DN42: Hierarchical Domain Name System

From NixNodes wiki

The system is split into three tiers (0-2) running across four server groups, each tier delegating to the next:

  • Tier 0
    • <a-z>.root-servers.dn42
  • Tier 1
    • <a-z>.zone-servers.dn42 (Forward)
    • <a-z>.in-addr-servers.dn42 (Reverse)
  • Tier 2
    • <a-z>.dn42-servers.dn42

Nameserver and glue information is extracted from registry objects associated with specific server groups.

A set of tools with a wrapper for easily building zones and BIND configuration has been created, including a binary for working with inetnum object files and xuu's subnettr.py (builds ip6 zones). Installation instructions can be found here.

A server monitoring service has been set up, showing for each server the registry revision, person handle and time of last update.

Each built zone is required to contain a TXT record identifying the component version, the person handle, the monotone revision it was last built from and the time of the last build:

  • ver=<component version>
  • person=<nic-hdl>
  • rev=<revision>
  • ts=<timestamp>
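The following is an added example (not zonebuild's or the monitoring service's own code) of how a monitor can locate that build record in a zone file, pull out the fields it displays, and flag a zone that has not been rebuilt recently. It assumes ts is a Unix epoch timestamp in seconds and that the record sits at a known owner name (the sample zone and its _build owner are constructed here):

```python
import re
import time

REQUIRED = ("ver", "person", "rev", "ts")
# owner [ttl] [IN] TXT "text"  -- the zone-file form of a TXT record
_TXT_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"(?P<text>[^"]*)"', re.I)


def parse_build_txt(text):
    """Split 'ver=.. person=.. rev=.. ts=..' into a dict.
    Returns None when any of the four required keys is absent."""
    fields = dict(item.split("=", 1) for item in text.split() if "=" in item)
    return fields if all(key in fields for key in REQUIRED) else None


def check_build_record(zone_text, owner, max_age, now=None):
    """Locate the build record at `owner` in zone-file text. Returns
    (fields, problems): fields for display, problems a monitor should flag."""
    now = time.time() if now is None else now
    for line in zone_text.splitlines():
        m = _TXT_LINE.match(line)
        if not m or m.group("owner").rstrip(".") != owner.rstrip("."):
            continue
        fields = parse_build_txt(m.group("text"))
        if fields is None:
            return None, [f"build record at {owner} lacks a required key"]
        try:
            age = now - int(fields["ts"])  # assumption: ts is epoch seconds
        except ValueError:
            return fields, ["ts is not an integer epoch timestamp"]
        problems = []
        if age < 0:
            problems.append("build time lies in the future (clock skew?)")
        elif age > max_age:
            problems.append(f"zone is stale: last built {int(age)}s ago")
        return fields, problems
    return None, [f"no build TXT record found at {owner}"]


# Constructed sample zone fragment (not a real dn42 zone).
SAMPLE_ZONE = """\
$ORIGIN dn42.
@   3600 IN SOA z.zone-servers.dn42. hostmaster.dn42. 2 3600 900 604800 300
@   3600 IN NS  z.zone-servers.dn42.
_build 300 IN TXT "ver=0.1 person=EXAMPLE-DN42 rev=abc123 ts=1700000000"
"""

if __name__ == "__main__":
    print(check_build_record(SAMPLE_ZONE, "_build", max_age=86400, now=1700003600))
```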


Zonebuild configuration

Assume zonebuild is located at /etc/bind/zonebuild

vi /etc/bind/zonebuild/scripts/config.user

Items in this array define for which IPv4 registry objects zones will be built. It is used globally. Entries are filenames in data/inetnum.

ARPA_ZONES=(zone1 zone2 ..)

Items in this array define which IPv6 zones will be built. It is used globally. Entries are zone names without the ip6.arpa suffix.

ARPA_IPV6_ZONES=(zone1 zone2 ..)

Defines which arpa tiers will be built.

Flags:

  • 1 - Tier 1 (inetnum)
  • 2 - Tier 2 (rfc2317)

ARPA_TIERS=<flags>

Tier 0


Assume server name is z.root-servers.dn42

This variable will be used in SOA records.

SERVER_NAME_TIER0=z.root-servers.dn42

Get the root zone from one of the ICANN root servers listed in the $ICANN_AXFR_ENABLED_ROOTS array and merge it into the dn42 root zone.

MERGE_ICANN_ROOT=1

ICANN root servers list (IP addresses only)

ICANN_AXFR_ENABLED_ROOTS=(server1 server2 ..)

Tier 1


Forward


Assume server name is z.zone-servers.dn42

SERVER_NAME_TIER1="z.zone-servers.dn42"

Defines for which zones forward delegations will be built. Requires the zone file to exist in registry.

TIER1_ZONES=(zone1 zone2 ..)

Reverse


Assume server name is z.in-addr-servers.dn42

SERVER_NAME_TIER1_ARPA="z.in-addr-servers.dn42"

Generate the /24 (class C) parent records for RFC 2317 zones.

BUILD_RFC2317_SUPERNETS=1

Tier 2 (RFC2317)


Assume server name is z.dn42-servers.dn42

SERVER_NAME_TIER2_ARPA="z.dn42-servers.dn42"
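As an added example (not zonebuild's own code) of what the Tier 1 supernet build and the Tier 2 RFC 2317 zones imply: for a classless delegation such as 172.23.0.48/28, the /24 parent zone needs NS records for an RFC 2317 sub-zone plus one CNAME per address pointing into it. The sample delegations and server names below are constructed; the general grouping by parent /24 and the overlap check are this example's own additions.

```python
import ipaddress
from collections import defaultdict


def _names(net, sep):
    """Parent /24 zone name and the RFC 2317 sub-zone name for `net`."""
    o = str(net.network_address).split(".")
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    # RFC 2317 labels the sub-zone "<first octet><sep><prefix length>";
    # "/" is the RFC's convention and "-" a common alternative.
    return parent, f"{o[3]}{sep}{net.prefixlen}.{parent}"


def rfc2317_parent_records(cidr, servers, sep="/"):
    """Zone-file lines the /24 parent needs for a classless delegation of
    `cidr` to `servers`: NS records for the sub-zone, then one CNAME per
    address of the block pointing into that sub-zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError(f"{cidr}: RFC 2317 covers IPv4 prefixes longer than /24")
    parent, subzone = _names(net, sep)
    lines = [f"{subzone} IN NS {s.rstrip('.')}." for s in servers]
    for addr in net:  # whole block, network and broadcast addresses included
        last = str(addr).rsplit(".", 1)[1]
        lines.append(f"{last}.{parent} IN CNAME {last}.{subzone}")
    return lines


def rfc2317_supernets(delegations, sep="/"):
    """Group delegations by parent /24, as a supernet build does.
    `delegations` is an iterable of (cidr, [servers]); returns
    {parent zone: [lines]}. Overlapping blocks under one parent are
    rejected, since an address can carry only one CNAME."""
    zones, used = defaultdict(list), defaultdict(set)
    for cidr, servers in delegations:
        lines = rfc2317_parent_records(cidr, servers, sep)  # also validates cidr
        net = ipaddress.ip_network(cidr)
        parent, _ = _names(net, sep)
        if used[parent].intersection(net):
            raise ValueError(f"{cidr} overlaps an earlier delegation in {parent}")
        used[parent].update(net)
        zones[parent].extend(lines)
    return dict(zones)


if __name__ == "__main__":
    # Constructed sample: two tier-2 delegations under the same /24.
    sample = [("172.23.0.48/28", ["a.dn42-servers.dn42", "b.dn42-servers.dn42"]),
              ("172.23.0.64/26", ["c.dn42-servers.dn42"])]
    for zone, lines in rfc2317_supernets(sample).items():
        print(f"; {zone}\n" + "\n".join(lines))
```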

Build zones

/etc/bind/zonebuild/scripts/run.sh -[option] <zone> [<zone> ..]

Zones:

  • root - root-servers.dn42
  • zone - zone-servers.dn42
  • arpa - in-addr-servers.dn42
  • res - resolvers.nic.dn42

Options:

  • update - Pull from git repo before building (updates zonebuild package)
  • nosync - Do not pull from the monotone repo before building
  • config <name> - Load scripts/<name> configuration file

BIND configuration

  • For all tiers, configure /etc/resolv.conf:
nameserver 127.0.0.1

Make sure no network init scripts overwrite this setting.

Tier 0


Root

Global options

options {
    listen-on port 53 {
        127.0.0.1;
        172.2x.x.x;
    };
    recursion yes;
    allow-recursion { 127.0.0.1; };
    allow-query-cache { any; };
    allow-transfer { any; };
    allow-query { any; };
    version "[hidden]";
    dnssec-enable yes;
    root-delegation-only;
    empty-zones-enable no;
    additional-from-auth yes;
    auth-nxdomain no;
    ...
};
  • Include:
include "/etc/bind/tier0/named.conf";

Tier 1


Forward & reverse

Global options

options {
    listen-on port 53 {
        127.0.0.1;
        172.2x.x.x;
    };
    recursion yes;
    allow-recursion { 127.0.0.1; };
    allow-query-cache { any; };
    allow-transfer { any; };
    allow-query { any; };
    version "[hidden]";
    dnssec-enable yes;
    empty-zones-enable no;
    additional-from-auth yes;
    auth-nxdomain no;
    ...
};
  • Include:
include "/etc/bind/tier1/named.conf";

Tier 2


  • Include:
include "/etc/bind/tier2/named.conf";

Resolver


To add a resolver to the anycast pool, configure BIND to listen on 172.23.0.53.

Global options

options {
    listen-on port 53 {
        127.0.0.1;
        172.2x.x.x;  // unicast address
        172.23.0.53; // anycast address
    };
    ..
    recursion yes;
    allow-recursion { any; };
    ..
};
  • Include:
include "/etc/bind/res/named-forwards.conf";
  • To use the alt-root:
#include "/etc/bind/res/named-forwards.conf";
include "/etc/bind/res/named.conf";

It is possible to use /etc/bind/res/hints.db in a hint zone without the RFC 1918 forwards, but then BIND rejects replies from the internet that carry RFC 1918 addresses. Most other resolver software probably would not do this.

ExaBGP

Consider using ExaBGP to monitor the resolver and announce or withdraw the anycast route as the server's operational status changes. Instructions with examples follow.

Installation

cd /opt
git clone git://github.com/Exa-Networks/exabgp.git
mkdir /etc/exabgp

# Edit and save config/scripts described below

chmod +x /etc/exabgp/dn42-anycast-watchdog.sh 
chmod +x /opt/exabgp/run.sh

  • Install and edit scripts and configuration files:

/etc/exabgp/dn42-anycast-watchdog.sh

#!/bin/bash
# ExaBGP process script: every line printed to stdout is read by ExaBGP as
# an API command, so the announce/withdraw echoes below drive the BGP route.
DIG=dig
TARGETS=( "172.23.0.53" )   # resolver address(es) to probe
ZONE=dn42
ROUTE='172.23.0.48/28'      # anycast prefix announced while the resolver is healthy
NEXTHOP='172.2x.x.11'       # own IP

INTERVAL=60                 # seconds between health checks

# The reply must contain the expected delegation, not merely any answer.
VALIDATE_KEYWORD='NS.*zone-servers\.dn42\.'

###########################

RUN_STATE=0   # 0 = route withdrawn, 1 = route announced

sleep 5       # give ExaBGP time to bring the session up

check_targets() {
    for item in "${TARGETS[@]}"; do
        "${DIG}" @"${item}" "${ZONE}" ANY | grep -Eq "${VALIDATE_KEYWORD}" || return 1
    done
    return 0
}

while true; do
    if [ "${RUN_STATE}" -eq 0 ]; then
        # Resolver answers correctly: start announcing the anycast route.
        check_targets && {
            RUN_STATE=1
            echo "announce route ${ROUTE} next-hop ${NEXTHOP}"
        }
    else
        # Resolver failed a check: withdraw so traffic moves to another pool member.
        check_targets || {
            RUN_STATE=0
            echo "withdraw route ${ROUTE} next-hop ${NEXTHOP}"
        }
    fi

    sleep "${INTERVAL}"
done

exit 0


/etc/exabgp/exabgp.conf

group dn42-anycast-dns {

  neighbor 172.2x.x.10 {
    router-id 172.23.0.53;
    local-address 172.2x.x.11;
    local-as <as>;
    peer-as <as>;

  }
  process watch-dn42-anycast-dns {
     run /etc/exabgp/dn42-anycast-watchdog.sh;
  }

}

/opt/exabgp/run.sh

#!/bin/bash
# Start/stop wrapper for the ExaBGP instance that announces the anycast route.

PID_FILE=/var/run/exaBGP/exabgp_PID

######################################

EXA_PATH=/opt/exabgp/sbin/exabgp
EXA_LOG=/var/log/exabgp.log
CONF=/etc/exabgp/exabgp.conf

mkdir -p /var/run/exaBGP || exit 2

start() {
    [ -f "${PID_FILE}" ] && {
        echo "WARNING: $(cat "${PID_FILE}"): exabgp already running"; return 1
    }
    # Run ExaBGP in the background, capturing its output in the log file.
    "${EXA_PATH}" "${CONF}" &> "${EXA_LOG}" &
    cpid=$!
    [ "${cpid}" -eq 0 ] && {
        echo "ERROR: could not start process: ${cpid}"; return 1
    }
    echo "${cpid}" > "${PID_FILE}"
}

stop() {
    [ -f "${PID_FILE}" ] || return 1
    # Kill the watchdog child processes first, then ExaBGP itself.
    pkill -9 -P "$(cat "${PID_FILE}")"
    kill -9 "$(cat "${PID_FILE}")"
    rm -f "${PID_FILE}"
}

case ${1} in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 1
        start
        ;;
    *)
        echo "usage: ${0} <start|restart|stop>"; exit 1
        ;;
esac

exit 0

  • Run:
/opt/exabgp/run.sh <start|restart|stop>

Monitor the log and wait for the BGP session to establish:

tail -f /var/log/exabgp.log

Remove any static routes to 172.23.0.48/28 in your network, and let the route propagate dynamically as received from ExaBGP.

Zone information

  • ICANN - Indicates whether parts of the zone information were extracted from the public domain name system.
  • Auth - Relevant zones for which this zone is authoritative
  • Delegate - Servers to which the Auth zone(s) are delegated

Tier | Zone | ICANN | Auth | Delegate
-----|------|-------|------|---------
0 | . | 1 | dn42., hack., fffh. | <a-z>.zone-servers.dn42
0 | 172.in-addr.arpa. | 1 | 20.172.in-addr.arpa., 21.172.in-addr.arpa., 22.172.in-addr.arpa., 23.172.in-addr.arpa., 31.172.in-addr.arpa. | <a-z>.in-addr-servers.dn42
0 | 10.in-addr.arpa. | 0 | <1-255>.10.in-addr.arpa. | <a-z>.in-addr-servers.dn42
0 | d.f.ip6.arpa. | 0 | <0-f>.d.f.ip6.arpa. | <a-z>.in-addr-servers.dn42
0 | root-servers.dn42., zone-servers.dn42., in-addr-servers.dn42., dn42-servers.dn42. | 0 | | <a-z>.root-servers.dn42
1 | dn42., hack., ffhh. | 0 | | <a-z>.zone-servers.dn42
1 | 20.172.in-addr.arpa., 21.172.in-addr.arpa., 22.172.in-addr.arpa., 23.172.in-addr.arpa., 31.172.in-addr.arpa., 10.in-addr.arpa., d.f.ip6.arpa. | 0 | | <a-z>.in-addr-servers.dn42
2 | *.in-addr.arpa. (RFC2317) | 0 | | <a-z>.dn42-servers.dn42