dnssec revision 2834197ede0bfaec5b57cb1666e0c21f76408570
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


Key generation and signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html.

The random data used in generating DNSSEC keys and signatures comes from
/dev/random if the OS supports that. Otherwise, the DNSSEC tools must
be fed a file containing entropy/random data. Future releases will allow
entropy to be entered manually from the keyboard.


Serving secure zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.


Secure resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.

Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work in all cases.

Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if
CD is set.


Secure dynamic update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
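The two configuration statements these notes refer to, the "trusted-keys" clause that enables validation in a caching server and the "update-policy" statement that restricts secure dynamic updates, shown together in one named.conf fragment. This is an added example, not text from the BIND9 release notes or source tree; the zone names, key names and key material are placeholders.

```conf
// Added example (not from BIND9): named.conf fragment tying together the
// trusted-keys clause and an update-policy on a signed zone.

// Enables DNSSEC validation in the caching server. The trust anchor is the
// top-level zone key of the DNSSEC tree (here the root zone, "."). Fields:
// name, flags, protocol, algorithm, base64 public key. Flags 256 sets the
// RFC 2535 zone-key bit; protocol 3 is DNSSEC; algorithm 3 is DSA
// (algorithm 1 would be RSA/MD5). The key data below is a placeholder.
trusted-keys {
    "." 256 3 3 "<base64 public key of the root zone key goes here>";
};

// TSIG key used to authenticate dynamic update requests (placeholder secret).
key "update-key" {
    algorithm hmac-md5;
    secret "<base64 shared secret goes here>";
};

// A signed zone that accepts dynamic updates. The server updates the
// affected NXT and SIG records itself after each update; update-policy
// limits the holder of "update-key" to A records of names under
// dyn.example.com, so it cannot touch the zone apex, KEY records or the
// rest of the zone.
zone "example.com" {
    type master;
    file "example.com.signed";
    update-policy {
        grant update-key subdomain dyn.example.com. A;
    };
};
```

A zone using update-policy must not also carry an allow-update statement; the two access-control forms are mutually exclusive.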

$Id: dnssec,v 1.4 2000/06/22 00:14:36 tale Exp $