latest edition of the very popular DNS and BIND book -- often referred to as the bible of DNS -- CircleID has caught up with Cricket Liu, co-author and a world renowned authority on the Domain Name System. In this interview, Cricket Liu talks about emerging issues around DNS such as security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework). "Cricket Liu: We're now seeing more frequent attacks against DNS infrastructure. ...Turns out that name servers are terrific amplifiers -- you can get an amplification factor of nearly 100x. These attacks have raised awareness of the vulnerability of Internet name servers, which is possibly the only positive result..."" />
In follow-up to recent announcement on the release of the latest edition of the very popular DNS and BIND book — often referred to as the bible of DNS — CircleID has caught up with Cricket Liu, co-author and a world renowned authority on the Domain Name System.
In this interview, Cricket Liu talks about emerging issues around DNS such as security and IPv6 support, and important new features such as internationalized domain names, ENUM (electronic numbering), and SPF (the Sender Policy Framework).
In his current role as the Vice President of Architecture at Infoblox, Cricket helps guide development of the product strategy and service offerings, and serves as a liaison between Infoblox and the technical community. He previously worked for Hewlett-Packard for nearly ten years, where he ran hp.com, one of the largest corporate domains in the world, and helped found HP's Internet consulting business. Cricket later co-founded his own Internet consulting and training company, Acme Byte & Wire. After Network Solutions acquired Acme Byte & Wire, Cricket became Director of DNS Product Management.
CircleID: Let's start by going over key additions to the upcoming 5th edition of DNS and Bind book. Could you talk a little about the overall updates and additions that the new edition is bringing to the DNS community? (Also perhaps some key factors that have inspired the additions.)
Cricket Liu: I think one of the most significant additions is a new chapter on DNS architecture. Until now, there's been almost no formal coverage of DNS architecture. Administrators have had to learn how to design large-scale DNS infrastructure through trial and error, apprenticeship, or following the relevant mailing lists and newsgroups, hoping for the occasional hint from an expert. Perhaps because of this, the DNS infrastructure on many large networks has no formal, documented design. The chapter I added is by no means comprehensive, but I hope administrators will find it useful and that it can become the basis for more formal treatment of DNS architecture.
Of course, as with any new edition, we cover the latest versions of BIND: BIND 9.3.2 and 8.4.7. And we describe many new extensions to and applications of DNS, including DNSSECbis, ENUM, SPF, Internationalized Domain Names, and more. And, we finally dropped coverage of BIND 4.
CircleID: Obviously today DNS security is an important issue and a lot of focus has been give to measures such as DNS Security Extensions (DNSSEC). Could you expand a little on this topic and critical threats that are faced by administrators today?
Cricket Liu: We're now seeing more frequent attacks against DNS infrastructure. Recently, for example, we saw a spate of what are referred to as "DNS amplification" attacks in which open recursive name servers are used as amplifiers to swamp targets on the Internet. Turns out that name servers are terrific amplifiers — you can get an amplification factor of nearly 100x. These attacks have raised awareness of the vulnerability of Internet name servers, which is possibly the only positive result.
We can address the particular vulnerability that facilitates this attack by limiting access to recursion on Internet-accessible name servers — a measure that's described in the book. (In fact, Infoblox has always shipped its appliances with recursion disabled by default. I understand that ISC will begin shipping BIND with recursion off with the release of BIND 9.4.0.) For other categories of threats, such a cache poisoning, extensions to the DNS protocol such as DNSSEC can help. DNSSEC applies asymmetric cryptography to DNS to allow administrators to digitally sign zones. DNSSEC was fairly extensively rewritten after the fourth edition of the book, so the fifth edition describes this new version of DNSSEC, sometimes called DNSSECbis.
CircleID: Let's move on to the other popular topic that the book is covering — namely Telephone Number Mapping (ENUM). Could you touch on some critical aspects in this area?
Cricket Liu: ENUM is a new application of DNS, which allows DNS to map E.164 numbers to URIs. E.164 is the world standard for telephone numbers, including country code, city or area code, and so on. Basically, the idea behind ENUM is to make it possible for VoIP phones to complete calls over the Internet to other VoIP phones using just a standard phone number, as opposed to a URI (say sip:email@example.com).
I think ENUM will present some interesting challenges to DNS administrators. First, the record type ENUM uses, the NAPTR record, is syntactically fairly nasty. Also, ENUM data is really data about people, not the kind of data administrators are accustomed to working with. How often will the data change? Will users need to modify it themselves? How will administrators accommodate that?
Storing this type of data in DNS also brings up data privacy and integrity issues. How do we maintain the integrity of ENUM data? Do we need to use DNSSEC to sign ENUM zones? How can we grant access to our ENUM data only to authorized individuals? DNS implementations may not provide the granularity of control we need.
CircleID: Internationalized Domain Names or IDN is another particularly hot and complicated debate that has been going on for sometime now. What are your views on IDN's current and upcoming developments?
Cricket Liu: I'm as eager as anyone to see whether Internationalized Domain Names catch on. With the release of IE 7.0 later this year, we'll have support for Internationalized Domain Names in all of the major browser platforms. That should provide the potential audience to induce companies to invest in the registration and setup of these domain names — assuming they have any interest at all.
The homograph issue — the risk of confusing visually identical but distinct characters — hasn't yet been solved. At least one browser, I believe, actually displays Internationalized Domain Names in their ACE-encoded format, which I think is aesthetically awful. But I haven't come up with any brilliant solutions myself.
CircleID: Despite various theories around the lifetime of IPv4, the shift to IPv6 is inevitable and perhaps even sooner than anticipated according to a recent report by CAIDA. The new edition of DNS and BIND also touches on the subject matter. Could you tell us about the future of DNS from an IPv6 standpoint?
Cricket Liu: DNS and BIND both have been ready for IPv6 for some time. One of the drivers behind BIND 9's development was support for IPv6, both the complex A6- and bitstring-label-based mappings and IPv6 as a transport. (IPv6 forward and reverse mapping since been simplified.) Support for an IPv6 transport was even grafted into BIND 8 with 8.3.
IPv6 will undoubtedly make the management of IP addresses more cumbersome. Simply entering a AAAA record (an IPv6 address record) correctly is a challenge, as is reverse mapping. I expect this will drive up demand for DNS management products, as people realize they can't make do with vi any more.
CircleID: Are there any other thoughts that you would like to share with the community?
Cricket Liu: I think it's clear that all these new applications of and extensions to DNS obsolete the traditional way of managing name servers and zone data with text-based configuration and zone data files. The only change we've seen thus far that's given us even an inkling of what's to come is the advent of dynamic update, NOTIFY and IXFR. Now we're looking at ENUM, DNS-based email authentication and authorization mechanisms, IPv6, Internationalized Domain Names and DNSSEC. If only two of these gain widespread adoption, we're still looking at a major overhaul of the way we manage name servers and zone data. This will only be possible if vendors provide the tools administrators need.
Finally, I'd like to just say "thanks." "DNS and BIND" has been more successful than I ever dreamed it would be, and the readers I meet are always gracious and kind. I really appreciate them and hope they find the new edition helpful — and worth the wait.
Free Book Release Webinar:
The Next Chapter in DNS and BIND — May 11, 2006 Cricket Liu, along with Paul Vixie — author and primary architect of BIND 8 and president of the ISC — will cover emerging best practices in name server architecture as well as advanced topics in DNS that could mean big changes in how the Domain Name System is deployed and used. Whether you're an administrator involved with DNS on a daily basis or a user who wants to be more informed about the Internet and how it works, this webinar will bring you up to date with the latest changes in this crucial network service.
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Minds + Machines
Afilias - Mobile & Web Services