INTERNET-DRAFT                                                Peter Koch
Expires: September 2000                           Universitaet Bielefeld
                                                              March 2000

              RIPE DNS WG Guide To Setting Up a DNS Server
                  draft-koch-ripe-dns-setup-guide-00.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Comments should be sent to the author or the RIPE DNS WG mailing list
   <dns-wg@ripe.net>.

Abstract

   This document is intended to guide novice and/or part time DNS zone
   administrators in getting their DNS zones up and running. It is not
   sufficiently detailed to replace a book about DNS.

1. Introduction

   The DNS is a distributed, redundant, hierarchical namimg scheme for
   mapping so called "domain names" into addresses and other Internet
   infrastructure elements. You will learn about those later.

   You will normally use two distinct services within the DNS. While
   using your web browser and email software your system will have to
   translate (foreign) domain names into IP addresses. This is called
   "resolving".  The other task is presenting your domain name, once you



Koch                     Expires September 2000                 [Page 1]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   have one, to other parties on the Internet to enable them to resolve
   your or your organisation's name into some address. This part is
   called "serving".  While both deal with DNS and both tasks may even
   be carried out by the very same piece of software on your machine,
   they are different. This document is primarily concerned with setting
   up a DNS server, but at the end some information is provided on "DNS
   resolving" issues.

   There are different Top Level Domains (TLDs) to register with, such
   as "COM" or those country-code based like "FR" for France and "DE"
   for Germany. You may also find offers for registration within "new"
   or "private" TLDs, e.g. "WEB". At the moment these are bogus. If in
   doubt, check the official IANA list [IANATLD].

   To register a domain name, in most cases two or more nameservers need
   to be set up to serve the corresponding zones, i.e. answer queries
   dynamically sent in from all over the Internet. "In most cases"
   means, that some Top Level Domain (TLD) registries will allow the
   existence of real data instead of just pointers to nameservers in
   their database. Whether this is the case you should ask your ISP or
   the registry responsible for the TLD you are interested in. Do not
   forget to ask for the cost of making modifications to the data later.

   If your organisation is going to expose only a small number of
   systems to the globally visible Internet, maybe only a web server and
   a mail relay, you will have to publish only a very small set of data
   in the DNS. In this case - but sometimes also in others - it is not
   really necessary to bother with the operation of an own DNS server.
   Your ISP may offer running the DNS server and maintaining the zone
   data for you. This value added service, however, may require an
   additional fee.  While DNS isn't rocket science, it is a mission
   critical service, and there are some trapdoors potentially disturbing
   the proper operation. You may wish to take the opportunity having
   this done by somebody who makes a living out of it.

   For those of you who choose to do the job themselves, we want to help
   you navigate around the most common pitfalls.

   Apart from your own nameserver the DNS protocol requires a set of so
   called "secondary" or "slave" servers, which will publish the same
   data about your zones your server does, but which are placed at other
   parts of the Internet.  In most cases your ISP will offer help in
   locating proper secondary servers or even run one or more of them
   themselves. Again, this service may require an additional fee, so
   please consult your ISP.

   You may find some documentation suggesting to have two nameservers at
   your installation. This is not considered reasonable practice and



Koch                     Expires September 2000                 [Page 2]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   will, apart from increasing your work (and even network) load, give
   you nothing.

   Now that you have a domain name, a list of secondaries for serving
   your zone and some address space, you can start constructing a zone.
   Consult the documentation of your DNS server software for where to
   start, this document will assist you in filling in the proper values.

2. DNS Resource Records

   The information in the DNS is handled in pieces of "resource records"
   (RRs).  There are different types of RRs, every resource record is
   bound to a domain name (the "owner"). A single "owner" may own
   several RRs of equal or different types. We will only talk about
   "SOA", "NS", "MX", "A" and "CNAME" RRs.

2.1. The SOA RR Type

   While some people claim the Internet being the end of all
   authorities, one of the first things you will have to enter is a
   "Start Of Authority" record.  There is a single SOA record per zone
   containing some meta information like who the maintainer is and how
   often secondaries should check with the primary for modifications to
   the zone.

   There are seven elements in an SOA record:

   1) The MNAME (master name) must give the name of the primary master
      server for that zone, i.e. the machine you are running your DNS
      server on.  There is no need to reserve a special name, like "ns"
      or "dns" for this system, so use the canonical name of that
      machine.  [XXX explain FQDNs]

   2) The RNAME is to publish a mail address of a person or role account
      dealing with this zone. The "@" must be converted to a "." before
      you enter this, so postmaster@bricks.example becomes
      postmaster.bricks.example.  Be sure to name a working address here
      (NB: your domain is not yet registered, but the local part should
      be defined at your site). Do not accept any default your software
      may suggest without checking its validity. If your addresses
      follow the popular scheme "first.last@canonical.example", although
      technically possible, do not use any of these here. The
      distinction between the "." seperating first and last name and the
      translated "@" will eventually be lost, leading to an unreachable
      email adress due to wrong retranslation. The same caveat holds for
      other addressing schemes with dots in the local part
      ("10000.0815@kangooserve.example").




Koch                     Expires September 2000                 [Page 3]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


      The best practice is to define (and maintain) a dedicated mail
      alias "hostmaster" [RFC2142] for your DNS operations.

   3) The SERIAL number

      Secondaries have to check with the primary for new versions of a
      DNS zone.  For efficiency reasons, serial numbers are compared
      only. If the serial number at the primary is higher than the
      secondary's local copy, the zone is copied. If the serial at the
      primary is equal to or less than the one at the secondary nothing
      happens. This means that after every modification to the zone you
      have to increase the serial and you should in any case avoid to
      decrease it. Update the serial number even if you make mulltiple
      changes within short intervals, one of the secondaries may have
      fetched its new copy in the meantime.

      The serial number is a an unsigned 32bit integer with no further
      implied meaning. Also, the increments do not have any special
      meaning. You can grow the serial by 1, 10 or 170 every time as
      long as it just always increases. The serial number 0 should be
      avoided due to some problems in certain software versions.

      There is a popular scheme which builds the serial number by using
      the actual date, e.g. 1999012300 for a zone changed at January,
      23rd, 1999.  The trailing two digits leave enough space for 100
      modifications per day.  This scheme is called YYYYMMDDnn, some
      similar are also in use. Be sure to use a four digit year, notice
      that the month precedes the day and do not forget to update the
      year value upon the first change every year.

   4) The REFRESH value

      This value controls how frequently the secondaries will check with
      your primary to see whether your zone was modified and they must
      update their copy. Modern DNS server software will send out
      additional notifications from the primary to the secondaries upon
      reload of a modified zone, so usually the information is
      distributed much faster than this. However, notification packages
      may be lost, so the secondary-initiated checks are still useful. A
      value of one day (86400 seconds) is recommended here.

   5) The RETRY value

      Should a secondary be unable to reach the primary for whatever
      reason, the next attempt is started in intervals given by RETRY
      until the zone could be successfully checked or it expires (see
      below). Any value larger than REFRESH doesn't make sense, usually
      the maximum of two hours and a fraction of 1/6 to 1/4 of REFRESH



Koch                     Expires September 2000                 [Page 4]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


      are good choices. So, if you followed the recommendation above,
      enter 7200 (two hours) here.

      The lower the values for REFRESH and RETRY, the more load is put
      on the secondary servers. This is not a big deal for a single
      zone, but it has to scale for large nameservers serving several
      thousand zones.  Therefore your ISP resp. the operator(s) of your
      secondaries may give you additional advice and will probably
      recommend different values.  If in doubt, ask them first.

   6) The EXPIRE value

      Should a secondary be unable to check the zone with the primary
      for a period of time specified by EXPIRE, it will just do that -
      expire the zone.  Unfortunately it is not precisely specified what
      that means, but from that time on you can no longer expect that
      secondary to hand out any useful information about your zone. Of
      course, this is a scenario you will want to avoid, because it may
      lead users to wrong addresses or even make them feel your or your
      web site's domain name do no longer exist. There are several
      reasons, why a secondary's check would fail: temporary line
      failures, machine downtimes and most importantly: configuration
      errors at your primary.  To give yourself a chance of detecting
      and repairing such problems, the EXPIRE value should be long
      enough to cover even a short holiday. A value of 3600 hours
      (3600000) is traditionally recommended here. Be especially warned
      that values of a week or less, while having no benefit, have
      drasticly proven to be too short.

   7) The MINIMUM value

      There are three different meanings applied to this, of which the
      first appeared in the original protocol specification but was
      never widely implemented. To explain the other two we need to tell
      about yet another DNS feature - caching. DNS servers are queried
      by DNS resolvers, and those resolvers usually remember (cache) any
      results seen for a certain amount of time. This way the total DNS
      traffic on the Internet, the server load and most importantly the
      response times will be reduced. There is both caching of RRs and
      negative caching, which means the knowledge of non-existance of a
      certain name or RR type will be maintained. The predicted lifetime
      (TTL) of such information is to be controlled by the zone
      administrator, every RR will be tagged with a TTL value when used
      to answer a DNS query.  There are different requirements for
      caching and negative caching. While RRs in a well established,
      stable zone can be cached for a day or two without problems,
      negative responses should only be cached in the range of hours.




Koch                     Expires September 2000                 [Page 5]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


      The remaining real meanings for the MINIMUM field now correspond
      to values for either the default caching TTL or the negative
      caching TTL. We are in a transition phase from the former to the
      latter, and actual interpretation depends on the software running
      on the primary and secondary servers.  If the old default TTL
      meaning is implied, use 172800, otherwise 3600.  If the servers
      run different software, use 172800 here and explicitly set the TTL
      for the SOA RR to 3600.


   A complete example would look like this

   bricks.example. 3600 IN SOA red.bricks.example. hostmaster.bricks.example. (
                                   1999012300
                                   86400
                                   7200
                                   3600000
                                   172800 )

2.2. The A RR Type

   One of the main tasks of the DNS is translating domain names in IP
   adresses.  This is done with A RRs. Their data portion contains a
   single IP address in dotted quad notation, like here:

   yellow.bricks.example.  IN      A 192.168.8.15

   Publishing addresses from the private address space should be
   avoided.  [XXX so why doesn't the example comply?]

2.3. The NS RR Type

   The NS RRs tell the world who is able to give out information about
   your zone.  Enter a single NS RR for every server which is intended
   to provide secondary service for your zone, see the list mentioned
   earlier. Do not enter random nameservers' names just because you have
   seen them somewhere. The administrators may not want to deal with
   that additional load and they may even - as a defense - provide
   explicit non-service.

   Apart from the secondaries you should enter a NS RR for your own name
   server here. However, this will make random sources direct DNS
   queries to your name server. There are several reasons why one might
   want to avoid this. Amongst others, you may live behind a dialup line
   and do not want it to be triggered by avoidable traffic. To
   accomplish this, there's a concept called "stealth" or "hidden"
   primary. It is implemented by not publishing NS RRs for the primary
   (and to be efficient, no NS RRs for any other of your systems,



Koch                     Expires September 2000                 [Page 6]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   either). All the DNS queries are then answered by the secondaries.
   This is only useful if the list of nameservers handed to the TLD
   registry does not contain your server, so consult with your ISP
   first. They may or may not support this concept and there may be an
   additional charge.

   The order of the NS RRs is not important, the protocol allows for
   arbitrary reshuffling of RRs of the same type at the same owner. So
   there's neither the need that the primary be the first in this "list"
   nor the guarantee that it will always be handed out in any particular
   position.

   bricks.example. IN      NS      red.bricks.example.

2.4. The MX RR Type

   Not every host is configured to receive mail and some domain names
   represent organisations, not single hosts, and should nonetheless be
   useful in addressing electronic mail. By using MX (mail exchanger)
   RRs you can define which host or group of host mail addressed to a
   certain domain should be sent to. Every MX RR has a precedence, lower
   values resulting in higher priority. The values have no intrinsic
   meaning, they're just for sorting the list.

   In this example

   bricks.example. IN      MX 100  black.bricks.example.
   bricks.example. IN      MX 200  mail-relay.YourISP.example.

   all mail to an address <user@bricks.example> will be sent to the host
   "black.bricks.example". Should that machine be unreachable, the mail
   would delivered to "mail-relay.YourISP.example" instead, which would
   later repeatedly try to bring the message to its destination.

   Do not enter any MX RRs pointing to a mail relay without prior
   agreement from that system's maintainers. They will usually not act
   as a relay for random targets, so your mail me be lost. In general
   your ISP will provide one or more mail relays, so ask them for
   assistance. Note that this relay for incoming mail may be different
   from that machine you send yourt outgoing mail to.

   As a target of an MX or NS resource record only domain names are
   allowed which directly resolve into an address. That means:

   1) The name you enter must exist. Note that your software may let you
      enter names which do not exist without complaining. It is the DNS
      administrators responsibility to check this. A very helpful tool
      for this purpose is "host" [HOST].



