Introduction

The ApacheDS Domain Name Service (DNS) provider implements RFC 1034 and RFC 1035 to service DNS Protocol requests.

The DNS provider plugs into the Apache Directory server. As a plugin, the DNS provider uses the network layer (MINA) for front-end services and the Apache Directory read-optimized backing store, accessed via JNDI, as its persistent store.

The ApacheDS DNS provider, in conjunction with MINA and the ApacheDS LDAP JNDI store, provides an easy-to-use yet fully-featured name resolution service. As implemented within the Apache Directory, it will provide:

  • Domain name service (RFC 1034, 1035)
  • Service location support (SRV) (RFC 2782)
  • Certificate support (CERT) (RFC 2782)
  • Security Extensions (DNSSEC) (RFC 2535)
  • Secure query and dynamic update support (GSS-TSIG) (RFC 3645)
  • LDAP/JMX management
  • UDP and TCP Support (MINA)
  • Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

Basic Testing

On Linux, a typical invocation of dig looks like:

dig @server name type

If no type argument is supplied, dig will perform a lookup for an A record. For example:

bash-2.05b# dig @localhost www.example.com

ApacheDS schema for storing DNS zones in LDAP

Abstract objectClass used to build all DNS record objectclasses

objectclass apacheDnsAbstractRecord
  apacheDnsName        A sequence of labels representing a domain name or host name
  apacheDnsType        The type of a resource record
  apacheDnsClass       The class of a resource record
  apacheDnsTtl         An integer denoting time to live

Address (A) record

objectclass apacheDnsAddressRecord
  apacheDnsName        A sequence of labels representing a domain name or host name
  apacheDnsType        The type of a resource record
  apacheDnsClass       The class of a resource record
  apacheDnsTtl         An integer denoting time to live
  apacheDnsIpAddress   A 4 octet IP address

Pointer (PTR) record

objectclass apacheDnsPointerRecord
  apacheDnsName        A sequence of labels representing a domain name or host name
  apacheDnsType        The type of a resource record
  apacheDnsClass       The class of a resource record
  apacheDnsTtl         An integer denoting time to live
  apacheDnsDomainName  A domain name, i.e. a sequence of dotted labels

Name Server (NS) record

objectclass apacheDnsNameServerRecord
  apacheDnsName        A sequence of labels representing a domain name or host name
  apacheDnsType        The type of a resource record
  apacheDnsClass       The class of a resource record
  apacheDnsTtl         An integer denoting time to live
  apacheDnsDomainName  A domain name, i.e. a sequence of dotted labels

Start Of Authority (SOA) record

objectclass apacheDnsStartOfAuthorityRecord
  apacheDnsName        A sequence of labels representing a domain name or host name
  apacheDnsType        The type of a resource record
  apacheDnsClass       The class of a resource record
  apacheDnsTtl         An integer denoting time to live
  apacheDnsSoaMName    The domain name of the server that was the primary source of data for this zone
  apacheDnsSoaRName    The domain name which specifies the mailbox of the person responsible for this zone
  apacheDnsSoaSerial   The unsigned 32 bit version number of the original copy of the zone
  apacheDnsSoaRefresh  A 32 bit time interval before the zone should be refreshed
  apacheDnsSoaRetry    A 32 bit time interval that should elapse before a failed refresh should be retried
  apacheDnsSoaExpire   A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative
  apacheDnsSoaMinimum  The unsigned 32 bit minimum TTL field that should be exported with any RR from this zone

Configuring DNS Zones

The AUXILIARY 'dcObject' objectClass

( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )

An example entry using the STRUCTURAL objectClass domain

dn: dc=tcp,dc=example,dc=com
objectClass: top
objectClass: domain
dc: tcp
description: a placeholder entry used with SRV records

The STRUCTURAL 'domain' objectClass

( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
MUST dc
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description $ o $
associatedName ) )

An example entry using the AUXILIARY objectClass dcObject

dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: example
o: Example Inc.

Resources

DNS Best Practices

DNS Testing Tool

Useful tool for testing DNS configuration: www.dnsreport.com

There are other tools available from the same people, at www.dnsstuff.com, but I have not tested any of them.

  1. MX - Change MX records from CNAMEs to A records. This is supposed to improve lookup speed, and an MX pointing to a CNAME is an RFC violation.
  2. SOA - Change SOA values to come in line with the recommended values, per dnsreport.com.
  3. PTR - Add PTR records for server1.example.com. This is to address an error being generated by AOL and Hotmail, which use reverse lookups on mail servers to weed out spam. Mail from the example.com mailing lists has increasingly been bounced by AOL and Hotmail as spam, and header inspection points to the lack of a PTR record. Setting PTR records at the hosting provider is a relatively new feature, probably added to address this problem.

Notes

A Zone is a Pruned Subtree

RFC 1034 section 4.2: a zone is a "pruned subtree."
A subtree of 1..n nodes (domain names).
Zones are split along lines of organizational control.
A zone is a set of types.
The highest node contains the SOA; the SOA is 1..1 with the highest node.
Everything below the SOA is authoritative.
The highest node contains 1..n NS records.
Authoritative NS records appear only at the top of the zone.
A domain name identifies a node.
A node is a set of RRs.

NS in leaf is:

  • non-authoritative
  • referral
  • aka "delegation NS RR"

A in leaf is:

  • non-authoritative
  • aka "glue RR"

Iterative - the server refers the client (preferred, required)
Recursive - the server pursues the query on behalf of the client (optional)
Cache - an in-memory, non-authoritative partition
Authority - points to the authority

Non-recursive responses (RFC 1034 section 4.3.1):

  1. error
  2. answer
  3. referral
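As an added example (not code from the original page or from ApacheDS), the following Python loads a constructed set of RRs written with the apacheDns* attributes from the schema section above and runs a simplified RFC 1034 section 4.3.2 walk over the pruned subtree, producing the three non-recursive outcomes listed here: error, answer, or referral (the delegation NS RRs plus glue A RRs). Representing each LDAP entry as a plain dict, the sample names, and the 192.0.2.0/24 documentation addresses are assumptions.

```python
"""Non-recursive lookup against a zone stored as ApacheDS DNS entries (RFC 1034 section 4.3.2)."""
from collections import defaultdict

# Constructed sample: one dict per LDAP entry, using the apacheDns* attribute names from the schema.
ZONE_ENTRIES = [
    {"apacheDnsName": "example.com", "apacheDnsType": "SOA", "apacheDnsSoaMName": "ns1.example.com",
     "apacheDnsSoaRName": "hostmaster.example.com", "apacheDnsSoaSerial": "2024010101"},
    {"apacheDnsName": "example.com", "apacheDnsType": "NS", "apacheDnsDomainName": "ns1.example.com"},
    {"apacheDnsName": "ns1.example.com", "apacheDnsType": "A", "apacheDnsIpAddress": "192.0.2.1"},
    {"apacheDnsName": "www.example.com", "apacheDnsType": "A", "apacheDnsIpAddress": "192.0.2.10"},
    {"apacheDnsName": "a.svc.example.com", "apacheDnsType": "A", "apacheDnsIpAddress": "192.0.2.11"},
    # sub.example.com is delegated: its NS RR is a non-authoritative referral, the A below it is glue.
    {"apacheDnsName": "sub.example.com", "apacheDnsType": "NS", "apacheDnsDomainName": "ns.sub.example.com"},
    {"apacheDnsName": "ns.sub.example.com", "apacheDnsType": "A", "apacheDnsIpAddress": "192.0.2.20"},
]


def build_zone(entries):
    """Index RRs by owner name and type; the owner of the SOA is the zone apex."""
    nodes, apex = defaultdict(lambda: defaultdict(list)), None
    for e in entries:
        name = e["apacheDnsName"].lower()
        nodes[name][e["apacheDnsType"]].append(e)
        if e["apacheDnsType"] == "SOA":
            apex = name
    return apex, nodes


def lookup(zone, qname, qtype):
    """Return (outcome, rrs) where outcome is 'error', 'answer' or 'referral'."""
    apex, nodes = zone
    qname = qname.lower().rstrip(".")
    if qname != apex and not qname.endswith("." + apex):
        return "error", []  # outside the pruned subtree this server is authoritative for
    # Descend from the apex one label at a time; a node below the apex that holds NS RRs is a
    # zone cut, so the walk stops there with a referral (NS RRs plus glue A RRs under the cut).
    current = apex
    for label in reversed(qname[: len(qname) - len(apex)].strip(".").split(".")):
        if not label:
            break
        current = label + "." + current
        if "NS" in nodes.get(current, {}):
            ns_rrs = nodes[current]["NS"]
            glue = [a for ns in ns_rrs if ns["apacheDnsDomainName"].lower().endswith("." + current)
                    for a in nodes.get(ns["apacheDnsDomainName"].lower(), {}).get("A", [])]
            return "referral", ns_rrs + glue
    if current in nodes:
        return "answer", list(nodes[current].get(qtype, []))  # empty list means NODATA
    if any(n.endswith("." + qname) for n in nodes):
        return "answer", []  # empty non-terminal (like a placeholder above SRV names): NODATA
    return "error", []  # no such name: NXDOMAIN
```

Note that a name with no RRs of its own but with names beneath it (the role of the dc=tcp placeholder entry above) yields an empty answer rather than a name error.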

Unit tests for all of the RFC 1034 section 6.2.* examples
Key algorithm: RFC 1034 sections 4.3.1 and 4.3.2

Sender Permitted From
Secret Key Transaction Authentication for DNS (TSIG)