Status of DNS

David Lawrence, Nominum, Inc.

Mathias Koerber, Nominum, Inc.

ammended 24aug2001

David Conrad, Nominum, Inc.

Overview

• Name space hierarchy• Multilingual DNS• Software status

New generic TLDs

• ICANN adopted 7 new gTLDs• .aero (Air-tranport industry)• .biz (businesses)• .coop( cooperatives)• .info (unrestricted use)• .museum (museums)• .name (individuals)• .pro (accountants, lawyers etc)

• Expected to take up operation later this year

Root servers

• Root servers handle just the root zone• TLD's moved to separate servers

Multilinugual DNS, IETF

• Current IETF track focusing on application-only solutions

• Based on consensus of working group at San Diego IETF

• Will use an ASCII-Compatible Encoding (ACE) of Unicode.

• New IETF IDN WG task force formed to pick an ACE.

Multilingual DNS, IETF (2)

• IETF is committed to the principle of a single unified root for the Internet.

• Fast-tracked IDN within IETF.• Expect final standard in late 2001.

Multilingual DNS, Other Organizations

• MINC - Multilingual Internet Names Consortium• JET- Joint Engineering Taskforce

• CNNIC, JPNIC, KRNIC and TWNIC

• CDNC - Chinese Domain Name Consortium• CNNIC, HKNIC, MONIC, and TWNIC

• AINC - Arabic Internet Names Consortium• INFITT - Int'l Forum for IT in Tamil• ... more to come!

Multilingual DNS, MINC

• Formed early summer, 2000.• Working on both interoperability testing and

registration policy.• Testing plan is being developed now

• Intent is to contract one more organizations to perform testing on the behalf of MINC.

• Would certify software with a MINC seal as being IDN-compatible.

Software Status

• BIND-9.1.3 released• full BIND-9 release• complete re-write (no code from BIND-8 remains)• improved security (no glue-fetching by default, always

uses ID-pool for query/reply identification)• 9.2 in release candidate stage, Final in two weeks?

BIND-9 highlights:

• Multi-threading support (on MT-capable OSes)• Views• EDNS0 support (for future additions)• Full IPv6 & DNSSEC support• Zone transfers built-in (no separate executable)• named-checkconf & named-checkzone scripts

help zone-checking

BIND-9.1.x

• lightweight resolver• library• lwresd daemon• required for IPv6 (DNAME chaining, A6 record

handling)

• rndc remote nameserver administration tool• improved control over dynamic updates: update-

policy• new algorithm scheduling SOA queries - scales

better• hooks for DB backend

upgrade to BIND-9

• changes in named.conf syntax may require changes to backend tools

• changes to logging categories etc.• default TTL handling has changed• stricter zonefile syntax checking• stricter named.conf syntax checking• statistics will be available through rndc

Software status

• bugfix releases• 8.2.3: fixes vulnerability, exploits publically available!• recommended not to run BIND <= 8.2.2p7 anymore• 4.9.8: vulnerability fix for 4.9.7• BIND-9 not affected (new codebase!)• use of BIND-4 is not recommended!• 8.2.5 is in RC stage• 8.2.4 recommended for those who CAN’T migrate to 9• 8.2, 8.2.1, 8.2.2 all have publicly available exploits

new developments will be made to BIND-9

• BIND-9.2 has:• no SNMP support (DNS MIBS are historic)• BIND 8 resolver library for backward compatability• Internal parser to catch “corner” cases.• cache-size cap• AAAA synthesis if only A6 exists

Summary

• DNS is a critical part of the Internet Infrastructure• A successful Internet needs a well-run DNS

• Internet Enhancements (IPv6, security etc) require DNS enhancements• A lot of progress is being made in DNS

• On-going testbeds provide participants with valuable experience for upcoming implementation

Summary (cont.)

• Keep up to date with current versions!• better security (and bugfixes)• new features -> new services

Future…

• ISC will continue to track IETF DNS activities• OPT-IN, Delegation Signer, IDN, etc.

• Code continues to evolve• Genetic diversity encourages interoperability testing• Bug Fixes, Portability, Code contributions• Tool developments

• Do you want a feature?• ISC will be glad to consider your request… have cash

or check ready… :)