dnssec revision dde525678a94746d4ffefd156a98dc20c96c2b3a
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
the OpenSSL library. As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl". If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
specified.

Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
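As an added illustration (not BIND code), here is a small Python model of the RFC 2535 NXT nonexistence proof; the check_wildcard flag switches between the incomplete proof described above (a covering NXT for the query name alone is accepted) and the full proof that also requires an NXT covering *.<closest encloser>. The zone contents, names and the closest-encloser derivation are constructed assumptions for the example.

```python
from typing import List, Tuple

def labels(name: str) -> List[bytes]:
    """Split an absolute name into labels, root-most first, lowercased."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in reversed(name.split("."))] if name else []

def canonical_cmp(a: str, b: str) -> int:
    """RFC 2535 canonical order, label by label from the root (b'*' < b'a')."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nxt_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the NXT at owner (next name nxt) proves qname does not exist."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, nxt) < 0
    # last NXT in the zone wraps around to the apex
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, nxt) < 0

def common_ancestor(a: str, b: str) -> str:
    """Longest shared ancestor of two names (assumed closest-encloser rule)."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(la[:n])) + "."

def validate_nxdomain(qname: str, nxts: List[Tuple[str, str]],
                      check_wildcard: bool) -> bool:
    """Model of a 'name does not exist' proof from the NXT records in a response.
    check_wildcard=False accepts a covering NXT for qname on its own;
    check_wildcard=True also demands an NXT covering *.<closest encloser>."""
    covering = [(o, n) for o, n in nxts if nxt_covers(o, n, qname)]
    if not covering:
        return False
    if not check_wildcard:
        return True
    owner, nxt = covering[0]
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda name: len(labels(name)))
    wildcard = "*." + ce.lstrip(".")
    return any(nxt_covers(o, n, wildcard) for o, n in nxts)

# Constructed zone "example." holding only a.example. and z.example.
NXT_CHAIN = [("example.", "a.example."), ("a.example.", "z.example."),
             ("z.example.", "example.")]
```

With only the ("a.example.", "z.example.") NXT in a response for m.example., the incomplete check accepts it while the full check rejects it, because nothing covers *.example.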

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.


Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.


Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.


$Id: dnssec,v 1.18 2002/08/09 02:34:07 mayer Exp $
