dnssec revision 95b6b97ae0942ceb8244693c3d68d2b396af9960

Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.
Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes from
either /dev/random (if the OS supports it) or keyboard input. Alternatively,
a device or file containing entropy/random data can be specified.
Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.
Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
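The gap described above is easiest to see with a checker that performs both halves of an RFC 2535 nonexistence proof: an NXT covering the queried name, and a second NXT covering the wildcard under the closest encloser. The following Python script is an added example, not part of these release notes or of the BIND9 code base; it models NXT records as (owner, next) pairs, implements canonical name ordering and the wrap-around of the last NXT in a zone, and the sample zone data at the bottom is constructed for the example.

```python
"""Added example: what a complete RFC 2535 nonexistence proof must contain.

The validator described in the release notes accepts a "name does not
exist" response as soon as one NXT record covers the queried name.  This
checker also looks for the NXT that covers the matching wildcard, so an
incomplete proof is reported as such.  NXT records are modelled as
(owner, next) pairs; the zone data below is constructed for this example.
"""


def _labels(name):
    """Split a dotted name into lowercase labels, dropping the root."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_cmp(a, b):
    """Canonical DNS ordering: compare label by label starting at the root;
    a name sorts before every name it is an ancestor of."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(reversed(la), reversed(lb)):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nxt_covers(owner, nxt, name):
    """True if name falls strictly between owner and next.  The last NXT in
    a zone points back at the apex, so its span wraps around."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def _common_ancestor(a, b):
    """Longest name that is an ancestor of (or equal to) both a and b."""
    shared = []
    for x, y in zip(reversed(_labels(a)), reversed(_labels(b))):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared)) + "."


def check_nxdomain_proof(qname, nxts):
    """Evaluate the NXT records from an NXDOMAIN response's authority section.

    Returns the individual findings; 'valid' is True only when both the name
    and the wildcard that could have matched it are proven not to exist.
    """
    res = {"name_covered": False, "wildcard": None, "wildcard_covered": False,
           "wildcard_exists": False, "valid": False}
    covering = None
    for owner, nxt in nxts:
        if canonical_cmp(owner, qname) == 0:
            return res  # an NXT owned by qname proves the name exists
        if nxt_covers(owner, nxt, qname):
            covering = (owner, nxt)
            break
    if covering is None:
        return res  # no NXT covers the name at all
    res["name_covered"] = True

    # The closest encloser is the longest ancestor of qname shared with either
    # end of the covering NXT; the wildcard that could have matched qname is
    # "*" directly under that name.
    owner, nxt = covering
    ce = max(_common_ancestor(qname, owner), _common_ancestor(qname, nxt),
             key=lambda n: len(_labels(n)))
    wildcard = ".".join(["*"] + _labels(ce)) + "."
    res["wildcard"] = wildcard

    for owner, nxt in nxts:
        if canonical_cmp(owner, wildcard) == 0:
            # The wildcard exists, so qname should have been synthesised from
            # it; an NXDOMAIN for qname cannot be genuine.
            res["wildcard_exists"] = True
            return res
        if nxt_covers(owner, nxt, wildcard):
            res["wildcard_covered"] = True
    res["valid"] = res["wildcard_covered"]
    return res


# Constructed sample zone example.com. containing example.com., a.example.com.
# and c.example.com.; its NXT chain therefore has three records.
SAMPLE_NXTS = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),
]

if __name__ == "__main__":
    print("complete proof :", check_nxdomain_proof("b.example.com.", SAMPLE_NXTS))
    print("name-only proof:", check_nxdomain_proof("b.example.com.", SAMPLE_NXTS[1:2]))
```

For b.example.com. the complete proof needs two NXTs: the one from a.example.com. to c.example.com. covers the name, and because "*" sorts before any letter, the one from example.com. to a.example.com. covers *.example.com. A response carrying only the first NXT is exactly what the validator in this release still accepts.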
Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.
Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
Performance of Cryptographic Operations

The cryptographic primitives used by the BIND 9 DNSSEC implementation
are based on the OpenSSL library. A version of that library is
integrated into the distribution, but for portability reasons this
version does not make use of any platform-specific assembly language.

On many platforms, particularly i386 and SPARC, a significant
improvement in signing and verification speed can be achieved by linking
BIND 9 with a separate OpenSSL library that uses hand-optimized
assembly language routines. To do this, you need to install OpenSSL
version 0.9.5a or newer separately from the BIND 9 tree prior to
building BIND 9, using the default openssl configuration settings,
which will cause it to be built with assembly language routines. Then
specify the "--with-openssl" option to the BIND 9 configure script
to make BIND 9 link against the system openssl library rather than its
own. For example, if openssl was installed under /usr/local, use
"configure --with-openssl=/usr/local".

$Id: dnssec,v 1.8 2000/08/03 18:53:53 gson Exp $