +
* dll.
  
BIND9 has been incorporated in FreeBSD as a base component since 5.3-RELEASE. This can be confirmed by invoking /usr/sbin/named with the -v command line option.
+
===Address Match List===
  
==Configuring BIND9 for IPv6 Operation==
+
* Untuk mengontrol DNS transport, daftar address yang match yang bisa berisi IPv4 address, IPv4 prefix, IPv6 address, IPv6 prefix.
 +
* Untuk address IPv6 link-local atau prefix, ikita mengunkan notasi "%". Misalnya sebuah local link IPv6 address fe80::1 yang tersambung ke interface fxp0, maka penulisnya adalah fe80::1%fxp0. Dengan cara yang sama untuk satu subnet fe80::%fxp0/10.
  
This section provides a brief overview of configuring a BIND9 server to support IPv6. Although Section 3.5.6 also provides a complete configuration that can be used in actual operation, neither section intends to provide a comprehensive description of BIND configuration; they concentrate on describing the IPv6-related parts. A general description of BIND configuration is beyond the scope of this topic. Those who need such information should consult other references such as [Liu06] and [Liu02].
 
  
===The named.conf Configuration File===
+
===Enable Accept Query IPv6===
  
The BIND9 named daemon usually requires a configuration file. If BIND9 is built as a separate package as previously shown, the default path to the file is /usr/local/etc/named.conf. For those operating systems that incorporate BIND9 in their base systems, the default path depends on the system. On FreeBSD, it is /etc/namedb/named.conf.
+
Untuk membuka akses agar BIND dapat di quiery menggunakan IPv6, kita dapat menggunakan opsi listen-on-v6. sebagai berikut,
  
The configuration file can specify a number of run-time parameters for named to operate and define zones for which the server has the authority. It consists of one or more statements, each of which often contains multiple substatements. Table 3-5 shows a summary of major statements used in the configuration file. These statements will appear in the succeeding examples.
+
listen-on-v6 { any; };
  
===Address Match Lists===
+
atau kalau kita ingin membatasi (hanya localhost), bisa,
  
To control DNS transport, an address match list is often required. In particular, an address match list is used to specify local IPv4 or IPv6 addresses to accept DNS queries. In general, an address match list can contain IPv4 addresses, IPv4 prefixes, IPv6 addresses, or IPv6 prefixes.
+
listen-on-v6 { ::1; );
  
When a link-local IPv6 address or prefix is specified in an address match list, its link identifier must be given as well with the "%" notation.In this case, the BIND9 implementation assumes a one-to-one mapping between links and interfaces like the KAME implementation, and interface names can be used as a link identifier. For example, a link-local address fe80::1 on the link attached to interface fxp0 is represented as fe80::1%fxp0. Similarly, the prefix that contains all link-local addresses on this link is represented as fe80::%fxp0/10.
+
===Access Control===
  
Some predefined keywords can also be used as an address match list element. Keyword any matches any possible address in the context, and none does not match any address. Keyword localhost matches all (IPv4 and IPv6) addresses configured on the system, and localnets matches all (IPv4 and IPv6) addresses covered by prefixes of local subnets.
+
BIND9 named mendukung beberapa opsi untuk kebutuhan access control. Teknik yang digunakan biasanya adalah address match list, contoh
  
TABLE 3-5
+
allow-query { 192.0.2.0/24; 2001 :db8:1::/64; );
  
Statement
+
atau kalau hanya local subnetwork aja, bisa,
 
  
Description
+
allow-query { localnets; };
  
options
+
Cara yang sama berlaku untuk opsi : allow-notify, allow-transfer, allow-recursion, dan allow-update-forwarding.
 
  
Specifies run-time operational parameters, including local IP addresses for incoming queries.
+
===Spesifikasi Source Address===
  
controls
+
BIND9 memungkinkan user untuk menggunakan source address tertentu untuk DNS transport. The configuration options for this purpose are separated for IPv4 and IPv6. In general, options for IPv6 transport have the naming convention xxx-source-v6 where xxx identifies a particular operation. The usage is the same as that of the corresponding options for IPv4.
 
 
 
Specifies control channel interfaces.
 
 
 
zone
 
 
 
 
Defines zones for which the server has the authority.
 
 
 
view
 
 
 
 
Defines a view (see Section 3.5.1).
 
 
 
server
 
 
 
 
Specifies nondefault parameters for a particular remote server.
 
 
 
Some systems do not provide a way to determine local IPv6 subnet prefixes, and on them localnets has the same effect as localhost in terms of IPv6. Fortunately, FreeBSD provides this information and localnets works for IPv6 as expected.
 
 
 
Most of the above description is a new feature of BIND 9.3. Before 9.3, you could specify only any or none as local addresses to accept queries (see later). Also, localhost and localnets worked only for IPv4 addresses.
 
 
 
==Enable Accepting IPv6 Queries==
 
 
 
By default, named does not accept DNS queries over IPv6. The listen-on-v6 option is used to allow such queries. It should be specified in the options statement and/or in view statements.
 
 
 
The listen-on-v6 option takes an address match list containing IPv6 addresses or prefixes. The easiest way to accept queries over IPv6 is to add the following line in an appropriate place:
 
 
 
tmp22-159_thumb
 
 
 
More specific configurations are also available. For example, to limit the local address that accepts queries to the loopback address only, the following configuration should be used instead:
 
 
 
tmp22-160_thumb
 
 
 
==Access Control==
 
 
 
BIND9 named supports several options for access control purposes. These options generally take an address match list as an argument. Since an address match list equally accepts IPv4 and IPv6 addresses or prefixes, access control based on IPv6 addresses can be done just as access control based on IPv4 addresses.
 
 
 
For example, the following configuration limits the source address of a DNS query to the addresses that match 192.0.2.0/24 or 2001 :db8:1::/64:
 
 
 
tmp22-161_thumb
 
 
 
A common access control policy for a caching server is to limit the source of the query to its local subnets. It can be done with the following configuration:
 
 
 
tmp22-162_thumb
 
 
 
Recall that localnets matches both IPv4 and IPv6 addresses of local subnets.
 
 
 
The same configuration notation applies to the following options: allow-notify, allow-transfer, allow-recursion, and allow-update-forwarding.
 
 
 
==Source Address Specification==
 
 
 
BIND9 allows the user to specify a particular source address for some DNS transport operations. The configuration options for this purpose are separated for IPv4 and IPv6. In general, options for IPv6 transport have the naming convention xxx-source-v6 where xxx identifies a particular operation. The usage is the same as that of the corresponding options for IPv4.
 
  
 
For example, in order to specify 2 0 01 :db8::1 as the source address of DNS queries sent from the system, the following should be added:
 
For example, in order to specify 2 0 01 :db8::1 as the source address of DNS queries sent from the system, the following should be added:

Revision as of 09:07, 28 February 2019

sumber: http://what-when-how.com/ipv6-advanced-protocols-implementation/ipv6-dns-operation-with-bind-part-1/


BIND (Berkeley Internet Name Domain) adalah aplikasi DNS server yang paling banyak digunakan. Di kembangkan oleh Internet Systems Consortium, Inc. (ISC), dan tersedia secara bebas di

Versi terakhir saat tulisan ini dibuat adalah versi 9. Semua versi BIND9 mendukung IPv6.

Secara umum ada tiga (3) operasi DNS:

  • Authoritative servers
  • Caching servers
  • Stub resolvers

Package BIND berisi ke tiga (3) fungsi tersebut.Daemon named dapat berfungsi sebagai authoritative server saja, atau caching server saja, atau ke dua-nya sekaligus. Sebuah library portable resolver, biasanya dikenal sebagai libbind, dapat memberikan fungsi stub resolver.

BIND9 Secara Umum

Fitur teknis BIND9, secara umum mempunyai karakteristik berikut:

  • Full compliance pada standard protocol DNS terakhir
  • IPv6 support, untuk transport maupun content
  • Support DNS security extension (DNSSEC)
  • Thread-based software architecture untuk mendukung mesin dengan multiprocessor

Memperoleh BIND9

Secara gratis, bisa di peroleh melalui

Build & Install BIND9

Cara paling gampang di Ubuntu menggunakan perintah 

apt install bind9

BIND9 untuk operasi IPv6

File named.conf

File /etc/bind/named.conf bisa di edit untuk mengatur, hal seperti,

  • Run-time parameter dari named
  • Mendefinisikan zone
  • dll.

Address Match List

  • Untuk mengontrol DNS transport, daftar address yang match yang bisa berisi IPv4 address, IPv4 prefix, IPv6 address, IPv6 prefix.
  • Untuk address IPv6 link-local atau prefix, ikita mengunkan notasi "%". Misalnya sebuah local link IPv6 address fe80::1 yang tersambung ke interface fxp0, maka penulisnya adalah fe80::1%fxp0. Dengan cara yang sama untuk satu subnet fe80::%fxp0/10.


