Home / Blogs

Cricket Liu Interviewed: DNS and BIND, 5th Edition

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
By Cricket Liu, Paul Albitz
Fifth Edition May 2006 (est.)
Covers BIND 9.3.2, the most recent release of the BIND 9 series, as well as BIND 8.4.7. BIND 9.3.2 contains further improvements in security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework).

In follow-up to recent announcement on the release of the latest edition of the very popular DNS and BIND book — often referred to as the bible of DNS — CircleID has caught up with Cricket Liu, co-author and a world renowned authority on the Domain Name System.

In this interview, Cricket Liu talks about emerging issues around DNS such as security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework).

In his current role as the Vice President of Architecture at Infoblox, Cricket helps guide development of the product strategy and service offerings, and serves as a liaison between Infoblox and the technical community. He previously worked for Hewlett-Packard for nearly ten years, where he ran hp.com, one of the largest corporate domains in the world, and helped found HP's Internet consulting business. Cricket later co-founded his own Internet consulting and training company, Acme Byte & Wire. After Network Solutions acquired Acme Byte & Wire, Cricket became Director of DNS Product Management.

* * *

CircleID: Let's start by going over key additions to the upcoming 5th edition of DNS and Bind book. Could you talk a little about the overall updates and additions that the new edition is bringing to the DNS community? (Also perhaps some key factors that have inspired the additions.)

Cricket Liu: I think one of the most significant additions is a new chapter on DNS architecture. Until now, there's been almost no formal coverage of DNS architecture. Administrators have had to learn how to design large-scale DNS infrastructure through trial and error, apprenticeship, or following the relevant mailing lists and newsgroups, hoping for the occasional hint from an expert. Perhaps because of this, the DNS infrastructure on many large networks has no formal, documented design. The chapter I added is by no means comprehensive, but I hope administrators will find it useful and that it can become the basis for more formal treatment of DNS architecture.

Of course, as with any new edition, we cover the latest versions of BIND: BIND 9.3.2 and 8.4.7. And we describe many new extensions to and applications of DNS, including DNSSECbis, ENUM, SPF, Internationalized Domain Names, and more. And, we finally dropped coverage of BIND 4.

CircleID: Obviously today DNS security is an important issue and a lot of focus has been give to measures such as DNS Security Extensions (DNSSEC). Could you expand a little on this topic and critical threats that are faced by administrators today?

Cricket Liu: We're now seeing more frequent attacks against DNS infrastructure. Recently, for example, we saw a spate of what are referred to as "DNS amplification" attacks in which open recursive name servers are used as amplifiers to swamp targets on the Internet. Turns out that name servers are terrific amplifiers — you can get an amplification factor of nearly 100x. These attacks have raised awareness of the vulnerability of Internet name servers, which is possibly the only positive result.

We can address the particular vulnerability that facilitates this attack by limiting access to recursion on Internet-accessible name servers — a measure that's described in the book. (In fact, Infoblox has always shipped its appliances with recursion disabled by default. I understand that ISC will begin shipping BIND with recursion off with the release of BIND 9.4.0.) For other categories of threats, such a cache poisoning, extensions to the DNS protocol such as DNSSEC can help. DNSSEC applies asymmetric cryptography to DNS to allow administrators to digitally sign zones. DNSSEC was fairly extensively rewritten after the fourth edition of the book, so the fifth edition describes this new version of DNSSEC, sometimes called DNSSECbis.

CircleID: Let's move on to the other popular topic that the book is covering — namely Telephone Number Mapping (ENUM). Could you touch on some critical aspects in this area?

Cricket Liu: ENUM is a new application of DNS, which allows DNS to map E.164 numbers to URIs. E.164 is the world standard for telephone numbers, including country code, city or area code, and so on. Basically, the idea behind ENUM is to make it possible for VoIP phones to complete calls over the Internet to other VoIP phones using just a standard phone number, as opposed to a URI (say sip:cricket@infoblox.com).

I think ENUM will present some interesting challenges to DNS administrators. First, the record type ENUM uses, the NAPTR record, is syntactically fairly nasty. Also, ENUM data is really data about people, not the kind of data administrators are accustomed to working with. How often will the data change? Will users need to modify it themselves? How will administrators accommodate that?

