Copyright (C) 2000-2002, 2004, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
the OpenSSL library. As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl". If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
specified.


Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.


Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.


Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.


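As an added illustration, not part of these notes or of the BIND distribution, the following named.conf fragment ties together the three configuration points made above: a "trusted-keys" clause holding the top-level zone key used for validation, a TSIG "key" that restricts zone transfers in place of the RFC2535 section 5.6 mechanisms, and an "update-policy" that lets a host's own key change only its own address records. The zone name, key names and base64 values are placeholders.

```conf
// Added example, not from the BIND distribution. Names and secrets are placeholders.

// TSIG key shared with the secondary servers; used to authenticate zone transfers.
key "xfer-key" {
	algorithm hmac-md5;
	secret "PLACEHOLDER_BASE64_TSIG_SECRET==";
};

// TSIG key held by one host; its name doubles as the update-policy identity.
key "host1.example.com." {
	algorithm hmac-md5;
	secret "PLACEHOLDER_BASE64_TSIG_SECRET==";
};

// Trust anchor for validation: the top-level zone key, given as
// flags, protocol, algorithm and the base64 key material.
trusted-keys {
	"." 256 3 1 "PLACEHOLDER_BASE64_ZONE_KEY";
};

zone "example.com" {
	type master;
	file "example.com.signed";

	// Transfers go only to peers that sign the request with xfer-key,
	// rather than relying on RFC2535 section 5.6.
	allow-transfer { key xfer-key; };

	// Least privilege for dynamic update: an update signed with the
	// host1 key may add or remove only A records at host1's own name;
	// any other change is refused and logged.
	update-policy {
		grant host1.example.com. name host1.example.com. A;
	};
};
```

Because "update-policy" and "allow-update" are mutually exclusive, leave "allow-update" out of a zone that uses a policy.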
$Id: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $