What is DNS signature authentication?

Correction: the question as asked is really about the DNS protocol. The following is an introduction to the DNS protocol:

DNS is the abbreviation of Domain Name System, the system used to name computers and network services that are organized into a hierarchy of domains. A domain name is a string of words or abbreviations separated by dots. Each domain name corresponds to a unique IP address; on the Internet, domain names and IP addresses correspond one to one. A DNS server is what performs domain name resolution. DNS naming is used in TCP/IP networks such as the Internet to find computers and services by user-friendly names. DNS is a core service of the Internet: a distributed database that maps domain names to IP addresses and back.

Technical issues:

The data of a zone is described in four parts: the authoritative data for all nodes in the zone; the data that defines the top node of the zone (which can be considered part of the authoritative data); the data that describes the delegated subzones; and the data needed to reach the name servers of those subzones (also called "glue" data). All of this data is represented as resource records (RRs), so every zone can be described in the RR format, and transmitting the RRs transmits the whole zone, whether as a text file sent over FTP or through network messages. The authoritative data of a zone is the set of all RRs attached to the nodes of the zone's subtree, from the top node down to the nodes at the zone cuts. The RRs describing the top node are especially important for zone management. There are two kinds: the NS RRs, which list the name servers of the zone, and the SOA RR, which describes the administrative parameters of the zone.

The RRs that describe a cut are NS RRs. Because a cut lies between nodes, these RRs are not part of the zone's authoritative data; they should match the NS RRs at the top node of the corresponding subzone. Since name servers are usually associated with zone boundaries, NS RRs appear only at the top nodes of zones: within the data that makes up a zone, NS RRs occur at the top node and at the cuts along the bottom boundary, but nowhere else.

One goal of the zone structure is that any zone has enough data to establish communication with any subzone; that is, the parent zone holds enough information to reach every name server of the child zone. The NS RRs that name the subzone's servers are not sufficient for this on their own: they give the server's name but not its address. In particular, if a name server's name lies inside the subzone itself, there is no way to learn its address without first going through that server. To solve this, the zone includes glue RRs, which are not part of the authoritative data but carry the server's address. These RRs are required whenever the name server's name is below the cut.
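The zone layout described above, as an added Python example that is not part of the original page: a constructed zone for "example." (made-up names and addresses) is split into authoritative data and the non-authoritative delegation NS and glue RRs, and the check reports any name server that is named below its own cut but has no glue address, which is exactly the case the text says the parent cannot reach.

```python
# Constructed zone data for "example." (made-up names and addresses);
# each RR is (owner, type, rdata).
ZONE_APEX = "example."
ZONE_RRS = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 600 86400 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    # cut: sub.example. is delegated to two servers, one named inside the subzone
    ("sub.example.", "NS", "ns1.sub.example."),
    ("sub.example.", "NS", "ns2.example."),
    ("ns1.sub.example.", "A", "192.0.2.53"),  # glue: address of a server below the cut
    ("ns2.example.", "A", "192.0.2.2"),       # parent-zone data, not glue
]

def is_subdomain(name, parent):
    """True when name equals parent or lies below it in the tree."""
    return name == parent or name.endswith("." + parent)

def delegation_points(apex, rrs):
    """NS RRs owned by a name other than the apex mark cuts to child zones."""
    return {owner for owner, rtype, _ in rrs if rtype == "NS" and owner != apex}

def classify_rrs(apex, rrs):
    """Split the zone into authoritative data and non-authoritative data
    (the NS RRs at each cut plus any glue records under them)."""
    cuts = delegation_points(apex, rrs)
    authoritative, non_authoritative = [], []
    for rr in rrs:
        if any(is_subdomain(rr[0], cut) for cut in cuts):
            non_authoritative.append(rr)
        else:
            authoritative.append(rr)
    return authoritative, non_authoritative

def missing_glue(apex, rrs):
    """Name servers named below their own cut that have no address RR in the zone:
    without these glue records the parent cannot reach the child zone."""
    cuts = delegation_points(apex, rrs)
    have_address = {owner for owner, rtype, _ in rrs if rtype in ("A", "AAAA")}
    return sorted(
        target for owner, rtype, target in rrs
        if rtype == "NS" and owner in cuts
        and is_subdomain(target, owner) and target not in have_address
    )
```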

Management issues:

When an organization wants to take control of its own domain, the first step is to identify the appropriate parent zone and then obtain agreement from the administrators of that parent zone to delegate it. There are no specific technical constraints on this, but there are some administrative rules. Medium-sized zones do not need these rules, but small ones do. This article will not discuss the issue in detail; if you are interested, refer to the relevant documents.

Once a name for the subzone has been chosen, the new administrators of the zone need redundant name servers to support it. Note that there is no requirement that a zone's servers run on hosts named within the zone. In many cases it is best to spread a zone's servers out rather than keep them together, so that the zone remains reachable. Today many countries' name servers are placed in other countries, so that a name can be resolved without the request having to travel all the way to a remote host. As the last step of configuration, the NS RRs and the glue RRs must be selected.

In-depth: name servers

1. Queries and responses

The main job of a name server is to respond to standard queries. Queries and responses have a dedicated message format. A query contains QTYPE, QCLASS and QNAME, which describe the type, class and name of the data requested. How the server responds depends on whether it supports recursive queries:

The simplest case is a server that does not support recursion. It returns either local information or an error code telling the user that the requested information is not available here, together with the address of a closer server where the user can ask next.

If recursion is supported and the name server cannot find the information locally, it queries other servers on behalf of the user, acting as a resolver, until the final result is found (or no result exists, in which case an error is returned) and then returns it to the user.

Using recursive queries requires support from both the client and the server.

This is negotiated through two bits in the query and response:

If recursive queries are supported, the RA (recursion available) bit is set in the response. The server may set this bit regardless of whether the client asked for recursion.

If a recursive query is wanted, the RD (recursion desired) bit is set in the query. The client should only request recursion after learning that the server supports it.

The client can examine both the RA and RD bits in the response to confirm whether recursion was supported for its request. Note that the server will not perform a recursive query on its own when the client has not set the RD bit.

If recursion was requested and is supported, the response to the query will be one of the following:

- The answer to the query, possibly preceded by one or more CNAME RRs for the aliases encountered on the way to it

- An error indicating that the specified name does not exist

- A temporary error

If recursion was not requested or is not supported, the response may be:

- An authoritative indication from the server that the name does not exist

- A temporary error

In addition, the response carries information indicating whether the RRs returned come from a zone (authoritative data) or from the cache; another kind of response names other name servers that hold the same records and are closer to the ancestor of the name being queried (a referral).
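The RD/RA negotiation and the response outcomes listed above, as an added Python example that is not part of the original page: it packs and parses the 16-bit DNS header flags word, decides whether a server will recurse, and maps a constructed response header onto the outcomes described; the RCODE values are the standard ones (0 no error, 2 server failure, 3 name error), and the sample messages are constructed here.

```python
import struct

# DNS header flags word, 16 bits: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_flags(qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, rcode=0):
    """Pack the individual header bits into the flags word."""
    return (qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode

def parse_flags(flags):
    """Split the flags word back into named fields."""
    return {"qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF}

def make_header(ident, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Build the fixed 12-byte header (used here to construct sample responses)."""
    return struct.pack(">HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)

def parse_header(msg):
    """Parse the 12-byte header: ID, flags and the four section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    h = parse_flags(flags)
    h.update(id=ident, qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return h

def server_will_recurse(query_flags, server_offers_ra):
    """A server recurses only when the client set RD and the server offers RA."""
    return bool(parse_flags(query_flags)["rd"]) and server_offers_ra

def classify_response(msg):
    """Map a response header onto the outcomes described in the text."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == 3:
        return "name does not exist" + (" (authoritative)" if h["aa"] else "")
    if h["rcode"] == 2:
        return "temporary error"
    if h["rcode"] != 0:
        return "error " + RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    if h["ancount"] > 0:  # AA tells whether the data came from a zone or the cache
        return "answer from zone data" if h["aa"] else "answer from cache"
    if h["nscount"] > 0:  # no answer, but NS records pointing closer to the name
        return "referral to closer name servers"
    return "no data"

# Constructed sample: an authoritative name error with RD and RA set.
SAMPLE_NXDOMAIN = make_header(0x1234, build_flags(qr=1, aa=1, rd=1, ra=1, rcode=3), nscount=1)
```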

2. Algorithm

The algorithm used by a name server depends on the local operating system and data structures. The following algorithm assumes that the RRs are organized into several tree structures, one tree per zone.

3. Transport protocols used

DNS uses TCP for zone transfers and UDP at other times.

The DNS specifications define two types of DNS server: the primary DNS server and the secondary DNS server. Within a zone, the primary server reads the zone's DNS data from its own data file, while the secondary server reads the zone's data from the zone's primary server. When a secondary server starts, it contacts the primary server and loads the data; this is called a zone transfer.

Why use both TCP and UDP?

First, understand the byte-length limits of TCP and UDP transmission:

The maximum length of a DNS message over UDP is 512 bytes, while TCP allows messages longer than 512 bytes. When a DNS query or reply exceeds 512 bytes, the TC (truncated) bit is set in the message header and TCP is used to send it instead. Traditional DNS messages over UDP are generally not larger than 512 bytes.
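The 512-byte UDP limit, the TC bit and the fallback to TCP described above, as an added Python example that is not part of the original page: it builds a query, simulates a server truncating an oversized UDP reply and flagging it with TC, and has the client retry over TCP using the 2-byte length prefix that DNS over TCP requires. The transports are constructed stand-ins so the code runs offline.

```python
import struct

UDP_LIMIT = 512  # classic maximum DNS message size over UDP

def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(ident, qname, qtype=1, qclass=1):
    """Standard query with RD set: 12-byte header followed by one question."""
    header = struct.pack(">HHHHHH", ident, 1 << 8, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, qclass)

def is_truncated(msg):
    """TC is bit 9 of the flags word, which sits at header offset 2."""
    return bool((struct.unpack(">H", msg[2:4])[0] >> 9) & 1)

def truncate_for_udp(reply, limit=UDP_LIMIT):
    """Server side: an over-limit reply is cut down and flagged with TC so the
    client knows to retry over TCP (real servers usually keep only the question)."""
    if len(reply) <= limit:
        return reply
    flags = struct.unpack(">H", reply[2:4])[0] | (1 << 9)
    return reply[:2] + struct.pack(">H", flags) + reply[4:limit]

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg

def unframe_from_tcp(stream):
    """Split a TCP byte stream into complete messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack(">H", stream[:2])[0]
        if len(stream) < 2 + n:  # partial message, wait for more bytes
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def resolve(query, send_udp, send_tcp):
    """Client side: ask over UDP first and retry over TCP when TC is set."""
    reply = send_udp(query)
    if is_truncated(reply):
        messages, _ = unframe_from_tcp(send_tcp(frame_for_tcp(query)))
        reply = messages[0]
    return reply
```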