dnssec revision 1cb5d53b09cded8298285fdcdcc6a261f2b47afb
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.
Key generation and signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes from
either /dev/random (if the OS supports it) or keyboard input. Alternatively,
a device or file containing entropy/random data can be specified.
Serving secure zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.
Secure resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.
Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
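The wildcard gap described above for both the authoritative side (a negative response carries an NXT covering the queried name but none covering the wildcard that could have matched it) and the validating side (the resolver accepts such a response anyway) can be made concrete with a small checker. The following is an added example, not BIND code: it implements RFC 2535 canonical name ordering and NXT span coverage, derives the closest encloser from the covering NXT, and runs over constructed NXT records for a fictitious zone example.; every function name and the sample data are this example's own.

```python
"""Toy checker for RFC 2535 NXT-based nonexistence proofs (added example, not BIND code).

It shows why a "name does not exist" response that carries only the NXT
covering the queried name is an incomplete proof: the wildcard at the
closest encloser must also be proven nonexistent, or the name might have
been answered by wildcard expansion.
"""
from typing import List, Tuple

NxtRecord = Tuple[str, str]  # (owner name, next name), both absolute


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key giving RFC 2535 section 8.3 canonical order: labels compared
    right to left, case-insensitively, as octet strings (ASCII-only toy)."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nxt_covers(record: NxtRecord, name: str) -> bool:
    """True if name sorts strictly between the NXT owner and its next name,
    i.e. this NXT proves the name does not exist. The last NXT of a zone
    points back to the apex, so its span wraps around."""
    owner, nxt = (canonical_key(n) for n in record)
    key = canonical_key(name)
    if owner < nxt:
        return owner < key < nxt
    return key > owner or key < nxt


def closest_encloser(qname: str, covering_owner: str) -> str:
    """Longest existing ancestor of qname. Any existing ancestor of qname
    must be an ancestor-or-self of the covering NXT's owner (otherwise it
    would itself sort inside the NXT span), so take the longest common
    ancestor of the two names."""
    a, b = canonical_key(qname), canonical_key(covering_owner)
    shared = 0
    while shared < min(len(a), len(b)) and a[shared] == b[shared]:
        shared += 1
    labels = [l.decode() for l in reversed(a[:shared])]
    return ".".join(labels) + "." if labels else "."


def check_nxdomain_proof(qname: str, nxts: List[NxtRecord],
                         require_wildcard_proof: bool = True) -> Tuple[bool, str]:
    """Validate a 'name does not exist' response from its NXT records.

    require_wildcard_proof=False models the behaviour the release notes
    describe for this BIND9 release: only the name itself is checked.
    """
    covering = [r for r in nxts if nxt_covers(r, qname)]
    if not covering:
        return False, "no NXT covers the queried name"
    if not require_wildcard_proof:
        return True, "name proven nonexistent (wildcard not checked)"
    encloser = closest_encloser(qname, covering[0][0])
    wildcard = "*." if encloser == "." else "*." + encloser
    if any(canonical_key(r[0]) == canonical_key(wildcard) for r in nxts):
        return False, f"{wildcard} exists; a wildcard-expanded answer was expected"
    if not any(nxt_covers(r, wildcard) for r in nxts):
        return False, f"no NXT proves {wildcard} does not exist"
    return True, "name and closest-encloser wildcard both proven nonexistent"


# Constructed sample data for a fictitious zone example. (not real records).
# Zone contents: example., a.example., c.example.; the NXT chain is:
FULL_CHAIN: List[NxtRecord] = [
    ("example.", "a.example."),
    ("a.example.", "c.example."),
    ("c.example.", "example."),  # last record wraps around to the apex
]
# What the release notes say this server returns for b.example.: only the
# NXT covering the name, none covering *.example.
NAME_ONLY: List[NxtRecord] = [("a.example.", "c.example.")]
# A zone where *.example. exists, so b.example. should have been expanded
# rather than denied; the denial must not validate.
WILDCARD_ZONE: List[NxtRecord] = [
    ("example.", "*.example."),
    ("*.example.", "c.example."),
    ("c.example.", "example."),
]

if __name__ == "__main__":
    for label, nxts in (("full chain", FULL_CHAIN), ("name only", NAME_ONLY),
                        ("wildcard exists", WILDCARD_ZONE)):
        print(f"{label:16s} strict={check_nxdomain_proof('b.example.', nxts)}")
    print("name-only, lenient:",
          check_nxdomain_proof("b.example.", NAME_ONLY, require_wildcard_proof=False))
```

The lenient mode reproduces the accepted-but-incomplete case: a response containing only the NXT for a.example. passes the name check, while the strict mode rejects it because nothing in the response covers *.example. A validator that wants the full RFC 2535 guarantee needs both proofs in the response, which is exactly what this release neither sends nor demands.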
Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.
Secure dynamic update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.

$Id: dnssec,v 1.7 2000/07/29 00:24:06 bwelling Exp $