(the UK's Unix & Open Systems User Group)

Home

Events

About UKUUG

UKUUG Diary

Membership

Book Discounts

Other Discounts

Mailing lists

Sponsors

Newsletter

Consulting

DNS and BIND, 4th Edition Paul Albitz and Cricket Liu Published by O'Reilly and Associates ISBN:0-596-00158-4 576 pages £ 31.95 Published: April 2001 reviewed by Raza Rizvi    in the December 2001 issue (pdf), (html)

Coming in at two hundred pages more than the first edition, this worthy tome includes information on versions of BIND up to v9.1, going as far back as 4.8.3 which is still included in some vendor implementations. It has been a long time coming, the previous edition was issued in 1998, and many a DNS administrator has attempted to struggle with BIND 9 and cursed the lack of available documentation.

I will concentrate on the newer parts of the book as it carries the same chapters (albeit with updated content) as the previous editions - why, what, and where DNS fits in, setting up DNS name servers, Mail services using MX records, host configurations, day to day operations, sub-domains, DNS tools, debugging, and troubleshooting.

Chapter 10 covers `Advanced Features' starting with the use of access lists. These detail the permitted (and occasionally list the restricted) sources of access. Their first application is in DNS Dynamic Update, a process which permits the authorised modification of a set of records on an authoritative name server, in accordance with RFC 2136. Although this is of most importance to DHCP implementations striving to get DNS to reflect the DHCP lease pool, it can also be used to, say, modify a single record for a load balancing application.

In order that a server with changed data can reflect the new information on the secondary servers, there is now a notification mechanism which also supports incremental zone transfer. Known bogus name servers can be ignored (although there is still no BIND mechanism to prevent zone spoofing).

A good explanation of system tuning leads to the final topic in this mish-mash of a chapter, IPv6 -- which is supported directly by BIND v9.

Chapter 11 details the security changes, primarily TSIG, which (from BIND v8.2) allows the use of Transaction Signatures to authenticate DNS messages. Security Extensions (DNSSEC) additionally permit the secure exchange of keys using public key cryptography.

Usefully, the rest of chapter 11 covers how to minimise the risks caused by unauthorised zone transfers, or indeed queries, together with specific firewall issues. The splitting of DNS function for serving and resolving is covered in detail, including a section on particular configurations for internal DNS roots.

I mentioned dynamic update earlier, and you will no doubt be pleased that Windows 2000 clients, servers, and domain controllers use this feature heavily. Well, the authors have included information towards the back part of the book on how to live in such an environment. There in fact an other O'Reilly text that deals exclusively with DNS and Windows issues.

This book is as useful now as it was back in the mid 90's. Buy it if you have to do any more than be a simple user of DNS. As a measure of how times change, the appendices no longer show you how to compile and install BIND on a Sun operating system, it is now shown with Linux.

Back to reviews list

(the UK's Unix & Open Systems User Group)

Home

Events

About UKUUG

UKUUG Diary

Membership

Book Discounts

Other Discounts

Mailing lists

Sponsors

Newsletter

Consulting

DNS and BIND, 4th Edition Paul Albitz and Cricket Liu Published by O'Reilly and Associates ISBN:0-596-00158-4 622 pages £ 31.95 Published: April 2001 reviewed by Joel Smith    in the December 2001 issue (pdf), (html)

This book has been the bible for DNS administration since 1992. It goes without saying that this is the book to help you set up and administer DNS servers. This fourth edition brings it up to date and it now covers BIND 9.1.0 and 8.2.3, occasionally mentioning the older 4.9 versions.

The book as a whole has been updated with examples changed to cover the more recent versions of BIND. It also has a fair amount of new information, primarily in the areas of Advanced Features and Security, but also covers accommodating Windows 2000 clients, servers and Domain Controllers within a BIND DNS domain.

There is more extensive coverage of dynamic update and NOTIFY (zone change notification), including signed dynamic updates and BIND 9's new update-policy mechanism. Incremental zone transfer, and forward zones (which support conditional forwarding) are introduced, as well as support for IPv6 forward and reverse mapping using the new A6 and DNAME records.

The security section now covers TSIG or transaction signatures which is a new mechanism for authenticating transactions. There is an expanded section on securing name servers and expanded coverage of dealing with firewalls. There is also a section dealing with the DNS Security Extensions (DNSSEC), which allows DNS servers verify their authority using public key cryptography. I am sure that this will become far more important as attackers on the internet find ever more imaginative ways of interrupting service.

The section on dealing with Windows 2000 is useful because although Microsoft has now decided to drop WINS in favour of DNS, Win2000 clients and DHCP servers have a nasty habit of deleting address records owned by the same domain name as the clients or servers. For example, a Win2000 client booting up with the same name as one of the pre-existing DNS records would attempt to delete the conflicting record and replace it with its own. If the name in question happened to be one of your servers, this could cause quite a disruption. (For some reason, I can't help thinking about Invasion of the Body Snatchers!) Thankfully there are several suggested workarounds.

I can't fault this new edition of the book. The first edition served me well when I was setting up my first DNS server. The book still achieves what it sets out to do, and explains DNS and BIND. This has got more complicated (sorry, feature rich!) over the years, but this book still explains it in clear terms. O'Reilly rightly made their name through publishing titles like this.

As ever, Administrators starting to set up their own DNS servers would be well advised to have a copy of this book. Similarly if you are considering the migration to BIND 9, it would be useful to have a copy of this new edition to explore the new features. Whether it is worth replacing your older copy will be down to your budget and your needs.

Back to reviews list