📄 rfc1713.txt
字号:
domain administration, who delegated him authority over the domain. From now on the parent name server announces one or more servers for the domain, which will receive queries for something they don't know about. (On the other hand, servers may be added to the list without the parent's servers knowing, thus hiding valuable information from them - this is not a lame delegation, but shouldn't happen either.) Other examples are the inclusion of a name in an NS list without telling the administrator of that host, or when a server suddenly stops providing name service for a domain. To detect and warn DNS administrators all over the world about this kind of problem, Bryan Beecher from University of Michigan wrote lamers, a program to analyze named (the well-known BIND name server) logging information [2]. To produce useful logs, named was applied a patch to detect and log lame delegations (this patch was originally written by Don Lewis from Silicon Systems and is now part of the latest release of BIND thanks to Bryan Beecher, so it is expected to be widely available in the near future). Lamers is a small shell script that simply scans these logs and reports the lame delegations found. This reporting is done by sending mail to the hostmasters of the affected domains, as stated in the SOA record for each of them. If this is not possible, the message is sent to the affected name servers' postmasters instead. Manual processing is needed in case of bounces, caused by careless setup of those records or invalid postmaster addresses. A report of the errors found by the U-M servers is also posted twice a month on the USENET newsgroup comp.protocols.tcp-ip.domains. If you ever receive such a report, you should study it carefully in order to find and correct problems in your domain, or see if your servers are being affected by the spreading of erroneous information. Better yet, lamers could be run on your servers to detect more lame delegations (U-M can't see them all!). Also, if you receive mail reporting a lame delegation affecting your domain or some of yourRomao [Page 5]
RFC 1713 Tools for DNS debugging November 1994 hosts, please don't just ignore it or flame the senders. They're really trying to help! You can get lamers from ftp://terminator.cc.umich.edu/dns/lame- delegations.2.4. DOC Authority information is one of the most significant parts of the DNS data, as the whole mechanism depends on it to correctly traverse the domain tree. Incorrect authority information leads to problems such as lame delegations or even, in extreme cases, the inaccessibility of a domain. Take the case where the information given about all its name servers is incorrect: being unable to contact the real servers you may end up being unable to reach anything inside that domain. This may be exaggerated, but if you're on the DNS business long enough you've probably have seen some enlightened examples of this scenario. To look for this kind of problems Paul Mockapetris and Steve Hotz, from the Information Sciences Institute, wrote a C-shell script called DOC (Domain Obscenity Control), an automated domain testing tool that uses dig to query the appropriate name servers about authority for a domain and analyzes the responses. DOC limits its analysis to authority data since the authors anticipated that people would complain about such things as invasion of privacy. Also, at the time it was written most domains were so messy that they thought there wouldn't be much point in checking anything deeper until the basic problems weren't fixed. Only one domain is analyzed each time: the program checks if all the servers for the parent domain agree about the delegation information for the domain. DOC then picks a list of name servers for the domain (obtained from one of the parent's servers) and starts checking on their information, querying each of them: looks for the SOA record, checks if the response is authoritative, compares the various records retrieved, gets each one's list of NS, compares the lists (both among these servers and the parent's), and for those servers inside the domain the program looks for PTR records for them. Due to several factors, DOC seems to have frozen since its first public release, back in 1990. Within the distribution there is an RFC draft about automated domain testing, which was never published. Nevertheless, it may provide useful reading. The software can be fetched from ftp://ftp.uu.net/networking/ip/dns/doc.2.0.tar.Z.Romao [Page 6]
RFC 1713 Tools for DNS debugging November 19942.5. DDT DDT (Domain Debug Tools) is a package of programs to scan DNS information for error detection, developed originally by Jorge Frazao from PUUG - Portuguese UNIX Users Group and later rewritten by the author, at the time at the Faculty of Sciences of University of Lisbon. Each program is specialized in a given set of anomalies: you have a checker for authority information, another for glue data, mail exchangers, reverse-mappings and miscellaneous errors found in all kinds of resource records. As a whole, they do a rather extensive checking on DNS configurations. These tools work on cached DNS data, i.e., data stored locally after performing zone transfers (presently done by a slightly modified version of BIND's named-xfer, called ddt-xfer, which allows recursive transfers) from the appropriate servers, rather than querying name servers on-line each time they run. This option was taken for several reasons [3]: (1) efficiency, since it reads data from disk, avoiding network transit delays, (2) reduced network traffic, data has to be fetched only once and then run the programs over it as many times as you wish and (3) accessibility - in countries with limited Internet access, as was the case in Portugal by the time DDT was in its first stages, this may be the only practical way to use the tools. Point (2) above deserves some special considerations: first, it is not entirely true that there aren't additional queries