training & consulting |  about the author |  forums |  Mail Me 

If you are comfortable thats OK but your browser may be giving you less than optimum performance on our site. We recommend using a version 5 browser including Mozilla

Pro DNS and BIND

This page contains my supplementary notes (marked N) and any discovered errata (marked E) under each chapter and appendix. Unless otherwise noted if an error affects a file or a fragment, the latest copy of the files (on left hand menu) will include the correction - see Change Log in readme.txt for details.

Notes and Errata

Chapter 1, "An Introduction to DNS" (18 pages)

(E) First Note on Page 5. Those skilled in simple arithmetic who read this before the year 2013 will note that 'over a quarter of a century' is not correct. If you will allow a modest bit of hyperbole perhaps I could get away with 'almost a quarter of a century'. In any case the last sentence of this note holds true. A core, heavily used Internet technology, is still in every day use after all this time.

(N) Page 9. Root DNS Operations. The book was written before the most recent controversy over the US Dept. of Commerce's statements on ICANN oversight embodied in the MOU. The historic 'light rein' approach taken by the Dept. of Commerce, which has apparently now ended, probably requires a more thorough - but short - explanation of the relationship with the detail added to Appendix A

Chapter 2,"Zone Files and Resource Records" (18 pages)

(E) Page 24. Figure 2-1. The text on the top left hand side of the figure should read "example.com site Location A".

Chapter 3,"DNS Operations" (20 pages)

(E) The PTR RR description on page 30 confuses good practice with functionality. The text incorrectly states that only one PTR RR may be defined for any IP address. As with most other RRs, multiple PTR RRs (an RRset) may be defined. However a number of tests were run during the writing of the book on a captive network including the use of multiple PTR RRs in a variety of sequences. If the mail server PTR record was not the first then the test SMTP system (a popular Open Source system) refused to accept mail. In the case where multiple PTR RRs were returned the test SMTP server did not iterate through the RRset. It has been brought to the author's attention that not all SMTP systems would fail in this way. Nevertheless, to be absolutely safe it is recommended that to ensure all SMTP servers will handle mail correctly that where a host provides multiple services, one of which is mail, then a single PTR RR defining the name of the mail host should appear in the reverse map zone file.

Chapter 4,"DNS Types" (14 pages)

Chapter 5, "DNS and IPv6" (13 pages)

(E) Page 80 Missing colon. The following example is incorrect:

# omitting multiple zeros in address
2001:db8:0:0:0:0:0:3f
# can be written as
2001:db8:3f
The second colon, necessary when omitting all zero address elements, has been incorrectly left out in this example. The other 6 examples on this page, all illustrating the same point are, however, correct. The last line of the above example should have a second colon and should read:
2001:db8::3f

Chapter 6, "Installing BIND" (21 pages)

Chapter 7,"BIND Type Samples" (32 pages)

Many thanks for the helpful comments received on this chapter from Florian Dazinger.

(N) General. A pid-file statement should be added to each general options clause in case the distribution/configure was incorrectly defined. All samples should show a Closed DNS (disallowing recursive queries from non-local sources unless required). The sample configuration files have been enhanced.

(E) Slave DNS Server Page 136 brackets () in masters statement in example.con zone clause should be braces {}:

 // shown as masters (192.168.254.2;); should be
 masters {192.168.254.2;};

(E) Fowarding DNS Server Page 140 missing semi-colon in allow-transfers statement in main options clause:

 // shown as allow-transfer {"none"}; should be
 allow-transfer {"none";};

(E) Authoritative-only DNS Server Page 146 missing semi-colon in allow-transfers statement in main options clause:

 // shown as allow-transfer {"none"}; should be
 allow-transfer {"none";};

Corrections added to downloadable files.

(E) Page 148 4th bullet should reference the "goodguys" viw not the "badguys". My thanks to Evi Nemeth for pointing out this and a number of other errors and typos. Great eyes and attention to detail speaks to the high quality of her own books in the field of systems administration.

Chapter 8, "Common DNS Tasks" (25 pages)

(E) Define an SPF Record section, pages 173, 174 (macro-expansion) and page 177 (macro expansion example) all use parenthesis as the enclosing method - this is incorrect and should be replaced with braces - curly brackets {}.

(E) Out-of-Sequence Serial Numbers section (page 179). In the sentence beginning "Assuming the changed serial number was set to 2004022900" the serial number is incorrect and should read "Assuming the changed serial number was set to 2003022900" but does not otherwise affect the described corrective action.

Chapter 9, "DNS Diagnostics and Tools" (47 pages)

Chapter 10,"DNS Secure Configurations" (41 pages)

(E) Figure 10-2 incorrectly reproduces Figure 10-1. The author's original (highly non-professional) diagram is reproduced here to illustrate the use of shared-secret cryptography.

shared-secret cryptography

Figure 10-2 Symmetric, or shared-secret, cryptography

Chapter 11,"DNSSEC" (44 pages)

(E) Page 295 Bullet point 2. The text incorrectly refers to the fact there are two NSEC records to cover the last A RRset in the signed zone file. NSEC and RRSIG records always cover RRsets not individual RRs as stated in the following bullet.

(E) Page 305. The record following the NSEC ldap._tcp.example.com is incorrectly defined as RSIG and should be RRSIG.

