What is new in BIND 9.11?

Feb 09, 2017

Men and Mice
Page 1: What is new in BIND 9.11?

© Men & Mice http://menandmice.com

BIND 9.11

Page 2

© Men & Mice http://menandmice.com © ISC http://www.isc.org

BIND 9.11

• Catalog Zones
• new rndc functions
• dnssec-keymgr
• CDS/CDNSKEY auto generation
• Negative Trust Anchor
• DNS cookies
• Minimal “any”

Page 3

BIND 9.11 License change

• BIND 9.11 is now licensed under the Mozilla Public License (MPL) https://en.wikipedia.org/wiki/Mozilla_Public_License
• previous versions of BIND 9 are licensed under the ISC License (a variation of the BSD License) https://en.wikipedia.org/wiki/ISC_license
• both licenses are "Open-Source" licenses
• this change has no impact on users of BIND 9 (including users of the Men & Mice Suite)
• it has an impact on companies that include an adapted version of BIND 9 in their product offerings

Page 4

BIND 9 catalog zones

Page 5

Catalog Zones

• catalog zones are a way to provision DNS zones
• catalog zones are an Internet-Draft ("work in progress") in the IETF https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones
• a "proof-of-concept" implementation for PowerDNS exists

Page 6

Catalog Zones

• a catalog zone works like a normal DNS zone
• it contains the names and configuration metadata of zones that should exist on a secondary server
• the catalog zone is maintained on the master server
• new zones added to the catalog zone on the master are also created on the secondaries receiving the same catalog zone

Pages 7-14

[Diagram: catalog zone provisioning step by step, between a "Server with Master zones" and a "Server with Slave zones"]

• Page 7: Server with Master zones, Server with Slave zones
• Page 8: Catalog Zone (master) empty on the master server
• Page 9: Catalog Zone (master) empty; Catalog Zone (slave) empty on the secondary
• Page 10: Production Zone (master) example.com is created on the master
• Page 11: Catalog Zone (master) example.com; the new production zone is added to the catalog zone
• Page 12: zone transfer of the catalog zone; Catalog Zone (slave) example.com
• Page 13: the production slave zone configuration is added by BIND; Production Zone (slave) example.com
• Page 14: zone transfer of the production zone; Production Zone (slave) example.com

Page 15

Catalog Zones

• empty catalog zone

$TTL 60
@   IN SOA authoritative.example.com. hostmaster ( 1001 2h 20m 41d 1h )
    IN NS  authoritative.example.com.
    IN NS  secondary01.example.com.

the NS names should be resolvable via DNS for notify to work

Page 16

Catalog Zones

• BIND 9 named.conf with catalog zone on the master server

options {
    directory "/etc/namedb";
    recursion no;
};

logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};

zone "catalog.example" {
    type master;
    file "catalog.example";
};

Page 17

Catalog Zones

• start BIND 9 on the master

# named-checkconf -z
zone catalog.example/IN: loaded serial 1001

# named

# rndc status
version: BIND 9.11.0b3 <id:a23f742>
running on csmobile4.example.com: Linux x86_64 4.6.5-300.fc24.x86_64 #1 SMP Thu Jul 28 01:10:12 UTC 2016
boot time: Tue, 16 Aug 2016 07:29:05 GMT
last configured: Tue, 16 Aug 2016 07:30:49 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 2 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running

Page 18

Catalog Zones

• BIND 9 configuration on the secondary

options {
    directory "/etc/namedb";
    recursion no;
    allow-new-zones yes;
    catalog-zones {
        zone "catalog.example"
            zone-directory "cat-zones"
            in-memory no
            default-masters { 172.22.1.196; };
    };
};

logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};

zone "catalog.example" {
    type slave;
    file "catalog.example";
    masters { 172.22.1.196; };
};

• allow-new-zones yes: allow BIND 9 to dynamically add new zones
• catalog-zones { ... }: definition of the catalog zone
• zone-directory: directory for storing new slave zones
• in-memory no: write slave zone contents to disk
• default-masters: IP addresses of the default masters for new slave zones
• zone "catalog.example" { type slave; ... }: catalog zone definition

Page 19

Catalog Zones

• adding the new zone to the BIND 9 server (Step 1)

# $EDITOR /etc/namedb/example.com

$TTL 1800
@   IN SOA authoritative.example.com. hostmaster ( 1001 2h 30m 41d 1h )
    IN NS  authoritative.example.com.
    IN NS  secondary01.example.com.

authoritative IN A 172.22.1.196
secondary01   IN A 172.22.1.199

Page 20

Catalog Zones

• adding the new zone to the BIND 9 server (Step 2)

# $EDITOR /etc/namedb/named.conf

options {
    directory "/etc/namedb";
    recursion no;
};

logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};

zone "example.com" {
    type master;
    file "example.com";
};

zone "catalog.example" {
    type master;
    file "catalog.example";
};

zone "example.com" { ... }: new zone configuration

Page 21

Catalog Zones

• adding the new zone to the BIND 9 server (Step 3)

# named-checkconf -z
zone example.com/IN: loaded serial 1001
zone catalog.example/IN: loaded serial 1001

Page 22

Catalog Zones

• adding the new zone to the catalog zone

# echo -n "example.com" | openssl sha1
(stdin)= 0caaf24ab1a0c33440c06afe99df986365b0781f

# $EDITOR /etc/namedb/catalog.example

$TTL 60
@   IN SOA authoritative.example.com. hostmaster ( 1002 2h 20m 41d 1h )
    IN NS  authoritative.example.com.
    IN NS  secondary01.example.com.

0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.

• the sha1 hash identifies the new zone
• the PTR record maps the hash to the name of the zone
• the SOA serial number is incremented (1001 -> 1002) so that the secondaries pick up the change

Page 23

Catalog Zones

• the BIND 9 log on the secondary shows the update of the catalog zone followed by a transfer of the new zone:

named[157]: client 172.22.1.196#60914: received notify for zone 'catalog.example'
named[157]: zone catalog.example/IN: notify from 172.22.1.196#60914: serial 1002
named[157]: zone catalog.example/IN: Transfer started.
named[157]: catz: updating catalog zone 'catalog.example' with serial 1002
named[157]: zone catalog.example/IN: transferred serial 1002
named[157]: zone catalog.example/IN: sending notifies (serial 1002)
named[157]: catz: adding zone 'example.com' from catalog 'catalog.example' - success
named[157]: zone example.com/IN: Transfer started.
named[157]: zone example.com/IN: transferred serial 1001
named[157]: zone example.com/IN: sending notifies (serial 1001)

the new zone is now available on the secondary

Page 24

Catalog Zones

• catalog zones can contain configuration information for the new zone (details in the BIND 9 ARM):

$TTL 60
@   IN SOA authoritative.catalog.example. hostmaster ( 1002 2h 20m 41d 1h )
    IN NS  authoritative.example.com.
    IN NS  secondary01.example.com.

0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196
allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL ( 1:172.22.1.196/32 1:172.22.1.199/32 )

• masters.<hash>.zones: definition of the zone's master server(s)
• allow-transfer.<hash>.zones: access control list for zone transfer
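As an added example (not part of the deck or of BIND), a small Python helper that builds the catalog entries shown on pages 22 and 24 the way the slides do: the member label is the SHA-1 of the zone name, the PTR maps it to the zone, and the optional masters / allow-transfer records sit under the same label. The SOA and NS names are the slide's; the name normalisation and the duplicate check are assumptions of this example.

```python
import hashlib
import ipaddress

# SOA MNAME/RNAME and NS set of the catalog zone, as on the slide.
CATALOG_SOA = "authoritative.example.com. hostmaster"
CATALOG_NS = ("authoritative.example.com.", "secondary01.example.com.")


def member_label(zone_name):
    """Label under which a member zone lives in the catalog, derived exactly
    as the slide does it (echo -n "example.com" | openssl sha1): SHA-1 over
    the presentation-format name. The name is lower-cased and the trailing
    dot dropped first (assumption of this example), so "Example.COM." and
    "example.com" map to one label instead of producing two member entries."""
    name = zone_name.rstrip(".").lower()
    return hashlib.sha1(name.encode("ascii")).hexdigest()


def member_records(zone_name, masters=(), allow_transfer=()):
    """Records that add zone_name to the catalog (the three record shapes on
    page 24): the PTR, one A/AAAA per zone-specific master, and an APL with
    the zone-transfer ACL. Returns presentation-format lines relative to the
    catalog zone's origin."""
    owner = member_label(zone_name) + ".zones"
    records = ["%s IN PTR %s." % (owner, zone_name.rstrip(".").lower())]
    for master in masters:
        addr = ipaddress.ip_address(master)
        rtype = "A" if addr.version == 4 else "AAAA"
        records.append("masters.%s IN %s %s" % (owner, rtype, addr))
    if allow_transfer:
        # APL address family numbers: 1 = IPv4, 2 = IPv6 (RFC 3123)
        items = []
        for prefix in allow_transfer:
            net = ipaddress.ip_network(prefix, strict=False)
            items.append("%d:%s" % (1 if net.version == 4 else 2, net.with_prefixlen))
        records.append("allow-transfer.%s IN APL ( %s )" % (owner, " ".join(items)))
    return records


def render_catalog(serial, members):
    """Full catalog zone file for the given SOA serial. `members` is a list of
    dicts holding the keyword arguments of member_records. Two members that
    normalise to the same label are rejected: two PTR records under one
    label would not be a valid catalog entry."""
    seen = set()
    body = []
    for m in members:
        label = member_label(m["zone_name"])
        if label in seen:
            raise ValueError("duplicate member zone: " + m["zone_name"])
        seen.add(label)
        body.extend(member_records(**m))
    head = ["$TTL 60",
            "@ IN SOA %s ( %d 2h 20m 41d 1h )" % (CATALOG_SOA, serial)]
    head += ["  IN NS %s" % ns for ns in CATALOG_NS]
    return "\n".join(head + [""] + body) + "\n"


def next_serial(serial):
    """Serial for the next catalog update (secondaries only transfer when
    the serial increases; wrap inside the 32-bit serial space)."""
    return (serial + 1) % 2**32


if __name__ == "__main__":
    # The member entry from page 24, then the zone with the incremented serial.
    print(render_catalog(next_serial(1001), [{
        "zone_name": "example.com",
        "masters": ["172.22.1.196"],
        "allow_transfer": ["172.22.1.196/32", "172.22.1.199/32"],
    }]))
```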

Page 25

Catalog Zones

• rndc zonestatus on a zone added via catalog zone:

# rndc zonestatus example.com
name: example.com
type: slave
files: cat-zones/__catz___default_catalog.example_example.com.db
serial: 1001
nodes: 3
last loaded: Thu, 18 Aug 2016 07:29:58 GMT
next refresh: Thu, 18 Aug 2016 07:52:54 GMT
expires: Mon, 26 Sep 2016 07:54:36 GMT
secure: no
dynamic: no
reconfigurable via modzone: yes

• files: backup file of the slave zone
• next refresh / expires: zone expiry information for slave zones

Page 26

rndc (Remote Name Daemon Control)

Page 27

read-only rndc

• an rndc control channel can be configured "read-only"
• all "destructive" rndc commands are blocked ("reload", "reconfigure", "stop", "addzone", "delzone" etc.)
• multiple control channels can be configured
• each should have a unique "tsig" key for authentication

key "rndc-key" {
    algorithm hmac-md5;
    secret "ikRtqFL52Inn+7wCE0Bb9A==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; }
        read-only yes;
};

Page 28

Zone provisioning with rndc

• in previous BIND 9 versions it is already possible to dynamically add/remove zones in a running configuration with rndc addzone and rndc delzone
• zone configurations added with rndc addzone can now be changed dynamically with rndc modzone
• rndc delzone can now also remove zones that are configured in named.conf:

# rndc delzone example.com
zone 'example.com' is no longer active and will be deleted.
To keep it from returning when the server is restarted, it must also be removed from named.conf.

Page 29

rndc zonestatus

• rndc can now display detailed information about a configured zone:

# rndc zonestatus example.com
name: example.com
type: master
files: example.com
serial: 1001
nodes: 3
last loaded: Thu, 18 Aug 2016 07:25:06 GMT
secure: no
dynamic: no
reconfigurable via modzone: no

Page 30

python rndc

• BIND 9.11 contains a Python library to access the rndc control channel from within Python programs
• applications written in Python can make use of rndc functions (addzone, manage keys, sign zones etc.)

Page 31

DNSSEC

Page 32

dnssec-keymgr

• dnssec-keymgr is a new tool written in Python to manage DNSSEC keys (and the key rollover)
• the tool reads a policy file (${SYSCONFDIR}/policy.conf) and creates new ZSKs/KSKs based on the defined policies
• policies can be defined globally, per algorithm and per zone
• policies can inherit settings from a global policy definition

Page 33

dnssec-keymgr

• dnssec-keymgr example policy configuration

policy default-dnssec {
    directory "/etc/namedb/keys";
    algorithm rsasha256;
    key-size zsk 2048;
    key-size ksk 2560;
    pre-publish zsk 1w;
    post-publish zsk 2w;
    roll-period zsk 2mo;
    roll-period ksk 0;
    coverage 364d;
};

zone example.com {
    policy default-dnssec;
    key-size zsk 1536;
};

• policy default-dnssec { ... }: global policy definition
• policy default-dnssec; (inside the zone block): inherit the "default-dnssec" policy for the zone
• key-size zsk 1536; (inside the zone block): override a setting inherited from the global policy

Page 34

dnssec-keymgr

• dnssec-keymgr is designed to be run from a cron job
• it can be started manually (the tool prints the dnssec-keygen and dnssec-settime commands it runs):

# dnssec-keymgr example.com
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -a RSASHA256 -b 1536 example.com
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -fk -a RSASHA256 -b 2560 example.com
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161017081131 -D 20161031081131 Kexample.com.+008+16143
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+16143 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161216081131 -D 20161230081131 Kexample.com.+008+45825
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+45825 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170214081131 -D 20170228081131 Kexample.com.+008+58464
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+58464 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170415081131 -D 20170429081131 Kexample.com.+008+59949
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59949 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170614081131 -D 20170628081131 Kexample.com.+008+59589
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59589 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170813081131 -D 20170827081131 Kexample.com.+008+47265
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+47265 -L 3600 -i 604800
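The -I/-D dates in the dnssec-settime calls above follow directly from the policy on the previous slide. The following Python reconstruction (added here; it is not dnssec-keymgr's own code) derives the same ZSK timeline from pre-publish, post-publish, roll-period and coverage; it assumes keymgr counts "1mo" as 30 days, which is what the slide's dates imply (18 Aug 2016 + 60 days = 17 Oct 2016).

```python
from datetime import datetime, timedelta

# Timestamp format that dnssec-settime -I / -D and dnssec-keygen take (UTC).
FMT = "%Y%m%d%H%M%S"

# The ZSK part of the "default-dnssec" policy from page 33, as timedeltas.
# Assumption: "2mo" = 60 days (30-day months), matching the slide's dates.
POLICY = {
    "pre-publish": timedelta(weeks=1),   # successor published 1w before it is used
    "post-publish": timedelta(weeks=2),  # retired key deleted 2w after inactivation
    "roll-period": timedelta(days=60),   # each ZSK is active for 60 days
    "coverage": timedelta(days=364),     # plan keys this far ahead
}


def zsk_schedule(start, policy=POLICY):
    """Timeline of ZSKs covering start .. start + coverage.
    Each entry has publish/activate/inactive/delete datetimes. inactive and
    delete are None for the last key: its retirement would fall outside the
    coverage window, so keymgr runs no dnssec-settime for it (the slide shows
    seven keygen calls but only six settime calls)."""
    end = start + policy["coverage"]
    keys = []
    publish = activate = start  # the first ZSK is published and activated at once
    while True:
        inactive = activate + policy["roll-period"]
        if inactive > end:
            keys.append({"publish": publish, "activate": activate,
                         "inactive": None, "delete": None})
            return keys
        keys.append({"publish": publish, "activate": activate,
                     "inactive": inactive,
                     "delete": inactive + policy["post-publish"]})
        # successor key: pre-published 1w before it takes over at `inactive`
        # (this is the -i 604800 on the dnssec-keygen -S calls)
        publish, activate = inactive - policy["pre-publish"], inactive


def zsk_timeline(start_ts, policy=POLICY):
    """Same schedule with every time rendered in FMT (None stays None)."""
    start = datetime.strptime(start_ts, FMT)
    return [{name: (t.strftime(FMT) if t else None) for name, t in key.items()}
            for key in zsk_schedule(start, policy)]


def settime_args(key):
    """The -I/-D arguments keymgr passes to dnssec-settime for one timeline
    entry, or None when the key has no retirement time yet."""
    if key["inactive"] is None:
        return None
    return "-I %s -D %s" % (key["inactive"], key["delete"])


if __name__ == "__main__":
    # Creation time of the first key on the slide (page 41 shows it as
    # Thu Aug 18 10:11:31 2016 local time, i.e. 08:11:31 UTC).
    for n, key in enumerate(zsk_timeline("20160818081131"), 1):
        print("ZSK %d: publish %s, activate %s, settime %s"
              % (n, key["publish"], key["activate"], settime_args(key)))
```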

Page 35

rndc managed-keys

• rndc can now be used to get information about the configured DNSSEC trust anchor(s)
• useful to track the automatic trust anchor update (RFC 5011) for the upcoming KSK change in the root zone https://www.icann.org/resources/pages/ksk-rollover
• Example:

# rndc managed-keys status
view: _default
next scheduled event: Fri, 19 Aug 2016 08:30:56 GMT

 name: .
 keyid: 19036
 algorithm: RSASHA256
 flags: SEP
 next refresh: Fri, 19 Aug 2016 08:30:56 GMT
 trusted since: Thu, 18 Aug 2016 08:30:53 GMT

Page 36

DNSSEC trust-anchor telemetry

• BIND 9 configured as a DNSSEC validating resolver will send specially formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto
• the query name used for these queries has the form _ta-xxxx(-xxxx)(...).<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key
• this gives operators of trusted DNSSEC domains feedback on which active trust anchors are used for the domains they host
• this helps operators to decide when an old key can be removed from the DNSSEC zone
• trust-anchor-telemetry no; disables this function

Page 37

Automating DNSSEC Delegation Trust Maintenance (RFC 7344)

• BIND 9.11 supports the CDS and CDNSKEY resource records
• BIND 9.11 can publish a new DS via CDS, or a new DNSKEY via CDNSKEY, whenever a new KSK is created
• the parent zone operator can monitor the child zone and import new DS and DNSKEY data from the CDS or CDNSKEY records

Pages 38-40

Automating DNSSEC Delegation Trust Maintenance

[Diagram: Parent DNS (tld. IN SOA …, tld. IN NS …, tld. IN DNSKEY …) and Child DNS (child.tld. IN SOA …, child.tld. IN NS …, child.tld. IN DNSKEY …)]

• Page 38: parent and child zone, each with its own DNSKEY
• Page 39: updating the DNSSEC trust chain today: the child's child.tld. IN DS … has to be passed to the parent, which publishes child.tld. IN DS …
• Page 40: updating the DNSSEC trust chain with CDS / CDNSKEY: the child publishes child.tld. IN CDS … in its own zone and the parent picks it up and publishes child.tld. IN DS …

Page 41

Automating DNSSEC Delegation Trust Maintenance (RFC 7344)

• dnssec-keygen and dnssec-settime now support additional timing information: SYNC Publish (when to publish CDS/CDNSKEY) and SYNC Delete (when to remove CDS/CDNSKEY)

# dnssec-settime -Psync +3mo /etc/namedb/keys/Kexample.com.+008+58464.key
# dnssec-settime -p all /etc/namedb/keys/Kexample.com.+008+58464.key
Created: Thu Aug 18 10:11:31 2016
Publish: Fri Dec 9 09:11:31 2016
Activate: Fri Dec 16 09:11:31 2016
Revoke: UNSET
Inactive: Tue Feb 14 09:11:31 2017
Delete: Tue Feb 28 09:11:31 2017
SYNC Publish: Wed Nov 16 09:47:45 2016
SYNC Delete: UNSET

Page 42

DNSSEC negative trust anchors

• negative trust anchors (NTA) disable DNSSEC validation for a specific domain for a certain amount of time
• can be used by operators in case a misconfiguration of a remote DNSSEC-signed zone is detected. Care should be taken to check that the DNSSEC validation failure is indeed a misconfiguration and not an attack
• domains with an NTA are processed as if there is no trust anchor for that domain
• NTAs are stored and are persistent across BIND 9 restarts
• BIND 9 checks the domain periodically. Once the domain starts validating again, the NTA for the domain is removed
• NTAs have a lifetime (maximum one week) and expire automatically

Page 43

DNSSEC negative trust anchors

• adding an NTA (for 60 seconds):

# rndc nta -l 60 fail01.dnssec.works
Negative trust anchor added: fail01.dnssec.works/_default, expires 18-Aug-2016 13:52:19.000

# rndc nta -dump
fail01.dnssec.works: expired 18-Aug-2016 13:52:19.000

# ls -l /etc/namedb/_default.nta
-rw-r--r--. 1 root root 44 Aug 18 13:51 /etc/namedb/_default.nta

# cat /etc/namedb/_default.nta
fail01.dnssec.works. regular 20160818115219

Page 44

DNSSEC negative trust anchors

• removing an NTA:

# rndc nta -l 86400 fail02.dnssec.works
Negative trust anchor added: fail02.dnssec.works/_default, expires 19-Aug-2016 13:56:22.000

# rndc nta -dump
fail02.dnssec.works: expiry 19-Aug-2016 13:56:22.000

# rndc nta -r fail02.dnssec.works
Negative trust anchor removed: fail02.dnssec.works/_default

# rndc nta -dump
#

• -l 86400: NTA for one day
• -r: NTA removed

Page 45

DNS Cookies

Page 46

DNS Cookies

• DNS Cookies, defined in RFC 7873, create a lightweight session over UDP between a DNS client (which can be a DNS resolver) and a DNS server
• DNS cookies can mitigate cache poisoning attacks
• DNS cookies make DNS amplification attacks harder

Pages 47-51

[Diagram: DNS cookie exchange between a DNS client and a BIND 9.11 DNS Resolver]

• Page 47: BIND 9.11 DNS Resolver with a DNS cookie secret configured
• Page 48: DNS query; Client Cookie Hash: a56f341; Server Cookie Hash: empty
• Page 49: Error Response BADCOOKIE includes Server Cookie Hash b761a22; the client can cache the server cookie
• Page 50: DNS query; Client Cookie Hash: a56f341; Server Cookie Hash: b761a22
• Page 51: NOERROR Response includes Server Cookie Hash b761a22

Page 52

DNS Cookies

• DNS cookies are enabled in BIND 9.11 by default (including the dig tool):

# dig @localhost menandmice.com

; <<>> DiG 9.11.0b3 <<>> @localhost menandmice.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6448
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d22bde1a43ccf88213b35b4257b59343163def237257e622 (good)
;; QUESTION SECTION:
;menandmice.com. IN A

;; ANSWER SECTION:
menandmice.com. 300 IN A 72.10.32.220

the COOKIE line in the OPT pseudosection is the DNS cookie

Page 53

DNS Cookies

Configuration options for DNS cookies in BIND 9.11:

• require-server-cookie - (authoritative server or resolver) Require a valid server cookie before sending a full response to a UDP request from a cookie-aware client. BADCOOKIE is sent if there is a bad or nonexistent server cookie.
• send-cookie - (resolver) If yes, then a COOKIE EDNS option is sent along with the query. If the resolver has previously talked to the server, the COOKIE returned in the previous transaction is sent.

Page 54

DNS Cookies

Configuration options for DNS cookies in BIND 9.11:

• nocookie-udp-size - (authoritative or resolver) Sets the maximum size of UDP responses that will be sent to queries without a valid server COOKIE.
• cookie-algorithm - (authoritative or resolver) Set the algorithm to be used when generating the server cookie. One of "aes", "sha1" or "sha256".
• cookie-secret - (authoritative or resolver) If set, this is a shared secret used for generating and verifying DNS cookies within an anycast cluster. If not set, the system will generate a random secret at startup.
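The exchange on pages 48-51 and the options on the last two slides, as an added Python model (not BIND's code): the server checks the COOKIE option, hands out a server cookie bound to the client's source address, answers BADCOOKIE when require-server-cookie is set, and otherwise caps UDP answers at nocookie-udp-size; the client caches the server cookie per server as send-cookie does. The cookie construction (HMAC-SHA256 over client cookie and address, truncated to 16 bytes) is a simplification assumed for this example; the sample cookie is the one from the dig output on page 52.

```python
import hashlib
import hmac
import ipaddress
import os

NOERROR, FORMERR, BADCOOKIE = 0, 1, 23  # BADCOOKIE: extended RCODE from RFC 7873


def split_cookie(option_data):
    """Split COOKIE option data into (client_cookie, server_cookie).
    The client cookie is always 8 bytes; the server cookie is either absent
    or 8..32 bytes. Returns None for a malformed option (answered FORMERR)."""
    if len(option_data) == 8:
        return option_data, b""
    if 16 <= len(option_data) <= 40:
        return option_data[:8], option_data[8:]
    return None


class CookieServer:
    """Server side. cookie-secret, require-server-cookie and nocookie-udp-size
    map to the options on the slides. Simplification (assumption): the server
    cookie is HMAC-SHA256(secret, client cookie + client address)[:16]; BIND's
    own "sha256" cookie layout also carries a nonce/timestamp."""

    def __init__(self, secret=None, require_server_cookie=False,
                 nocookie_udp_size=4096):
        # cookie-secret: shared inside an anycast cluster, else random at startup
        self.secret = secret if secret is not None else os.urandom(32)
        self.require_server_cookie = require_server_cookie
        self.nocookie_udp_size = nocookie_udp_size

    def server_cookie(self, client_cookie, client_ip):
        msg = client_cookie + ipaddress.ip_address(client_ip).packed
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle(self, option_data, client_ip, answer_size):
        """Decide how a UDP query carrying a COOKIE option is answered.
        Returns (rcode, cookie option to send back, truncated)."""
        parts = split_cookie(option_data)
        if parts is None:
            return FORMERR, b"", False
        client_cookie, server_cookie = parts
        expected = self.server_cookie(client_cookie, client_ip)
        reply = client_cookie + expected  # always hand back a current server cookie
        if server_cookie and hmac.compare_digest(server_cookie, expected):
            return NOERROR, reply, False  # verified session: full answer
        if self.require_server_cookie:
            return BADCOOKIE, reply, False  # client must retry with the cookie
        # Not required: answer, but a query whose source address has not been
        # confirmed only gets up to nocookie-udp-size bytes (larger answers are
        # truncated, so a real client retries over TCP).
        return NOERROR, reply, answer_size > self.nocookie_udp_size


class CookieClient:
    """Resolver side (send-cookie yes): one client cookie, server cookies
    cached per server address and re-sent on the next query."""

    def __init__(self):
        self.client_cookie = os.urandom(8)
        self.cache = {}

    def exchange(self, server, server_ip, client_ip, answer_size=512):
        """Query `server` until it answers NOERROR (at most three attempts);
        returns the RCODEs seen, e.g. [BADCOOKIE, NOERROR] on first contact."""
        rcodes = []
        for _ in range(3):
            option = self.client_cookie + self.cache.get(server_ip, b"")
            rcode, reply, _truncated = server.handle(option, client_ip, answer_size)
            rcodes.append(rcode)
            if reply[:8] == self.client_cookie:  # only cache cookies echoing ours
                self.cache[server_ip] = reply[8:]
            if rcode == NOERROR:
                break
        return rcodes


# Cookie from the dig output on page 52: 8-byte client cookie + 16-byte server cookie.
SAMPLE_COOKIE = bytes.fromhex("d22bde1a43ccf88213b35b4257b59343163def237257e622")

if __name__ == "__main__":
    print("client/server parts of the dig cookie:",
          [p.hex() for p in split_cookie(SAMPLE_COOKIE)])
    server = CookieServer(require_server_cookie=True)
    client = CookieClient()
    print("first contact RCODEs:", client.exchange(server, "192.0.2.53", "198.51.100.7"))
    print("second query RCODEs:", client.exchange(server, "192.0.2.53", "198.51.100.7"))
```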

Page 55

Misc

Page 56

new resource record types

BIND 9 now supports the following resource record types:

• OPENPGPKEY - stores PGP public keys for email addresses
• AVC - stores metadata about applications (Cisco DNS-AS - "DNS Authoritative Source")
• TA - DNSSEC Trust Authorities
• TALINK - used by applications that maintain trust anchors for DNS validators
• NINFO - a mechanism in the DNS to publish descriptive information about the status of the zone
• RKEY - publishing arbitrary application keys that could be used to encrypt DNS resource records
• SINK - Kitchen Sink Resource Record (https://tools.ietf.org/html/draft-eastlake-kitchen-sink)

Page 57

Minimal ANY

• a BIND 9 server getting a query with type ANY (QTYPE 255) will answer with all records matching the requested domain name and class
• this can create large UDP DNS answer packets:

;; QUESTION SECTION:
;menandmice.com. IN ANY

;; ANSWER SECTION:
menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
menandmice.com. 3600 IN TXT "HhnTdT3K"
menandmice.com. 3600 IN TXT "MS=ms81797768"
menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
ns2.c.is. 84985 IN A 213.176.143.102
dns1.menandmice.com. 171385 IN A 217.151.171.7
dns2.menandmice.com. 171385 IN A 217.151.171.21
dns3.menandmice.com. 171385 IN A 45.79.153.125
[…]
;; Query time: 97 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:49:15 CEST 2016
;; MSG SIZE rcvd: 719

MSG SIZE rcvd: the DNS answer size

Page 58

Minimal ANY

• starting with BIND 9.11, BIND 9 can be configured to return only the first matching RRset for an ANY query
• this mitigates the problem without causing (too much) breakage of older software (qmail etc.)

options { minimal-any yes; };

Page 59

Minimal ANY

• same query as before with minimal-any enabled:

# dig menandmice.com any

; <<>> DiG 9.11.0b3 <<>> menandmice.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
;; QUESTION SECTION:
;menandmice.com. IN ANY

;; ANSWER SECTION:
menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:55:22 CEST 2016
;; MSG SIZE rcvd: 123

DNS answer size: 123 < 719 bytes

Page 60

adaptive preferred glue

• BIND 9.11 now fills the additional section with glue records matching the transport protocol over which the query was received
• query received over IPv4 - A-record glue data is preferred
• query received over IPv6 - AAAA-record glue data is preferred

Page 61

nslookup resolves IPv6 AAAA

• nslookup got updated (WHOOO!)
• nslookup will now look up IPv4 and IPv6 information for a hostname:

# nslookup
> menandmice.com
Server:  172.22.1.22
Address: 172.22.1.22#53

Non-authoritative answer:
Name: menandmice.com
Address: 72.10.32.220
Name: menandmice.com
Address: 2a01:7e00::f03c:91ff:fe89:ed54

Page 62

SERVFAIL Caching

• DNS answers with the return code SERVFAIL are now cached (default 1 sec)
• this reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers
• the cache time for SERVFAIL answers can be configured with the servfail-ttl statement; the maximum is 30 seconds

Page 63

new mdig query tool

• the new tool mdig (multi-dig) can be used to send multiple queries at once to a DNS server
• answers will be printed in order of arrival

Page 64

new mdig query tool

# mdig @8.8.8.8 menandmice.com www.menandmice.com info.menandmice.com

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.menandmice.com. IN A
;; ANSWER SECTION:
www.menandmice.com. 4m59s IN A 72.10.32.220

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61756
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;menandmice.com. IN A
;; ANSWER SECTION:
menandmice.com. 4m59s IN A 72.10.32.220

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23068
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;info.menandmice.com. IN A
;; ANSWER SECTION:
info.menandmice.com. 4m59s IN CNAME 77026.group26.sites.hubspot.net.
77026.group26.sites.hubspot.net. 29m59s IN CNAME cos2mdc.hubspot.net.mdc.edgesuite.net.
cos2mdc.hubspot.net.mdc.edgesuite.net. 5h57m44s IN CNAME a1711.b.akamai.net.
a1711.b.akamai.net. 19s IN A 95.101.90.26
a1711.b.akamai.net. 19s IN A 95.101.90.82

three queries; the answers arrive in the order #2 (www.menandmice.com), #1 (menandmice.com), #3 (info.menandmice.com)

Page 65

dig switches

• dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds:

# dig +ttlunits menandmice.com

; <<>> DiG 9.11.0b3 <<>> +ttlunits menandmice.com
;; global options: +cmd
;; Got answer:
[…]
;; ANSWER SECTION:
menandmice.com. 4m54s IN A 72.10.32.220

;; AUTHORITY SECTION:
menandmice.com. 20h52m59s IN NS ns2.c.is.
menandmice.com. 20h52m59s IN NS dns1.menandmice.com.
menandmice.com. 20h52m59s IN NS ns0.c.is.
menandmice.com. 20h52m59s IN NS dns3.menandmice.com.
menandmice.com. 20h52m59s IN NS ns1.c.is.
menandmice.com. 20h52m59s IN NS dns2.menandmice.com.

;; ADDITIONAL SECTION:
dns1.menandmice.com. 21h9m22s IN A 217.151.171.7
dns2.menandmice.com. 20h52m59s IN A 217.151.171.21
dns3.menandmice.com. 1h29m39s IN A 45.79.153.125

Page 66

multiple named processes

• BIND 9.11 prevents the named process from accidentally being started more than once
• named refuses to start if it cannot bind to any network interface
• named refuses to start if the lock file /var/run/named/named.lock already exists

Page 67

multiple named processes

# named -g
18-Aug-2016 13:31:16.929 starting BIND 9.11.0b3 <id:a23f742>
18-Aug-2016 13:31:16.929 running on Linux x86_64 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016
18-Aug-2016 13:31:16.929 built with '--sysconfdir=/etc/namedb'
18-Aug-2016 13:31:16.929 running as: named -g
18-Aug-2016 13:31:16.929 ----------------------------------------------------
18-Aug-2016 13:31:16.929 BIND 9 is maintained by Internet Systems Consortium,
18-Aug-2016 13:31:16.929 Inc. (ISC), a non-profit 501(c)(3) public-benefit
18-Aug-2016 13:31:16.929 corporation. Support and training for BIND 9 are
18-Aug-2016 13:31:16.929 available at https://www.isc.org/support
18-Aug-2016 13:31:16.929 ----------------------------------------------------
18-Aug-2016 13:31:16.929 adjusted limit on open files from 65536 to 1048576
18-Aug-2016 13:31:16.929 found 4 CPUs, using 4 worker threads
18-Aug-2016 13:31:16.929 using 3 UDP listeners per interface
18-Aug-2016 13:31:16.929 using up to 4096 sockets
18-Aug-2016 13:31:16.938 loading configuration from '/etc/namedb/named.conf'
18-Aug-2016 13:31:16.939 reading built-in trusted keys from file '/etc/namedb/bind.keys'
18-Aug-2016 13:31:16.939 using default UDP/IPv4 port range: [32768, 60999]
18-Aug-2016 13:31:16.939 using default UDP/IPv6 port range: [32768, 60999]
18-Aug-2016 13:31:16.941 listening on IPv6 interfaces, port 53
18-Aug-2016 13:31:16.948 binding TCP socket: address in use
18-Aug-2016 13:31:16.948 listening on IPv4 interface lo, 127.0.0.1#53
18-Aug-2016 13:31:16.949 binding TCP socket: address in use
18-Aug-2016 13:31:16.949 listening on IPv4 interface mv-p3p1, 172.22.1.129#53
18-Aug-2016 13:31:16.950 binding TCP socket: address in use
18-Aug-2016 13:31:16.950 unable to listen on any configured interfaces
18-Aug-2016 13:31:16.950 loading configuration: failure
18-Aug-2016 13:31:16.950 exiting (due to fatal error)

Page 68

more changes

• the BIND 9.11 change log has additional information on all the changes: http://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt

Page 69

Upcoming training classes

KEA-DHCP

• October 13 – 14, 2016 - West Coast, USA
• October 17 – 18, 2016 - East Coast, USA
• November 21 – 22, 2016 - Amsterdam, The Netherlands

Two days - Hands-On training, US$ 1795

https://www.menandmice.com/support-training/training/kea-dhcp-training/

Page 70

more training

• October 3 – 5, 2016: Introduction to DNS & BIND Hands-On class, Arlington (VA), USA
• October 3 – 7, 2016: Introduction & Advanced DNS and BIND Topics Hands-on class, Arlington (VA), USA
• October 5 – 7, 2016: DNSSEC Technical Workshop – Implementation and Deployment, Arlington (VA), USA
• October 10-14, 2014: "DNS und BIND / DNS Sicherheit" (German) @ Linuxhotel, Essen, Germany

https://www.menandmice.com/support-training/training/

Page 71

our next webinar: A secure BIND 9 – best practices

When operating a DNS server, a secure configuration is paramount. BIND 9 experts from the Men & Mice team will answer questions about BIND 9 security.

Learn more on:

• “chroot” vs. “container”
• separating resolving and authoritative services for security
• BIND 9 configuration hardening
• monitoring BIND 9 for security issues

August 31st, 2016 4:00pm CEST / 2:00pm GMT / 10:00am EDT / 7:00am PDT

https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/

Page 72

Thank you!

Questions? Comments?