while processing the information, one of the tools, the authority checker, queries (via dig) each domain's purported name servers in order to test the consistency of the authority information they provide about the domain. Second, it may be argued that when the actual tests are done the information used may be out of date. While this is true, you should note that this is the DNS nature, if you obtain some piece of information you can't be sure that one second later it is still valid. Furthermore, if your source was not the primary for the domain then you can't even be sure of the validity in the exact moment you got it in the first place. But experience shows that if you see an error, it is likely to be there in the next version of the domain information (and if it isn't, nothing was lost by having detected it in the past). On the other side, of course there's little point in checking one month old data... The list of errors looked for includes lame delegations, version number mismatches between servers (this may be a transient problem), non-existing servers, domains with only one server, unnecessary glue information, MX records pointing to hosts not in the analyzed domain (may not be an error, it's just to point possibly strange or expensive mail-routing policies), MX records pointing to aliases, ARomao [Page 7]
RFC 1713 Tools for DNS debugging November 1994 records without the respective PTR and vice-versa, missing trailing dots, hostnames with no data (A or CNAME records), aliases pointing to aliases, and some more. Given the specialized nature of each tool, it is possible to look for a well defined set of errors, instead of having the data analyzed in all possible ways. Except for ddt-xfer, all the programs are written in Perl. A new release may come into existence in a near future, after a thorough review of the methods used, the set of errors checked for and some bug fixing (in particular, a Perl version of ddt-xfer is expected). In the mean time, the latest version is available from ftp://ns.dns.pt/pub/dns/ddt-2.0.1.tar.gz.2.6. The Checker Project The problem of the huge amount of DNS traffic over the Internet is getting researchers close attention for quite some time, mainly because most of it is unnecessary. Observations have shown that DNS consumes something like twenty times more bandwidth than it should [4]. Some causes for this undoubtedly catastrophic scenario lie on deficient resolver and name server implementations spread all over the world, from personal to super-computers, running all sorts of operating systems. While the panacea is yet to be found (claims are made that the latest official version of BIND is a great step forward [5]), work has been done in order to identify sources of anomalies, as a first approach in the search for a solution. The Checker Project is one such effort, developed at the University of Southern California [6]. It consists of a set of C code patched into BIND's named, for monitoring server activity, building a database with the history of that operation (queries and responses). It is then possible to generate reports from the database summarizing activity and identifying behavioral patterns from client requests, looking for anomalies. The named code alteration is small and simple unless you want do have PEC checking enabled (see below). You may find sources and documentation at ftp://catarina.usc.edu/pub/checker. Checker only does this kind of collection and reporting, it does not try to enforce any rules on the administrators of the defective sites by any means whatsoever. Authors hope that the simple exhibition of the evidences is a reason strong enough for those administrators to have their problems fixed. An interesting feature is PEC (proactive error checking): the server pretends to be unresponsive for some queries by randomly choosing some name and start refusing replies for queries on that name during a pre-determined period. Those queries are recorded, though, to tryRomao [Page 8]
RFC 1713 Tools for DNS debugging November 1994 to reason about the retry and timeout schemes used by name servers and resolvers. It is expected that properly implemented clients will choose another name server to query, while defective ones will keep on trying with the same server. This feature seems to be still under testing as it is not completely clear yet how to interpret the results. A PEC-only error checker is available from USC that is much simpler than the full error checker. It examines another name server client every 30 minutes to see if this client causes excessive load. Presently Checker has been running on a secondary for the US domain for more than a year with little trouble. Authors feel confident it should run on any BSD platform (at least SunOS) without problems, and is planned to be included as part of the BIND name server. Checker is part of a research project lead by Peter Danzig from USC, aimed to implement probabilistic error checking mechanisms like PEC on distributed systems [7]. DNS is one such system and it was chosen as the platform for testing the validity of these techniques over the NSFnet. It is hoped to achieve enough knowledge to provide means to improve performance and reliability of distributed systems. Anomalies like undetected server failures, query loops, bad retransmission backoff algorithms, misconfigurations and resubmission of requests after negative replies are some of the targets for these checkers to detect.2.7. Others All the tools described above are the result of systematic work on the issue of DNS debugging, some of them included in research projects. For the sake of completeness several other programs are mentioned here. These, though just as serious, seem to have been developed in a somewhat ad-hoc fashion, without an implicit intention of being used outside the environments where they were born. This impression is, of course, arguable, nevertheless there was no⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -