dnssec revision 95b6b97ae0942ceb8244693c3d68d2b396af9960
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.
DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.
Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes from
either /dev/random (if the OS supports it) or keyboard input. Alternatively,
a device or file containing entropy/random data can be specified.
Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include an
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.
Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard. A validator in this release can
therefore be made to accept a denial of existence for a name that a
wildcard in the zone would actually have matched.
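To make the wildcard gap described in the two sections above concrete, the following added example (not code from BIND 9 or from these notes) builds an RFC 2535 NXT chain for a constructed toy zone and checks "name does not exist" proofs two ways: leniently, as this release's validator does (one NXT covering the queried name is enough), and strictly, additionally requiring an NXT that covers the wildcard at the closest encloser. The zone contents, names and function names are assumptions made for the example; SIG records and signature verification are not modelled, so every NXT handed to the checker is taken to be validly signed.

```python
"""NXT chain construction and NXDOMAIN proof checking in the style of
RFC 2535.  Example code added to these notes, not part of BIND 9.
Zone contents below are constructed; SIG records and signature checks
are not modelled, so every NXT given to the checker is assumed to be
validly signed."""


def canonical_key(name):
    """Sort key for RFC 2535 section 8.3 canonical order: labels are
    compared right to left, case-folded, as byte strings, and a missing
    label sorts before any label (so 'example.' < '*.example.' < 'a.example.')."""
    labels = [label for label in name.lower().split(".") if label]
    return tuple(label.encode() for label in reversed(labels))


def common_ancestor(a, b):
    """Longest common suffix of two names, in presentation form."""
    ka, kb = canonical_key(a), canonical_key(b)
    n = 0
    while n < min(len(ka), len(kb)) and ka[n] == kb[n]:
        n += 1
    return ".".join(label.decode() for label in reversed(ka[:n])) + "."


def build_nxt_chain(zone):
    """zone: {owner name: set of type mnemonics}.  Returns
    {owner: (next owner, type bitmap)}; NXT and SIG are added to every
    bitmap and the last name's NXT points back to the zone apex."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        next_name = names[(i + 1) % len(names)]
        chain[owner] = (next_name, frozenset(zone[owner] | {"NXT", "SIG"}))
    return chain


def nxt_covers(owner, next_name, qname):
    """True if the NXT 'owner -> next_name' proves that qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # the last NXT in the chain wraps around to the apex


def validate_nxdomain(qname, nxts, require_wildcard_proof):
    """nxts: (owner, next) pairs from the authority section.
    Lenient mode is what this release does: one NXT covering qname suffices.
    Strict mode also demands an NXT covering '*.<closest encloser>', so a
    wildcard-synthesised answer cannot be turned into a denial of existence
    by replaying a genuine but unrelated NXT."""
    covering = [(o, n) for o, n in nxts if nxt_covers(o, n, qname)]
    if not covering:
        return False
    if not require_wildcard_proof:
        return True
    owner, next_name = covering[0]
    # The closest encloser (deepest existing ancestor of qname) is the longer
    # of qname's common ancestors with the two ends of the covering NXT.
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, next_name),
             key=lambda name: len(canonical_key(name)))
    wildcard = "*." + ce if ce != "." else "*."
    return any(nxt_covers(o, n, wildcard) for o, n in nxts)


# Constructed toy zones (assumed data).  In the first, the wildcard makes
# every otherwise-missing name directly under example. resolve to an A record.
ZONE_WITH_WILDCARD = {
    "example.":   {"SOA", "NS", "KEY"},
    "*.example.": {"A"},
    "a.example.": {"A"},
    "c.example.": {"A"},
}
ZONE_NO_WILDCARD = {k: v for k, v in ZONE_WITH_WILDCARD.items() if k != "*.example."}


def demo():
    """Returns (lenient, strict, honest): see the usage note."""
    chain = build_nxt_chain(ZONE_WITH_WILDCARD)
    # A genuine NXT from the signed zone (a.example. -> c.example.) replayed
    # as the only proof in an NXDOMAIN for b.example., which the wildcard
    # should really have answered.
    forged = [("a.example.", chain["a.example."][0])]
    lenient = validate_nxdomain("b.example.", forged, require_wildcard_proof=False)
    strict = validate_nxdomain("b.example.", forged, require_wildcard_proof=True)

    # Same query against the zone without the wildcard, with a complete proof:
    # one NXT covering b.example. and one covering *.example.
    chain = build_nxt_chain(ZONE_NO_WILDCARD)
    complete = [("a.example.", chain["a.example."][0]),
                ("example.", chain["example."][0])]
    honest = validate_nxdomain("b.example.", complete, require_wildcard_proof=True)
    return lenient, strict, honest


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Running demo() shows the lenient checker accepting a forged NXDOMAIN for b.example. assembled from one genuine NXT, even though *.example. exists in that zone and would have answered the query; the strict checker rejects it because no NXT in the response covers *.example., and accepts the same query against the zone without the wildcard once the response also carries the NXT example. -> a.example. that covers the wildcard name.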
Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.
Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
Performance of Cryptographic Operations

The cryptographic primitives used by the BIND 9 DNSSEC implementation
are based on the OpenSSL library. A version of that library is
integrated into the distribution, but for portability reasons this
version does not make use of any platform-specific assembly language.

On many platforms, particularly i386 and SPARC, a significant
improvement in signing and verification speed can be achieved by linking
BIND 9 with a separate OpenSSL library that uses hand-optimized
assembly language routines. To do this, install OpenSSL
version 0.9.5a or newer separately from the BIND 9 tree before
building BIND 9, using the default openssl configuration settings,
which cause it to be built with assembly language routines. Then
specify the "--with-openssl" option to the BIND 9 configure script
to make BIND 9 link against the system openssl library rather than its
own. For example, if openssl was installed under /usr/local, use
"configure --with-openssl=/usr/local".
$Id: dnssec,v 1.8 2000/08/03 18:53:53 gson Exp $