
2016-01-16 BIND DNS book

Last month we published another BIND DNS book: the second edition of our custom, extended and improved reference manual. The first edition was printed in September 2007. Since then we have published around nine other books (including a printed DNSSEC specifications book), and I started working full time in the DNS field (probably because the first edition helped get me in the door). For the first few years we sold lots of copies, and the book was handed to many BIND DNS students throughout the world. We were asked several times for an updated edition, but each time we got started we fell far behind as the technology (and the book) kept changing. The first edition was written in LyX without any real revision control; the second edition was written in DocBook and tracked in Git.

Since the first edition, BIND added many new features, including:

  1. dlz search
  2. logging file versions
  3. DSCP support for traffic classification for quality of service
  4. managed-keys for automated updates of DNSSEC trust anchors
  5. rndc addzone, delzone (and allow-new-zones)
  6. rndc flushtree to selectively remove a name and everything below it from the cache
  7. auto-dnssec for automated signing
  8. rndc signing
  9. rndc scan and automatic-interface-scan
  10. bindkeys-file
  11. check-dup-records
  12. check-spf
  13. deny-answer-addresses and deny-answer-aliases for content filtering to prevent DNS rebinding attacks
  14. disable-ds-digests
  15. dns64 for synthesizing AAAA records from IPv4 addresses for IPv6-only clients
  16. dnssec-loadkeys-interval
  17. dnssec-secure-to-insecure
  18. dnssec-update-mode
  19. dnssec-validation auto
  20. filter-aaaa and filter-aaaa-on-v4 and filter-aaaa-on-v6
  21. GeoIP (and geoip-directory)
  22. inline-signing
  23. max-recursion-depth and max-recursion-queries
  24. max-rsa-exponent-size
  25. max-zone-ttl
  26. no-case-compress
  27. nosit-udp-size
  28. prefetch to requery for popular lookups to keep in cache
  29. rate-limit (with 15 options)
  30. request-nsid
  31. reserved-sockets
  32. resolver-query-timeout
  33. response-policy (with 9 policies)
  34. rndc secroots and secroots-file
  35. serial-update-method
  36. session-keyalg, session-keyfile, and session-keyname
  37. sig-signing-nodes, sig-signing-signatures, sig-signing-type, and sig-validity-interval
  38. tkey-gssapi-keytab
  39. use-v4-udp-ports and use-v6-udp-ports
  40. dnssec-dnskey-kskonly
  41. masterfile-format to store zone files in the binary raw or map formats instead of text
  42. named changed its behavior to preserve the case of names in responses, which can be turned off with no-case-compress
  43. dlz
  44. in-view to share one zone's data between views
  45. static-stub zones
  46. redirect zones
  47. additional update-policy policies: local, tcp-self, 6to4-self, zonesub, and external
  48. server-addresses and server-names
  49. rndc sync
  50. rndc zonestatus
  51. delv tool
  52. dnssec-checkds tool
  53. dnssec-coverage tool
  54. dnssec-dsfromkey tool
  55. dnssec-importkey tool
  56. dnssec-keyfromlabel tool
  57. dnssec-revoke tool
  58. dnssec-settime tool
  59. dnssec-verify tool
  60. named-journalprint tool
  61. named-rrchecker tool
  62. ddns-confgen tool
  63. arpaname tool
  64. genrandom tool
  65. isc-hmac-fixup tool
  66. nsec3hash tool

In addition, some features were deprecated or changed:

Our book also covers several other bleeding-edge features, such as:

  1. dyndb (dynamic database) for external data source
  2. buffered logging
  3. lwres-clients and lwres-tasks
  4. DNS cookies with cookie-algorithm, cookie-secret, nocookie-udp-size, require-server-cookie, send-cookie
  5. fetch-quota-params, fetches-per-server, fetches-per-zone
  6. files to limit the number of concurrently open files
  7. geoip-use-ecs
  8. keep-response-order
  9. masterfile-style
  10. notify-rate and startup-notify-rate
  11. rndc nta for Negative Trust Anchors to temporarily disable DNSSEC validation (with nta-lifetime and nta-recheck)
  12. nxdomain-redirect
  13. request-expire
  14. response-policy log
  15. serial-update-method date
  16. servfail-ttl to cache SERVFAIL responses
  17. v6-bias
  18. edns-version
  19. tcp-only
  20. rndc managed-keys
  21. rndc modzone and showzone
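The two lists above only name the options. As an added example (written for this edit; it is not code from the book, from the author or from ISC's documentation), here is a named.conf fragment for a recursive resolver that wires several of the security-relevant options from both lists together: DNSSEC validation, prefetch, rate-limit, the deny-answer-* rebinding defense, recursion and fetch limits, SERVFAIL caching, DNS cookies, negative-trust-anchor lifetimes and a response-policy zone. It assumes a BIND release in which all of these exist (9.11 or later, since the cookie options replaced the earlier nosit-udp-size and nta-lifetime, nta-recheck and servfail-ttl arrived in 9.11). The ACL name trusted-clients, the internal domain corp.example, the RPZ name rpz.example, the file paths and the address ranges are placeholders to be replaced with your own.

```conf
// Added example, not from the book: a recursive resolver named.conf.
// Assumes BIND 9.11 or later; ACL name, domains, paths and prefixes are placeholders.

acl "trusted-clients" { 127.0.0.1; ::1; 192.0.2.0/24; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { "trusted-clients"; };   // never an open resolver
    allow-recursion { "trusted-clients"; };

    // DNSSEC validation with the built-in root trust anchor, maintained
    // automatically via managed-keys (RFC 5011)
    dnssec-validation auto;

    // Keep popular names warm: re-query an RRset when its remaining TTL
    // falls to 2 seconds, if its original TTL was at least 9 seconds
    prefetch 2 9;

    // Response rate limiting against reflection/amplification abuse
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;                               // every 2nd dropped reply is sent truncated, forcing TCP
        exempt-clients { 127.0.0.1; ::1; };
        log-only no;
    };

    // DNS rebinding defense: refuse answers from external zones that point
    // into private address space or alias into our internal names, except
    // when the answer comes from the internal zone itself
    deny-answer-addresses { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
                            127.0.0.0/8; 169.254.0.0/16; ::1/128; fc00::/7; }
        except-from { "corp.example"; };
    deny-answer-aliases { "corp.example"; } except-from { "corp.example"; };

    // Bound the work a single query can cause (chained CNAMEs, deep delegations)
    max-recursion-depth 7;
    max-recursion-queries 75;

    // Limit outstanding fetches so a slow or unresponsive authority cannot
    // tie up the resolver; excess queries are dropped
    fetches-per-server 500 drop;
    fetches-per-zone 200 drop;

    // Cache SERVFAIL for one second so a failing name does not trigger a retry storm
    servfail-ttl 1;

    // DNS cookies (RFC 7873): send them, but do not yet require them from servers
    send-cookie yes;
    require-server-cookie no;

    // Negative trust anchors added with "rndc nta" expire after 3600 s and
    // are re-checked every 300 s to see whether validation works again
    nta-lifetime 3600;
    nta-recheck 300;

    // Response Policy Zone: the RPZ records decide the action per name
    // ("policy given"); log every hit
    response-policy { zone "rpz.example" policy given log yes; };
};

// The local RPZ is consulted internally only; never serve or transfer it
zone "rpz.example" {
    type master;
    file "/etc/bind/db.rpz.example";
    allow-query { none; };
    allow-transfer { none; };
};
```

Check the file with named-checkconf before reloading. Note the asymmetry in the rebinding settings: deny-answer-addresses protects against external names resolving to internal addresses, while deny-answer-aliases protects against external names CNAMEing into the internal namespace; both need the except-from clause or the internal zone's own answers are filtered too. A temporary negative trust anchor for a domain whose DNSSEC is broken is added with a command such as rndc nta -lifetime 1h broken.example and disappears on its own after the configured lifetime.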

The BIND DNS Administration Reference book is the only printed book covering all these topics; the most popular DNS book is ten years old and so cannot cover the features above. Our book also includes installation, examples of using vendor packages and lots of other original content, plus detailed indexing and additional cross-referencing.

Book details are at http://www.reedmedia.net/books/bind-dns/ or order it from your favorite book store.