Koch                     Expires September 2000                 [Page 7]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   2) The name must really be a name. The DNS will not understand IP
      addresses here. Note however, that again your software may let you
      make the mistake but that it will definitely not bring you the
      results you wanted. Use only domain names here.

   3) The domain name used must directly resolve into an address, which
      means you must not use an alias name here and an A resource record
      must exist for that name. Note that unless the name is part of
      your namespace you must not enter that A record yourself.

2.5. The CNAME RR Type

   It is possible to specify alias names for machines, e.g. if your
   machine "yellow.bricks.example" is also your web server, you can
   define an alias "www.bricks.example" to point to the canonical name,
   "yellow.bricks.example" in this case.

   www.bricks.example.     IN      CNAME yellow.bricks.example.

   The name at the right hand side is the canonical name, whereas the
   owner on the left turns out to be the alias name. There are some
   caveats:  CNAME RRs, like sharks, eat all their siblings before they
   become visible, or in more formal wording: if a CNAME RR exists for
   an owner, no other RR for that owner may exist, neither CNAME nor any
   other type. [XXX DNSSEC] This means you not only do not need to, but
   you must not define any other RR in parallel. All RRs at the
   canonical name will equally be valid for the alias. In the example
   above, a query for an MX RR for "www.bricks.example" will return the
   MX RRs for "yellow.bricks.example" if there are any, which better be
   the case.

   If you want your web server to be addressable by "bricks.example" in
   addition to "www.bricks.example", resist the temptation to define a
   CNAME RR for the owner "bricks.example" pointing to
   "www.bricks.example" (or anywhere else). This would invalidate your
   zone, because the necessary SOA and NS RRs cannot coexist with the
   CNAME RR. Your software may let you do this, but it will lead to
   unfortunate results, including zone expiry at the secondaries.

   Use CNAME RRs with care, and have them point to your own systems
   only.

2.6. Wildcard owners

   Apart from the owner names seen so far, the DNS supports "wildcard"
   owners, which cover all names "below" a paricular domain name, unless
   such owner name is explicitly defined.




Koch                     Expires September 2000                 [Page 8]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   *.bricks.example.       IN      MX 100  red.bricks.example.

   This will make the DNS server return an appropriate response for
   queries for MX RRs for "green.bricks.example", "blue.red-
   bricks.example" and even "light.blue.bricks.example". However, the
   wildcard has two counter-intuitive properties:

   1) It does not cover any owner name for which *any* type of RR is
      explicitly defined. If you associate an A RR with the name
      "blue.bricks.example", the wildcard above will not lead to an MX
      RR defined for "blue.bricks.example". It is even worse: the
      wildcard would not even work for "blue.bricks.example" if you just
      defined any record for "dark.blue.bricks.example".

   2) It does not cover the name itself, which trivially follows from
      the previous paragraph. So, the wildcard above does not cover
      "red-bricks.example".

   Use of wildcard owners is most common, but not restricted to, for
   defining MX RRs. However, due to the problems described above and
   some other problems your mail server may encounter when it lives in a
   zone with wildcard MX RRs, they should be avoided. [XXX so list
   useful cases]

3. Valid hostnames

   There has been a lot of confusion on which characters are valid in
   hostnames.  Partly this has come from the question what a hostname
   is. A good rule of thumb is to consider every domain name with an A
   RR attached to it and every domain name expected to have an A RR
   attached to it (like targets in MX and NS RRs) a hostname.

   For domain names in general, no character restrictions apply.
   Hostnames are restricted to letters (since the DNS is case
   insensitive, no further distinction is necessary), digits, the hyphen
   and, of course, the dot to separate names on different domain levels
   (labels). A hyphen must not be the first or last character in a
   label.  The underscore "_" is not a valid character for hostnames,
   neither are the ampersand or a space, to name a few. There's nothing
   magic about the "_", it is just that it seems to be popular but was
   not included in the allowed set once it was defined.

   TLD registries will usually, although registering domain names
   instead of just hostnames, enforce hostname restrictions. They may
   also define additional syntax requirements. [XXX IDNS pointers]

4. Reverse Mapping




Koch                     Expires September 2000                 [Page 9]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


4.1. Conventional Reverse Mapping

   TBD

4.2. Classless Delegation

   TBD

4.3. 127.0.0.1 and "localhost" handling

   TBD

5. Mistakes to avoid

   Practice has been showing that novice DNS administrators tend to make
   some particular mistakes more often than others. The following list
   deals with the most common misunderstandings.