(E) Page 314. The subdomain file contains errors in the SOA and both NS RRs and the corrected version is reproduced here:

$TTL 86400 ; 1 day
$ORIGIN sub.example.com.
@            IN SOA ns3.sub.example.com. hostmaster.example.com. (
                     2005032902 ; serial
                     10800      ; refresh (3 hours)
                     15         ; retry (15 seconds)
                     604800     ; expire (1 week)
                     10800      ; minimum (3 hours)
                     )
              IN NS ns3.sub.example.com.
              IN NS ns4.sub.example.com.
              IN MX 10 mail.example.com.
ns3           IN A 10.2.3.4
ns4           IN A 10.2.3.5
fred          IN A 10.1.2.1
$INCLUDE Ksub.example.com.+005+48560.key ; ZSK
$INCLUDE Ksub.example.com.+005+64536.key ; KSK

The correct version of this file is also shown in the signed extract on pages 314-315.

(E) Page 320. The dnssec-keygen command line has a gratuitous 1024 after the -f KSK argument. The command should be:

dnssec-keygen -a rsasha1 - b 1024 -f KSK -n zone example.com

(E) Figure 11-7 Page 323. The diagram contains the text div.example.net in two locations. This should be dlv.example.net which is referenced in the text.

(E) Pages 325, 326, 327 the dnssec-lookaside statements all contain refrences to 'trusted-anchor' this should be replaced with 'trust-anchor'. The dnssec-lookaside statement defined on page 397 is correct and should be used as the definite source for this statement.

(E) Page 327. The third dnssec-lookaside statement is wrong and should read:

dnssec-lookaside "example.org" trust-anchor "dlv.example.com";

Chapter 12,"BIND Configuration Reference" (72 pages)

(N) Table 12-6 Pages 359 - 363. Since the release of BIND 9.3.x a number of statements are now allowed in the server clause. As of BIND 9.6.1 this list includes:

edns-udp-size (new to server clause)
max-udp-size (new - post BIND 9.3.x)
notify-source (new to server clause)
notify-source-v6 (new to server clause)
query-source (new to server clause)
query-source-v6 (new to server clause)

(E) Page 392. forward statement. The last sentence should read 'This statement may be used in a zone, view or global options clause.'

(E) Page 395. The sortlist statement example is missing a level of braces. The statement in the book is syntactically correct but will not give the desired results as described in the following text. The following is correct and contains further comments to assist readers. Many thanks to David Nolan for pointing this out.

options {
    ....
    sortlist {
    {// 1st preference block start
     192.168.4/24;  // 1st client IP selection matches any of these
     {10.2/16;   // return any of these response IPs as 1st preference
      172.17.4/24;  // 2nd preference
     };
    }; // end first block
    { // second preference block
     192.168.5/24;  // 1st client IP selection matches any of these
     {192.168.4/24;   // return any of these response IPs as 1st preference
      172.17.4/24;  // 2nd preference
      10.2/16;  // 3rd preference
     };
    }; // end second block
   }; // end sortlist
};

Chapter 13,"Zone File Reference" (66 pages)

(N) Page 415. In the description of the name field the third bullet is incomplete. When a blank (tab) or space is used the $ORIGIN is substituted only on its first occurrence. Following a subsequent $ORIGIN, for instance when defining a subdomain, a blank name field will substitute the previous name value only. In order to force use of the preceding $ORIGIN in this case an @ must be used. The following zone file fragment illustrates this in more detail:

; zone file
$TTL 2d
$ORIGIN example.com.
; $ORIGIN is substituted in the following RR
        SOA ns1 hostmaster (....)
; could also be written as 
@       SOA ns1 hostmaster (....)
...
www     A 192.158.2.1
$ORIGIN sub.example.com.
    NS   ns1
; in the above RR the name (label) substituted will be www.example.com
; NOT sub.example.com
; in order to force the $ORIGIN an @ must be used as follows
@   NS   ns1
; in the above RR the label substituted will be sub.example.com

(N) DLV is described in RFC 4431 which has Informational status only.

Chapter 14,"BIND APIs and Resolver Libraries" (31 pages)

(E) Page 498. The second last line should read ".. , respectively getaddrinfo() and getnameinfo() should be used for all new"

Chapter 15,"DNS Messages and Records" (23 pages)

Appendix A,"Domain Name Registration" (8 pages)

(N) Additional FAQ about the ICANN/US Dept. of Commerce MOU.

Appendix B,"DNS RFCs" (3 pages)

Additional Material

In addition, the author maintains a web site about the book (www.netwidget.net/books/ apress/dns) that covers additional material, including links to alternative DNS software, resolver language bindings, and background reading on various topics covered in the book, which may be of use to the reader.



Problems, comments, suggestions, corrections (including broken links) or some thing to add? Please take the time from a busy life to 'mail me' (at top of screen), the webmaster (below) or info-support at netwidget. You will have a warm inner glow for the rest of the day.

Copyright © 2003 - 2017 NetWidget, Inc.
All rights reserved. Legal and Privacy
 
site by zytrax
Questions to web-master at netwidget
Page modified: July 11 2011.

Stuff

training courses

book stuff

home
short contents
full contents
notes & errata
files (1.1) zip
files (1.1) tarball

where to buy

Apress
amazon.com
barnes & noble
bookpool.com

book links

governance
dns software
libraries
security
dnssec
ipv6
dns telephony

articles

index
death of hope
Open DNS
DNSBLs
DLV
commercial DNSSEC
why DNSSEC?
short TTLs

Failover Strategies
TTLs revisited
DNSSEC Adds Value?

useful stuff

zytrax dns info
dnssec.net
bind9.net