For the past few days, I’ve spent most of my reading time with a new book titled DNSSEC Mastery. The author of the book is Michael W. Lucas, again (from my not too long ago book review blog post, Absolute OpenBSD 2nd Edition). He’s now one of my favorite tech book author, upgraded from “favorite blog author”. The “upgrade” was done after reading another of his new book published by No Starch Press, Absolute OpenBSD 2nd Edition. This review is the result of my reading of DNSSEC Mastery. It may not be the whole truth, but at least this is what I’ve understand from it.
Here it goes:
In the first few chapters of DNSSEC Mastery, you’ll learn the different parts that make up DNSSEC. The author does a good job in explaining the details in plain simple terms in english with no nonsense attached. As usual, humors are part of it. Here’s a teaser, do you know where’s Farawayistan? I get to know it by reading the introductions. I’m telling you, don’t skip any chapters like what you would do normally on other books. You might miss some good lessons in the author’s writings.
I used to think the “dig” command output is “noisy” and straight away look at the “ANSWER SECTION” every time I execute it. After reading these chapters, all the noise has turn into useful information. Quoting from one of the lines in chapter 5: “Most people skip directly to this response, but everything before it is important.”
Although the technical aspect of setting up & maintaining DSNSEC has been written in a tutorial style (which is much easy to follow and execute), you’re advised to understand the basics of how things works in DNSSEC. This is important because it would help a lot later when going through the setup & maintenance of DNSSEC. If something goes wrong while implementing it, the debugging would required the understanding of these basics covered in these chapters.
Starting chapter 6, 7 and 8, the real work begins. The book will walk you through on how to implement DNSSEC onto your domain. As I’ve mentioned it before, the steps are written in a tutorial style so you won’t have trouble following it. In between the steps, the author advises best practices as well as explaining some of important details of KSK & ZSK. It also covers the necessary DNS resource records (RR) that DNSSEC needs. Different methods will also be discuss on how it can be implemented.
Chapter 9, debugging. The author have taken great effort in identifying different cases that might cause problem when setting up & deploying a DNSSEC zone. Scenarios are covered in very plaintext fashion that makes it easy to dissect the problem. Even by reading it without hands-on trying these scenarios, I’ve learned much from it. This is coming from me, an DNS administrator setup & maintain more then a dozen of DNS servers.
Chapter 10, maintenance to DNSSEC zones. Yup, there’s maintenance over DNSSEC zones. These proactive measures applied to KSK & ZSK keys are equally important compare to the authenticities of zone records (DNSSEC). The best part is, it covers the aspects on how to reduce the down time of DNSSEC keys maintenance.
Chapter 11, talks about implementing DNSSEC in subdomain & private IP address. These zones are not part of the Chain of Trust and thus required another way to implement DNSSEC, Islands of Trust.
Chapter 12, bonus area. Making use of DNSSEC records to improve security area and making your user’s life easier. E.g. SSHFP. Hint, something to do with VPN. Another interesting part of this chapter, there’s another alternative to expensive CA authority SSL cert, by using DANE TLSA to validate certificate with DNSSEC TLSA record.
I recommend this book to anyone who wish to understand, then implement DNSSEC. This book will save you hours of trial & error before reaching where you wanna be. The author have make this book an easy to follow tutorial style. So that the reader can follow the setup with minimum difficulties.
Another value of reading this book is, the author did the homework of research and understanding the boring part on how DNSSEC works and present it in a manner that we can easily pickup and know how it works. This is one of the reason why I always love the author’s books because I have bought & read enough books to know that most of these are written in a reference styled (text books styled?). It dulls my mind so much that some times my brain refuse to acknowledge what my eyes is reading. The author’s writing make it easy for my brain to absorb, so that my eyes don’t whine about repeatingly reading the same paragraph again & again.
His writing style got the most points of why I’m attracted to his tech books. But to be fair, the way he narrated the technical knowledge of the books, are so much simple to read and understand. Often, to acquire the same level of knowledge, I would need a lot of reading plus trial & error. The author always do this right.
Pickup this book if you want an easy way to dive into DNSSEC.
*** Disclaimer, I got this copy of e-book from Michael himself. Nothing else. As I’ve mentioned earlier, I’m doing this review mainly hoping that Michael W. Lucas’s books would sell well and motivate him to write more great technical books. Also, I’m a big fan of Michael W. Lucas online blog (http://blather.michaelwlucas.com/), his blunt yet humorous way of conveying facts have always been an interesting read.