Storing this type of data in DNS also brings up data privacy and integrity issues. How do we maintain the integrity of ENUM data? Do we need to use DNSSEC to sign ENUM zones? How can we grant access to our ENUM data only to authorized individuals? DNS implementations may not provide the granularity of control we need.

CircleID: Internationalized Domain Names or IDN is another particularly hot and complicated debate that has been going on for sometime now. What are your views on IDN's current and upcoming developments?

Cricket Liu: I'm as eager as anyone to see whether Internationalized Domain Names catch on. With the release of IE 7.0 later this year, we'll have support for Internationalized Domain Names in all of the major browser platforms. That should provide the potential audience to induce companies to invest in the registration and setup of these domain names — assuming they have any interest at all.

The homograph issue — the risk of confusing visually identical but distinct characters — hasn't yet been solved. At least one browser, I believe, actually displays Internationalized Domain Names in their ACE-encoded format, which I think is aesthetically awful. But I haven't come up with any brilliant solutions myself.

CircleID: Despite various theories around the lifetime of IPv4, the shift to IPv6 is inevitable and perhaps even sooner than anticipated according to a recent report by CAIDA. The new edition of DNS and BIND also touches on the subject matter. Could you tell us about the future of DNS from an IPv6 standpoint?

Cricket Liu: DNS and BIND both have been ready for IPv6 for some time. One of the drivers behind BIND 9's development was support for IPv6, both the complex A6- and bitstring-label-based mappings and IPv6 as a transport. (IPv6 forward and reverse mapping since been simplified.) Support for an IPv6 transport was even grafted into BIND 8 with 8.3.

IPv6 will undoubtedly make the management of IP addresses more cumbersome. Simply entering a AAAA record (an IPv6 address record) correctly is a challenge, as is reverse mapping. I expect this will drive up demand for DNS management products, as people realize they can't make do with vi any more.

CircleID: Are there any other thoughts that you would like to share with the community?

Cricket Liu: I think it's clear that all these new applications of and extensions to DNS obsolete the traditional way of managing name servers and zone data with text-based configuration and zone data files. The only change we've seen thus far that's given us even an inkling of what's to come is the advent of dynamic update, NOTIFY and IXFR. Now we're looking at ENUM, DNS-based email authentication and authorization mechanisms, IPv6, Internationalized Domain Names and DNSSEC. If only two of these gain widespread adoption, we're still looking at a major overhaul of the way we manage name servers and zone data. This will only be possible if vendors provide the tools administrators need.

Finally, I'd like to just say "thanks." "DNS and BIND" has been more successful than I ever dreamed it would be, and the readers I meet are always gracious and kind. I really appreciate them and hope they find the new edition helpful — and worth the wait.

* * *

Free Book Release Webinar:

The Next Chapter in DNS and BIND — May 11, 2006 Cricket Liu, along with Paul Vixie — author and primary architect of BIND 8 and president of the ISC — will cover emerging best practices in name server architecture as well as advanced topics in DNS that could mean big changes in how the Domain Name System is deployed and used. Whether you're an administrator involved with DNS on a daily basis or a user who wants to be more informed about the Internet and how it works, this webinar will bring you up to date with the latest changes in this crucial network service.

By CircleID Reporter

Related topics: DNS, DNS Security, Enum, IP Addressing, IPv6, Multilinguism, Privacy, Security, Spam, Telecom, VoIP



Re: Cricket Liu Interviewed: DNS and BIND, 5th Edition Jothan Frakes  –  May 11, 2006 2:41 PM PDT

Cricket, on behalf of the many, many of us that have DNS&BIND 1-4 (as well as the cookbook) on our bookshelves, I'd like to express gratitude to you that you have continued your excellence in authoring these great reference materials.

Re: Cricket Liu Interviewed: DNS and BIND, 5th Edition Cricket Liu  –  May 12, 2006 4:10 PM PDT

Thank you very much, Jothan!  I really appreciate it!

While I'm replying to an interview with myself, I may as well correct a mistake I made:  my understanding is that BIND 9.4.0 limits recursion to the built-in localnets ACL by default.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Announces .コム Domain Names Are Now Available for Anyone to Register