Enable Accept Query IPv6

Untuk membuka akses agar BIND dapat di quiery menggunakan IPv6, kita dapat menggunakan opsi listen-on-v6. sebagai berikut, 

listen-on-v6 { any; };

atau kalau kita ingin membatasi (hanya localhost), bisa, 

listen-on-v6 { ::1; );

Access Control

BIND9 named mendukung beberapa opsi untuk kebutuhan access control. Teknik yang digunakan biasanya adalah address match list, contoh 

allow-query { 192.0.2.0/24; 2001 :db8:1::/64; );

atau kalau hanya local subnetwork aja, bisa, 

allow-query { localnets; };

Cara yang sama berlaku untuk opsi : allow-notify, allow-transfer, allow-recursion, dan allow-update-forwarding.

Spesifikasi Source Address

BIND9 memungkinkan user untuk menggunakan source address tertentu untuk DNS transport. The configuration options for this purpose are separated for IPv4 and IPv6. In general, options for IPv6 transport have the naming convention xxx-source-v6 where xxx identifies a particular operation. The usage is the same as that of the corresponding options for IPv4.

For example, in order to specify 2 0 01 :db8::1 as the source address of DNS queries sent from the system, the following should be added:

tmp22-163_thumb

Similarly, the following option specifies the IPv6 address 20 01 :db8::2 as the source address for zone transfers:

tmp22-164_thumb

The same notation also applies to the options notify-source-v6 and alt-transfer-source-v6. Server Address Specifications

In some cases, the IP address(es) of a remote DNS server must be specified in the configuration file. For example, to perform zone transfer, the IP address(es) of the master (primary) server must be specified in a zone-specific configuration. Both IPv4 and IPv6 addresses can be specified for these cases.

The following is an example of the zone transfer case. It specifies an IPv4 address 192.0.2.1 and an IPv6 address 2001 :db8::1 as master (primary) servers of a zone for which this system is acting as a slave (secondary):

tmp22-165_thumb

In a masters statement an arbitrary number of IPv4 or IPv6 addresses can be specified. Of course, it can consist of addresses of a single address family, either IPv4 or IPv6.

This notation works for also-notify, forwarders, and dual-stack-servers. Similarly, either an IPv4 or an IPv6 address can be specified for a server statement, which defines characteristics of a particular remote server. For example, the following specifies not to use EDNS0 with the server that has an IPv6 address 2 0 01 :db8::1:

tmp22-166_thumb Other IPv6-Related Options

The following are other options that are related to the IPv6 operation.

preferred-glue This option specifies the preference of glue resource records when not all of them can be stored in a single UDP response due to the size limitation (see Section 3.3.4). For example, consider a zone kame.example that contains the following delegation:

tmp22-167_thumb

That is, there are nine nameservers for a delegated zone child.kame.example, each of which has one A and one AAAA glue resource records.

The default limitation of UDP responses is usually too small to store all the glue resource records. By default, a BIND9 server returns some A records and some AAAA records when it returns a delegation to the child.kame.example zone. But if the following line is specified in the options statement:

tmp22-168_thumb

then the response would contain all the A resource records and (possibly) some AAAA resource records.

Similarly, if the following line is specified:

tmp22-169_thumb

then the response would probably contain as many AAAA records as possible and no A records.

This is a new feature in BIND 9.3. BIND 9.2 does not support this option.

Today it is generally advisable to specify the A record for preferred-glue. In fact, since most of the DNS (caching) server implementations that support IPv6 transport also support EDNS0 and responses to such servers will always contain a full set of glue records, this preference effectively does not have any negative impact on the caching servers; the cost at the authoritative server to handle the preference should be negligible. On the other hand, preferring A records will help older implementations that do not support IPv6 transport or EDNS0 when a response is large and some glue records must be omitted. In this case glue records of type A are clearly much more useful than AAAA glue records for these caching servers.

dual-stack-servers This option specifies the last resort forwarder for a single stack (i.e., either only IPv4 or only IPv6) caching server. Unlike the forwarders option, the caching server system normally tries to resolve names by itself in a recursive manner. However, if the system detects that a remote server cannot be reached due to address family mismatch (e.g., when the local system only has IPv4 connectivity but the remote server only has AAAA glue records), a forwarder specified in dual-stack-servers that has the missing connectivity will be used. This option does not have any effect on a dual stack node.

Note that in this context dual stack means the system can open both AF_INET and AF_INET6 sockets. This is always the case for the generic FreeBSD kernel even if the node does not have an IP address for the corresponding address family. Therefore, named must either be built with —disable-ipv6 or be invoked with the -4 option (see below for this option) in order to act as an IPv4-only node; similarly, named must be invoked with the -6 option in order to act as an IPv6-only node. Otherwise, it will be treated as a dual stack node and dual-stack-servers will not work as expected.

FIGURE 3-24

FIGURE 3-24


Referensi


Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=IPv6:_BIND_DNS_Operation&oldid=55668"