[rbldnsd] Re: TODOs for rbldnsd
Bruce Gingery
rbldnsd@corpit.ru
Sun, 9 Mar 2003 03:17:55 -0700 (MST)
You wrote:
> I had written:
>> In this patch, both the opening of the PID file and the write+close
>> are conditioned on !nodaemon -- so that foreground operation ignores
>> the added "-p </abspath/pidfile.pid>" parameter, even if given.
> Umm... why ignore parameter if it is given?
Because it's not applicable, and shell aliases are convenient
for command lines -- but could have an "-n" appended ...
alias dorbld="rbldnsd \$1 [flags] [zones] ..."
dorbld -n
Since it's the PID of the _backgrounded_daemon_process_ that is
written to the pidfile, and there is no such backgrounded daemon
when "-n", it just fits the definition.
> For debugging, there is just no need to specify a pidfile, right? It
> may be used when rbldnsd is started from some "watcher" process (but I
> don't know if there is a need to write pid file in this case).
Exactly.
[]
> TCP is mostly for AXFR. Normal DNS answers are limited to 512 bytes..
Well, UDP answers are limited to 512 bytes by single-packet reply
definitions. But, no! TCP is for any response that will not fit
in one packet. Add 6 NS records with poorly compressible long names
to one-or-more A records (or CNAMEs if implemented) and potentially
AAAA records, and a long TXT or more, and it quickly graduates to TCP.
In 1998 or so, many people were starting to discover firewalls. There
were bizarre generic instructions that could still be found on the web,
I think, that recommended blocking TCP to nameservers except from
hosts that are allowed AXFRs. It was wrong advice. Broke MANY
inexpertly administered services. My guess is that quite a number
of SERVFAILs are still because of that.
[]
> The only problem is that, at the same time, I want to be able
> to "derive" SOA serial number from the date of data file, and
> it's not obvious how to avoid clash with SOA specified in
> "generic" zonedata, and where to find other fields required
> for SOA if only one zonefile is given like currently.
I would still prefer that zone serial numbers be generated
externally from the daemon. But a sub-zone file does NOT
(in BIND) need to have the same serial as the parent zone.
A new SOA interposes where it exists in the dot-divided
hierarchy.
$TTL 3H
$ORIGIN example.com
@       IN SOA  ns1.example.com. dnsadmin.example.com (
                2003010600 ; Serial YYYYMMDD##
                3H         ; Refresh every 3 hours
                1H         ; Retry every hour
                1D         ; Expire in 24 hours
                3H )       ; Minimum TTL 3 hours
        TXT     "Abuse complaints to abuse@example.com"
; Note automatic append of @ to RHS names in most cases...
        NS      secure.alpha-bet-soup.milwaukee.wisconson
        NS      secure.alpha-bet-soup.moscow.russia
        NS      secure.alpha-bet-soup.kiev.ukraine
        NS      secure.alpha-bet-soup.bangalore.india
        MX 5    mx01.texarkana.texas
        MX 10   mx02.sanjose.california
        MX 10   mx03.vsnl.net.in.bangalore.india
; Now, private networks, then hosts in parent domain
$ORIGIN private.example.com
        NS      secure.internalhosts.milwaukee.wisconson
        NS      secure.internalhosts.moscow.russia
        NS      secure.internalhosts.bangalore.india
        NS      secure.sanjose.california
        NS      secure.texarkana.texas
; in-addr zone is target of CNAMEs from various ranges
$ORIGIN in-addr.example.com
        NS      secure.ipfour-ipsix.161
        NS      ...
Then on the *.internationalhosts.*.example.com nameservers:
$TTL 3H
$ORIGIN private.example.com
@       IN SOA  ns1.example.com. dnsadmin.example.com (
                2003030927 ; Serial YYYYMMDD##
                3H         ; Refresh every 3 hours
                1H         ; Retry every hour
                1D         ; Expire in 24 hours
                3H )       ; Minimum TTL 3 hours
        NS      secure.internalhosts.milwaukee.wisconson.example.com.
        NS      secure.internalhosts.moscow.russia.example.com.
        NS      secure.internalhosts.bangalore.india.example.com.
        NS      secure.sanjose.california.example.com.
        NS      secure.texarkana.texas.example.com.
        TXT     "These services are limited-access."
_SUBMISSION._TCP  SRV 0 0 587 jato.internalmail.example.com.
_IMAPS._TCP       SRV 5 1 993 mailhost301.example.com.
                  SRV 5 2 993 mailhost302.example.com.
                  SRV 5 3 993 mailhost303.example.com.
                  SRV 5 4 993 mailhost304.example.com.
etc. Although NS records are provided, the hosts carrying the
parent zone(s) may NOT be authoritative for given sub-zones.
The NS records in the parent zone for a subzone, SHOULD match
the NS records in the subzone for the subzone.
Caching Mirrors MAY try to follow all the trails, for AXFRs,
and raise errors when they're unable to access a sub-zone for
which they're not authoritative. That's a bug (e.g. in bind).
> Currently, rbldnsd (and DJB's rbldns) just refuses the request, and if
> sendmail is asking local named cache, named returns SERVFAIL and the whole
> system does not work.
Why not return NXDOMAIN for any specific query for which you don't
support the record type?
Here are some notes you might find useful ...
host A dotted-quad
    Type=1 Internet Address
    (dotted-quad is a subnet mask in in-addr.arpa)
name AAAA xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
          ::xxxx:xxxx or
          ::FFFF:xxx.xxx.xxx.xxx for IPv4 reps
    Type=28 IPv6 Address. Reverse DNS is hex-byte-reversed
<owner> AFSDB <subtype> <hostname>
    Type=18 Andrew File System Database
owner ATMA <atm_address>
    Type=34
name CERT <type> <tag> <alg> <cert/CRL>
    Type=37 DNSSEC Certificate Record
    The key tag field is the 16 bit value computed for the key
    embedded in the certificate as specified in the DNSSEC Standard
    [RFC 2535]. Tag zero is required for meaningless keys.
        type 0         reserved
        type 1         PKIX X.509
        type 2         SPKI
        type 3         PGP - RFC2440
        type 4-252     unassigned
        type 253       URI private
        type 254       OID private
        type 255-65534 unassigned
        type 65535     reserved
    ALG (see KEY), zero required for meaningless keys
nick CNAME host
    Type=5 Canonical Name
    nick may not appear in any other kind of record
owner DNAME <target-domain-name>
    Type=39 Substitution of target for owner as a suffix domain name
    (RFC-2672). When there is data for <owner>, it may not be CNAME
    nor DNAME, and no subs of <owner> may have data (in the same
    class) except that implied by the DNAME -- that is, no explicit
    data whatsoever. Clients synthesize a CNAME for each of DNAME's
    target's subs with a TTL=0
GID
    No info
ISDN <ISDN-address> <sa>
    Type=20 ISDN Number
    Contains a telephone number and optional subaddress
host HINFO <hardware> <software>
    Type=13 Host Info
KEY <flag> <proto> <alg> <public key>
    Type=25 Cryptographic Public Key?
    The KEY RR is not intended for storage of certificates, and a
    separate certificate RR has been developed for that purpose,
    defined in RFC-2538.
        ALG 0   - reserved
        ALG 1   - RSA/md5 (recommended)
        ALG 2   - Diffie-Hellman (optional, key only)
        ALG 3   - DSA (mandatory?)
        ALG 4   - Elliptic Curve
        ALG 252 - Reserved for indirect keys
        ALG 253 - Private - domain name
        ALG 254 - Private - OID
        ALG 255 - reserved
        PROTO 0 - None
        PROTO 1 - TLS
        PROTO 2 - EMAIL
        PROTO 3 - DNSSEC
        PROTO 4 - IPSEC
        PROTO 5 - ALL
LOC d [m [s]] N|S d [m [s]] E|W metresAlt [prc][hp["m"]] [cp["m"]]
    Type=29 Location
MB
    Type=7 Mailbox
(MD) obsolete
    Type=3 Mail Destination
    A <domain-name> which specifies a host which has a mail agent
    for the domain which should be able to deliver mail for the
    domain.
(MF) obsolete
    Type=4 Mail Forwarder
    A <domain-name> which specifies a host which has a mail agent
    for the domain which will accept mail for forwarding to the
    domain.
MG
    Type=8 Mail Group Member
    A <domain-name> which specifies a mailbox which is responsible
    for the mailing list or mailbox, followed by a mailbox which is
    to receive error messages related to the mailing list or mailbox
MINFO
    Type=14 Mailbox/Mail List Info
MR
    Type=9 Mail Rename Domain Name
    A <domain-name> which specifies a mailbox which is the proper
    rename of the specified mailbox.
name MX priority name
    Type=15 Mail Exchanger
    A 16-bit integer which specifies the preference given to this
    RR, with lower values preferred, followed by a <domain-name>
    which specifies a host willing to act as a mail exchanger for
    the owner name.
NAPTR
    I don't have details. Used by Sprint for ATM-to-IP or some
    such, IIRC.
domain NS name
    Type=2 Name Server
    A <domain-name> which specifies a host which should be
    authoritative for the specified class and domain.
NSAP <nsap-addr>
    Type=22 Network Service Access Point
    Reverse-NSAP is done in NSAP.INT, digit-by-digit inverse
NSAP-PTR <nsap-pointer>
    Type=23
NULL
    Type=10 Null RR
    Not allowed in master files.
NXT
    Type=30
    There will only ever be one NXT record in a zone for a
    particular label. Automatically generated, NOT configured, but
    see RFC2308! host. rectypes...
domain OPT
    Type= EDNS group of options records RFC-2671
spname PTR name
    Type=12 Pointer
    A <domain-name> which points to some location in the domain
    namespace.
PX Cmp Priority
    Type=26 X.400 mail mapping information. RFC 2163
RP <mbox-dname> <txt-dname>
    Type=17 Responsible Person
    The <mbox-dname> is a domain name that specifies the mailbox
    for the responsible person, in a way (dot-for-@) as in the SOA.
    If it is just a dot, then there is none. The <txt-dname> is a
    domain name which has a TXT record giving the info
RT <preference> <intermediate-host>
    Type=21 Route Through
    Should also have at least one A, X.25 or ISDN
zone SOA origin. person (
        serial       32-bit-int
        refresh      32-bit-time in seconds 28800/8hr recomm
        retry        32-bit-time in seconds 7200/2hr recomm
        expire       32-bit-time in seconds 604800/7dy recomm
        minimum-ttl) ..time in seconds 86400/1dy recomm
    Type=6 Start of Authority
SIG
    Type=24 Cryptographic Public-Key based Signature
proname SRV <priority> <weight> <port> <host>
    Type=33 Server Distribution (RFC-2052)
    Where <proname> is _<service>._<protocol>, and a service, if
    defined in rfc1700, MUST use that name. Protocol is normally the
    LHS name in /etc/protocols. Priority is as in MX; Weight is a
    load balancing factor. Port is NORMALLY the /etc/services value.
    May require glue A/AAAA/etc. records. SMTP fallback is to RFC974.
TXT string
    Type=16 Miscellaneous Text
    One or more character strings.
UID
UINFO
name WKS dotted-quad <protocol> [service list bitmap]
    Type=11 Well Known Services
    PROTOCOL is an IP protocol number, the bitmap has the first
    32 ports (0-31)
X25 <PSDN-address-string>
    Type=19 X.25 Binding
======================================================================
AXFR QueryType=252
MAILB QueryType=253
MAILA QueryType=254
* QueryType=255
IXFR QueryType=6 ??? rfc1995
======================================================================
Class IN 1 Internet
Class CS 2 CSNet (obsolete)
Class CH 3 CHAOS
Class HS 4 Hesiod
Class * 255 All/Any Class -- invalidated in BIND as of
v8.something because of a security hole I
pointed out to Vixie. Might have been a temp
disabling.
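An added example (my own, not code from the original post or from rbldnsd) that makes the UDP-versus-TCP point in the reply above concrete: it serialises an apex answer set with RFC 1035 label compression, once with short in-zone nameserver names and once with long, mostly unique names plus a long TXT record, and reports whether the reply overflows the classic 512-byte UDP payload and must carry the TC bit, which is what sends a resolver back over TCP. All zone names, addresses and TXT contents are constructed; the ANY query type is used only so that the NS, A and TXT sets share one answer section, and the helper names (DnsResponseBuilder, apex_response, txt_rdata) are mine.

```python
import struct

# Added example (not code from the original post or from rbldnsd): builds a DNS
# reply with RFC 1035 label compression and reports whether it overflows UDP.
TYPE_CODES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28, "ANY": 255}
CLASS_IN = 1
UDP_MAX_PAYLOAD = 512            # RFC 1035 UDP limit when EDNS0 is not in use
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


class DnsResponseBuilder:
    def __init__(self, txid=0x1234):
        self.buf = bytearray(12)     # header placeholder, filled in by build()
        self.txid = txid
        self.offsets = {}            # lowercased name suffix -> offset of first copy
        self.counts = {"question": 0, "answer": 0, "authority": 0, "additional": 0}

    def _write_name(self, name):
        """Write a name, replacing any suffix already in the message by a pointer."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels).lower()
            if suffix in self.offsets:           # 2-byte pointer instead of labels
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) <= 0x3FFF:          # pointers only address 14-bit offsets
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            if not 1 <= len(label) <= 63:
                raise ValueError("bad label length in %r" % name)
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)                       # root label terminates the name

    def add_question(self, qname, qtype):
        self._write_name(qname)
        self.buf += struct.pack("!HH", TYPE_CODES[qtype], CLASS_IN)
        self.counts["question"] += 1

    def add_rr(self, section, owner, rtype, ttl, rdata):
        """rdata is a domain name (str) for NS, or raw RDATA bytes otherwise."""
        self._write_name(owner)
        self.buf += struct.pack("!HHI", TYPE_CODES[rtype], CLASS_IN, ttl)
        rdlen_pos = len(self.buf)
        self.buf += b"\x00\x00"                  # RDLENGTH, patched below
        start = len(self.buf)
        if isinstance(rdata, str):
            self._write_name(rdata)              # name-valued RDATA may compress
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, rdlen_pos, len(self.buf) - start)
        self.counts[section] += 1

    def build(self):
        """Return (wire_bytes, truncated); TC is set when the reply exceeds 512 bytes."""
        truncated = len(self.buf) > UDP_MAX_PAYLOAD
        flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
        struct.pack_into("!HHHHHH", self.buf, 0, self.txid, flags,
                         self.counts["question"], self.counts["answer"],
                         self.counts["authority"], self.counts["additional"])
        return bytes(self.buf), truncated


def txt_rdata(*strings):
    """TXT RDATA: one or more <length><chars> character strings, each <= 255 bytes."""
    if any(len(s) > 255 for s in strings):
        raise ValueError("TXT character string too long")
    return b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)


def apex_response(zone, ns_hosts, a_addrs, txt_strings, ttl=10800):
    """Answer an ANY query at the zone apex with the NS, A and TXT sets."""
    b = DnsResponseBuilder()
    b.add_question(zone, "ANY")
    for host in ns_hosts:
        b.add_rr("answer", zone, "NS", ttl, host)
    for addr in a_addrs:                         # A RDATA is the four raw octets
        b.add_rr("answer", zone, "A", ttl, bytes(int(o) for o in addr.split(".")))
    b.add_rr("answer", zone, "TXT", ttl, txt_rdata(*txt_strings))
    return b.build()


# Constructed sample data (not from the original message).
ADDRS = ["192.0.2.1", "192.0.2.2"]
COMPACT = dict(zone="example.com", a_addrs=ADDRS, txt_strings=["v=spf1 -all"],
               ns_hosts=["ns%d.example.com" % i for i in range(1, 7)])
VERBOSE = dict(zone="example.com", a_addrs=ADDRS,
               ns_hosts=["secure.alpha-bet-soup.milwaukee.wisconsin.example",
                         "secure.alpha-bet-soup.moscow.russia.example",
                         "secure.alpha-bet-soup.kiev.ukraine.example",
                         "secure.alpha-bet-soup.bangalore.india.example",
                         "secure.internalhosts.sanjose.california.example",
                         "secure.internalhosts.texarkana.texas.example"],
               txt_strings=["Abuse complaints to abuse@example.com",
                            "v=DKIM1; k=rsa; p=" + "A" * 200])   # placeholder key text

if __name__ == "__main__":
    for label, params in (("compact", COMPACT), ("verbose", VERBOSE)):
        msg, tc = apex_response(**params)
        print("%-8s %4d bytes  TC=%d" % (label, len(msg), tc))
```

The compact set stays well under 512 bytes because every repeated suffix (example.com) collapses to a two-byte pointer; the verbose set shares almost nothing but the top label, so six NS records plus a long TXT push the reply past the UDP limit and the TC flag goes on. A firewall that drops TCP/53 from ordinary clients turns exactly that reply into the SERVFAILs the post describes, which is the case to check when a resolver can fetch small answers but not large ones.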