5.1. Missing trailing dots

   TBD

5.2. Secondaries not necessarily act as resolvers or forwarders

   As mentioned earlier, there is a difference between serving DNS zones
   and resolving DNS queries. Both services may be offered by the same
   machine, but for security, performance and various operational
   reasons, your ISP may have dedicated different systems to either
   task. [...]

5.3. Zone transfer restrictions can be too strict

   A zone transfer (AXFR) is a bulk transfer of all the DNS data
   contained in a DNS zone. Secondaries copy the zone data from the
   primary by the way of an AXFR query. On several occasions, malicious
   individuals or groups have been using this zone transfer for
   harvesting names and addresses. Later they probe each system found
   for well known security holes to find victims for system breakins. To
   avoid this, some people suggest to restrict outgoing zone transfers
   on your DNS server. While this "information hiding" may stop some
   kids, it will increase your system security be exactly zero.  First,
   to work, this scheme would have to be implemented at all your
   secondaries, too. You can't be sure about that and doing so would
   sometimes be infeasible for the respective server maintainers. Even
   worse, nobody could stop a harvester from querying for particular or
   popular names within your zone, like "www", "mail" or "ftp". At last,
   an intruder would not have to bother with asking the DNS in advance.
   They just scan complete IP address ranges for vulnerable systems. So,



Koch                     Expires September 2000                [Page 10]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   to be safe, protect your end systems and network infrastructure, do
   not just hide information.

   However, even if you choose to restrict AXFR, you must not prevent
   your zone's secondary servers from transferring the data. In addition
   the TLD registry and your ISP may require to AXFR your zone data for
   validation purposes.

   A last word on this: not all AXFR attempts will show you some hacker
   is looking at your data. Sometimes there are just curious
   individuals, somebody tracking down a problem or one of the various
   projects, which scan through the DNS to produce statistics (the
   monthly RIPE DNS hostcount is a prominent example). If in doubt,
   consult your ISP.

5.4. WINS lookup enabled

   TBD

6. Security Considerations

   [XXX DNSSEC, usual caveats]

7. Acknowledgements

   TBD

8. References


   [ALLIU98]   Albitz,P., Larson,M., Liu,C., "DNS and BIND", O'Reilly,
               3rd ed., September 1998

   [ALLAL98]   Albitz,P., Larson,M., Liu,C., "DNS on Windows NT",
               O'Reilly, November 1998

   [DNSRD]     Salamon,A., "DNS Resources Directory (DNSRD)",
               http://www.dns.net/dnsrd/

   [HOST]      Wassenaar,E., "host",
               http://www.nikhef.nl/user/e07/tools/host.html

   [IANATLD]   Internet Assigned Numbers Authority, "Top-Level Domains",
               http://www.iana.org/top-level-domains.html

   [RFC1034]   Mockapetris,P., "Domain Names - Concepts and Facilities",
               RFC 1034, STD 13, November 1987




Koch                     Expires September 2000                [Page 11]

INTERNET-DRAFT               RIPE DNS Guide                   March 2000


   [RFC1035]   Mockapetris,P., "Domain Names - Implementation and Specif-
               ication", RFC 1035, STD 13, November 1987

   [RFC1537]   Beertema,P., "Common DNS Data File Configuration Errors",
               RFC 1537, October 1993

   [RFC1912]   Barr,D., "Common DNS Operational and Configuration
               Errors", RFC 1912, February 1996

   [RFC2219]   Hamilton,M., Wright,R., "Use of DNS Aliases for Network
               Services", RFC 2219, BCP 17, October 1997

   [RFC2142]   Crocker,D., "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND
               FUNCTIONS", RFC 2142, May 1997

   [RIPE192]   RIPE DNS working group, "Simple DNS Configuration Exam-
               ple", RIPE 192, February 2000

   [RIPE203]   Koch,P., "Recommendations for DNS SOA Values", RIPE 203,
               November 1999


9. Author's Address

   Peter Koch
   Universitaet Bielefeld
   Technische Fakultaet
   D-33594 Bielefeld
   Germany
   +49 521 106 2902
   <pk@TechFak.Uni-Bielefeld.DE>




















Koch                     Expires September 2000                [Page 12]