dnssec revision 1b855974958ebca91882c4b59f66c48dd5784b87

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


Key generation and signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html.

The random data used in generating DNSSEC keys and signatures
currently contains a significant pseudo-random component and is
therefore not cryptographically strong. We do not recommend that keys
generated by the key generation tools in this distribution be used in
production.


Serving secure zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC 2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include an
NXT record proving the nonexistence of the name itself, but do not
include the NXT record needed to prove that no wildcard matches the
name. Positive responses synthesized from a wildcard do not include
the NXT record proving that nothing more specific than the wildcard
(the queried name itself, or a closer wildcard) exists. Such responses
are therefore incomplete proofs under RFC 2535.


Secure resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT record needed to
prove the nonexistence of a matching wildcard; an incomplete denial
is thus accepted as if it were a full proof.
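
As an added illustration (Python written for these notes, not BIND9
code), the following shows what the wildcard gaps described under
"Serving secure zones" and here amount to in concrete terms: which NXT
records an RFC 2535 negative answer has to carry, which NXT a
wildcard-synthesized positive answer has to carry, and the
validator-side completeness check that the validator described above
does not yet make. The zone contents and query names are constructed;
NXT records are reduced to (owner, next) pairs, so type bitmaps,
KEY/SIG records and empty non-terminals are not modelled.

```python
"""Added example (Python written for these notes, not BIND9 code): the NXTs an
RFC 2535 negative answer must carry, and the validator-side completeness check
described as missing above. Zone content is constructed; NXTs are reduced to
(owner, next) pairs, so type bitmaps, KEY/SIG and empty non-terminals are not
modelled."""
from typing import Dict, List, Tuple

NXT = Tuple[str, str]  # (owner name, next owner name in canonical order)

# Constructed zone: apex plus a few names, one of them a wildcard.
ZONE_NAMES = ["example.", "a.example.", "sub.example.", "*.sub.example.", "www.example."]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 2535 section 8.1 ordering: compare labels from the root inward,
    case-insensitively; a name sorts before every name below it."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def key_to_name(key: Tuple[bytes, ...]) -> str:
    return ".".join(label.decode("ascii") for label in reversed(key)) + "."


def build_nxt_chain(names: List[str]) -> List[NXT]:
    """Each NXT points at the next owner in canonical order; the last wraps to the apex."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covers(nxt: NXT, name: str) -> bool:
    """True if `name` lies strictly inside the interval (owner, next)."""
    k, ko, kn = canonical_key(name), canonical_key(nxt[0]), canonical_key(nxt[1])
    if kn <= ko:  # the wrap-around record whose next name is the apex
        return k > ko or k < kn
    return ko < k < kn


def covering_nxt(chain: List[NXT], name: str) -> NXT:
    """The NXT that proves `name` does not exist; raises if it does exist."""
    for nxt in chain:
        if covers(nxt, name):
            return nxt
    raise ValueError(f"{name} exists in the zone; no NXT covers it")


def closest_encloser(names: List[str], qname: str) -> str:
    """Longest existing proper ancestor of qname."""
    existing = {canonical_key(n) for n in names}
    k = canonical_key(qname)
    for cut in range(len(k) - 1, -1, -1):
        if k[:cut] in existing:
            return key_to_name(k[:cut])
    raise ValueError(f"{qname} is not below the zone apex")


def nxdomain_proof(names: List[str], qname: str) -> Dict[str, NXT]:
    """Server side: the two NXTs an NXDOMAIN answer needs (one covering qname, one
    covering *.<closest encloser>). The notes above say BIND9 sends only the first."""
    chain = build_nxt_chain(names)
    wildcard = "*." + closest_encloser(names, qname)
    if canonical_key(wildcard) in {canonical_key(n) for n in names}:
        raise ValueError(f"{wildcard} exists: {qname} is a wildcard match, not NXDOMAIN")
    return {"qname": covering_nxt(chain, qname), "wildcard": covering_nxt(chain, wildcard)}


def wildcard_expansion_proof(names: List[str], qname: str) -> NXT:
    """Server side: for an answer synthesized from a wildcard, the NXT proving qname
    itself does not exist (nothing more specific matched). Also omitted per the notes."""
    wildcard = "*." + closest_encloser(names, qname)
    if canonical_key(wildcard) not in {canonical_key(n) for n in names}:
        raise ValueError(f"no wildcard {wildcard} matches {qname}")
    return covering_nxt(build_nxt_chain(names), qname)


def common_ancestor(a: str, b: str) -> str:
    ka, kb = canonical_key(a), canonical_key(b)
    n = 0
    while n < min(len(ka), len(kb)) and ka[n] == kb[n]:
        n += 1
    return key_to_name(ka[:n])


def nxdomain_response_complete(qname: str, response_nxts: List[NXT]) -> Tuple[bool, List[str]]:
    """Validator side, using only the NXTs in the response: complete only if some NXT
    covers qname and some NXT covers *.<closest encloser>, where the closest encloser
    is the longest name qname shares with the covering NXT's owner or next name."""
    covering_q = [n for n in response_nxts if covers(n, qname)]
    if not covering_q:
        return False, ["qname"]
    owner, nxt = covering_q[0]
    encloser = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
                   key=lambda n: len(canonical_key(n)))
    if any(covers(n, "*." + encloser) for n in response_nxts):
        return True, []
    return False, ["wildcard"]
```

Run against the constructed zone, nxdomain_proof(ZONE_NAMES,
"nope.example.") returns two different NXTs, one covering nope.example.
and one covering *.example.; handing only the first of them to
nxdomain_response_complete gets the answer rejected with the wildcard
proof flagged as missing. That single-NXT answer is the response the
server and validator described above would currently send and accept.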

Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work.

Handling of the CD (Checking Disabled) bit in queries is not yet fully
implemented; validation is currently attempted for all recursive
queries, even if CD is set.

$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $
