dnssec revision c81bf797a812236e4a6d13a6473bc029d7ce280a
DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.

Key generation and signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found

The random data used in generating DNSSEC keys and signatures
currently contains a significant pseudo-random component and is
therefore not cryptographically strong. We do not recommend that keys
generated by the key generation tools in this distribution be used in

Serving secure zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.

Secure resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
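As an added illustration (not part of the original notes and not BIND's code), the following Python check shows what a complete RFC 2535 name-error proof has to contain: one NXT covering the queried name and, separately, one covering the wildcard at the closest encloser. A validator that accepts the first without the second has exactly the gap described above. The NXT chain for example.com. is constructed sample data.

```python
# Added example (not BIND code): the two NXT checks an RFC 2535 validator needs
# before accepting a "name does not exist" response. NXT records are modelled
# as (owner, next_name) tuples; the zone data at the bottom is constructed.

def canonical_key(name):
    """RFC 2535 canonical order: labels compared right to left, case-insensitively."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nxt_covers(nxt, name):
    """True if name sorts strictly between the NXT owner and its next name."""
    k_owner, k_next, k = (canonical_key(x) for x in (nxt[0], nxt[1], name))
    if k_owner < k_next:
        return k_owner < k < k_next
    return k > k_owner  # the zone's last NXT wraps around to the apex

def closest_encloser(qname, nxt):
    """Longest ancestor of qname shared with either end of the covering NXT."""
    kq, best = canonical_key(qname), ()
    for other in nxt:
        ko, n = canonical_key(other), 0
        while n < min(len(kq), len(ko)) and kq[n] == ko[n]:
            n += 1
        best = max(best, kq[:n], key=len)
    return best

def check_name_error_proof(qname, nxt_records):
    """Report whether the NXT set proves (1) qname does not exist and (2) no
    wildcard could have synthesised it; a complete proof needs both."""
    covering = [n for n in nxt_records if nxt_covers(n, qname)]
    if not covering:
        return {"name": False, "wildcard": False, "wildcard_name": None}
    labels = closest_encloser(qname, covering[0]) + (b"*",)
    wildcard = ".".join(l.decode() for l in reversed(labels)) + "."
    return {
        "name": True,
        "wildcard": any(nxt_covers(n, wildcard) for n in nxt_records),
        "wildcard_name": wildcard,
    }

# Constructed NXT chain for example.com. holding only the names a and z.
SAMPLE_NXT = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "z.example.com."),
    ("z.example.com.", "example.com."),
]
```

Run `check_name_error_proof("m.example.com.", SAMPLE_NXT)` to see both parts proven; passing only `SAMPLE_NXT[1:2]` covers the name but leaves the wildcard unproven, which is the response the notes say BIND9 currently accepts.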

Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work in all cases.

Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if

Secure dynamic update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.

$Id: dnssec,v 1.2 2000/05/23 16:41:25 gson Exp $