Practices on DNS Management
and Domain Name
Emerging Topics
Jirasak Jullawat
July 14, 2016
TABLE OF CONTENTS
1. Definition of Domain Name
2. Domain Name Structure
3. Why Domain Name ?
4. .th Management
5. How DNS works ?
6. Things You Should Know for Managing DNS.
7. DNSSEC
8. IDN
9. EAI
10. New gTLDs
DOMAIN NAME ?
Where are domain names ?
URL / URI / Address bar
http://www.thnic.co.th
http://www.google.com
http://แปลภาษาญปน.ไทย
[email protected]@gmail.comยอด@ยอด.ไทย
Then, what does DNS stand for ?
Domain Name System
DNS Structure
Root
TLD, Generic Top-Level Domain (gTLD): com, net, org, info, biz
TLD, Country Code Top-Level Domain (ccTLD): uk, cc, kr, jp, th
SLD (under th): ac, co, go, in, mi, net, or
Third Level: moe, gov1, gov2, gov3, ...
Generic top-level domains (gTLDs)
WHY DOMAIN ?
Why is DNS so important ?
web address
BRAND name
.th History
July 1988, .th was registered.
In December 1991, the first academic meeting on the Internet was conducted at AIT, which resulted in the first 4 subdomains: .ac.th, .co.th, .or.th, .go.th
In 1992, the DNS server was placed at Thailand's first international gateway: Chulalongkorn University.
In 1993, the volunteer team was called THNIC.
Until 1997, .th service was run by the co-operation of CU & AIT.
In 1998, the primary DNS server was relocated to AIT.
In 1999, T.H.NIC Co., Ltd. was registered to replace the volunteer model.
In 2001, Thai Name Server Co., Ltd. was registered and put in charge of the DNS database and services (Registry), while the domain name registration service (Registrar) remained at the T.H.NIC company.
In 2007, Thai Network Information Center Foundation was established to be .th policy and management body.
.th & .ไทย Management
.th subdomains: .co .in .ac .or .go .mi .net
* IPv6 Supported
* DNSSEC enabled
+ IDN.th .ไทย
.th Management
7 subdomains:
.co.th Commercial
.go.th Government
.or.th NGO
.mi.th Military
.ac.th Academic
.net.th Internet or Network Service Providers
.in.th Dot In Thai
.th Management
CU
INET
CAT Telecom
ISC (Anycast)
CommunityDNS (Anycast)
.th Stability
For Thai
Anti-Cyber Squatting
Domain for real uses.
Name restriction.
Number restriction.
.th Policies
Verify the existence of the domain owner.
Build trust of Thai online commerce.
Why .th & .ไทย
How DNS works ?
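Hierarchy: ROOT > TH > GO.TH > MOJ.GO.TH
1. The user queries www.moj.go.th at the Local DNS (resolver). The answer is not in cache.
2. The Local DNS queries the ROOT name server for www.moj.go.th and is referred to the .th name server.
3. The Local DNS queries the .TH name server for www.moj.go.th and is referred to the .go.th name server.
4. The Local DNS queries the .GO.TH name server for www.moj.go.th and is referred to the moj.go.th name server.
5. The Local DNS queries the moj.go.th name server, which returns 203.159.32.56.
6. The Local DNS returns 203.159.32.56 for www.moj.go.th, and the user connects to 203.159.32.56.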
Things You Need to Know about Managing DNS.
Domain Name Server Locations
http://www.root-servers.org
$ORIGIN example.in.th.
$TTL 7200
@       IN  SOA ns1.example.in.th. dnsadmin.example.in.th. (
            2016071001 ; serial
            7200       ; refresh after 2 hours
            3600       ; retry after 1 hour
            604800     ; expire after 1 week
            7200 )     ; Negative Caching for 2 hours
        IN  NS  ns1.example.in.th.
        IN  NS  ns2.example.in.th.
https://tools.ietf.org/html/rfc2308
TTL
When a caching (recursive) nameserver queries the authoritative nameserver for a resource record, it will cache that record for the time (in seconds) specified by the TTL.
Serial
The version number of the original copy of the zone. Zone transfers preserve this value.
Refresh
A time interval before the zone should be refreshed.
Retry
A time interval that should elapse before a failed refresh should be retried.
Expire
A time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative.
Negative Caching
The TTL for negative caching should be.
$ORIGIN example.in.th.
$TTL 7200
@       IN  SOA ns1.example.in.th. dnsadmin.example.in.th. (
            2016071001 ; serial
            7200       ; refresh after 2 hours
            3600       ; retry after 1 hour
            604800     ; expire after 1 week
            7200 )     ; Negative Caching for 2 hours
        IN  NS  ns1.example.in.th.
        IN  NS  ns2.example.in.th.
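How the serial, refresh, retry and expire values drive a secondary name server, as an added example that is not part of the original slides. The function names and the simplified decision model are assumptions made for illustration; the zone text is a constructed copy of the example zone's SOA record.

```python
import re

# Constructed sample: the SOA part of the example zone shown above.
ZONE = """\
$ORIGIN example.in.th.
$TTL 7200
@ IN SOA ns1.example.in.th. dnsadmin.example.in.th. (
        2016071001 ; serial
        7200       ; refresh
        3600       ; retry
        604800     ; expire
        7200 )     ; negative caching
"""
FIELDS = ("serial", "refresh", "retry", "expire", "negative_ttl")

def parse_soa(zone_text):
    """Extract the five SOA numbers from a zone-file fragment."""
    text = re.sub(r";[^\n]*", "", zone_text)  # drop comments first
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(([^)]*)\)", text)
    if not m or len(m.group(1).split()) != 5:
        raise ValueError("no well-formed SOA record found")
    return dict(zip(FIELDS, map(int, m.group(1).split())))

def serial_newer(primary, secondary):
    """RFC 1982 serial arithmetic: True if the primary's serial is ahead."""
    return primary != secondary and (primary - secondary) % 2**32 < 2**31

def next_poll(soa, last_attempt_failed):
    """Seconds a secondary waits before asking the primary again."""
    return soa["retry"] if last_attempt_failed else soa["refresh"]

def secondary_action(soa, secs_since_ok, primary_serial):
    """Decision of a secondary secs_since_ok after its last good refresh.

    primary_serial is the serial the primary reports when it is asked.
    """
    if secs_since_ok >= soa["expire"]:
        return "expired: stop answering for the zone"
    if secs_since_ok < soa["refresh"]:
        return "serve local copy"
    if serial_newer(primary_serial, soa["serial"]):
        return "transfer zone"
    return "up to date: restart refresh timer"
```

A zone edit that does not raise the serial leaves every secondary in the "up to date" branch, so the change never leaves the primary.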
DNSSEC
DNS Vulnerability
Figure: an end user (resolver) asks a local (caching) server "www.google.com A ?". The figure shows Google.com Server #1 and Google.com Server #2 with the addresses 111.111.111.111 and 222.222.222.222.
Threats shown in the figure: altered zone, impersonating master, cache impersonation, cache poisoning.
DNSSEC
End User to Local Cache server: www.google.com A ?
Zone server: www.google.com A 209.85.175.104, plus signature by ns1.google.com
Attacker: www.google.com A 203.150.250.254
Digital Signature
MyDomain
Public Key
Private Key
Information is signed with the private key.
The public key is the only way to read it.
If the public key is trusted, the information can be trusted.
Walking the Chain of Trust
. (root): Trusted
th.: Trusted
co.th.: Trusted
thnic.co.th.: Trusted
Key
• Zone Signing Key (ZSK) – Used to sign the data within the zone
• Key Signing Key (KSK) – Used to sign the Zone Signing Key and to create the “Secure Entry Point” for the zone
Delegation Signer (DS)
DNSViz.net
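One link of the chain of trust, as an added example that is not part of the original slides: the parent zone's DS record pins the child's Key Signing Key by key tag (RFC 4034, Appendix B) and by a SHA-256 digest over the owner name and DNSKEY RDATA (DS digest type 2). The key bytes are constructed placeholders, not a real key, and algorithm number 8 (RSA/SHA-256) is an assumption.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased (canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_role(flags):
    """257 = zone key with the Secure Entry Point bit (KSK); 256 = ZSK."""
    return {257: "KSK", 256: "ZSK"}.get(flags, "other")

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(parent_ds, owner, child_rdata):
    """Does the DS published by the parent pin this child DNSKEY?"""
    tag, algorithm, digest = parent_ds
    return (tag == key_tag(child_rdata)
            and algorithm == child_rdata[3]
            and digest == ds_digest(owner, child_rdata))

# Constructed sample data: a fake 32-byte "public key", not a real key.
OWNER = "thnic.co.th."
KSK = dnskey_rdata(257, 8, bytes(range(1, 33)))
# What the parent zone (co.th.) would publish for the child zone:
PARENT_DS = (key_tag(KSK), 8, ds_digest(OWNER, KSK))
# A different key offered under the same name fails the check:
SUBSTITUTED = dnskey_rdata(257, 8, bytes(range(2, 34)))
```

A validating resolver repeats this check at every delegation from the root down, then verifies the signatures made with the keys it has accepted.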
IDN: Internationalized Domain Name
• IDN ccTLD
• IDN = Internationalized Domain Name
• ccTLD = Country-code Top Level Domain
IDN ?
Singapore (sg)
新加坡 (traditional Chinese);
சிஙகபபூர (Tamil)
Sri Lanka (lk):
ලංකා (Sinhalese);
இலஙகக (Tamil)
Syria (sy):
سورية
Taiwan (tw):
台湾 (simplified);
台灣 (traditional);
臺灣 (variant string)
Thailand (th):
ไทย
Tunisia (tn):
تونس
Emerged IDN ccTLDs
• Register together with .th .ไทย
• 1 on 1
• Translation or Transliteration
.ไทย
• Most internet users are able to use English ?
• Thai typing is somehow “hard” and words are “longer” ?
10 - 15 % of Thais have English literacy (about 7 million out of 70 million).
Some of them (63 million) know Latin characters but are unable to remember words.
Computer / Internet always meddle with English, so leave it!
IDN in Thai ?
Reduce the digital divide which is caused by language.
Increase Internet penetration in non-native English countries.
Local brands in the local language, which focus on the local market, communicate using IDN.
Local SEO benefit.
IDN
DNS knows only ASCII
A - Z
0 - 9
“ - “
An IDN is converted to ASCII during the process.
How IDN Works ?
URL: จดโดเมน.ไทย
Converted to ASCII: xn--82cyau3b3mma.xn--o3cw4h
.ไทย Name Server returns 61.19.247.23
จดโดเมน.ไทย Web Server
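The conversion described above, as an added example that is not part of the original slides: each label is turned into its ASCII form and checked against the letters, digits and hyphen rule before it is compared or logged. The function names are assumptions, and Python's built-in "idna" codec (which implements IDNA 2003) stands in for whatever converter a given browser or resolver uses.

```python
import re

# Letters, digits and hyphen only, 1-63 characters, no hyphen at either end.
LDH_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def to_ascii_hostname(name):
    """Return the all-ASCII form of a hostname, the form DNS carries."""
    out = []
    for label in name.rstrip(".").split("."):
        try:
            ascii_label = label.encode("idna").decode("ascii").lower()
        except UnicodeError as exc:
            raise ValueError(f"cannot convert label {label!r}: {exc}")
        if not LDH_LABEL.match(ascii_label):
            raise ValueError(f"label {ascii_label!r} is not letters/digits/hyphen")
        out.append(ascii_label)
    return ".".join(out)

def to_unicode_hostname(name):
    """Return the display form of an ASCII hostname with xn-- labels."""
    return ".".join(l.encode("ascii").decode("idna") for l in name.split("."))

def same_host(a, b):
    """Compare two hostnames in their ASCII form, whatever form was typed."""
    return to_ascii_hostname(a) == to_ascii_hostname(b)

# The name used on the slide, in both forms.
SLIDE_NAME = "จดโดเมน.ไทย"
SLIDE_ASCII = to_ascii_hostname(SLIDE_NAME)
```

Allowlists, certificate checks and log searches should compare the ASCII form, since the same name can arrive in either form.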
EAI (Email Address Internationalization)
Who supports EAI ?
• Gmail & Google Apps
• Postfix version 3.0
• Outlook 2016 for Windows
• THNIC
.ไทย EAI service
Thai EAI Set-up Basic Guideline Development
http://interlab.ait.ac.th/eai-wiki-th/index.php/Main_Page
http://interlab.ait.ac.th/eai-wiki/index.php/Main_Page
New gTLDs
ICANN opened applications so that anyone could apply for any Top Level Domain.
$185,000 registration fee.
Application periods open in rounds.
Round 1 was closed on May 30, 2012.
Total 1,930 Applications submitted.
New gTLDs Delegated Strings
https://newgtlds.icann.org/en/program-status/delegated-strings
Jirasak Jullawat | [email protected]