dnssec revision ebb48478db5a40916fb9c01c586838d05c47ab06
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes from
either /dev/random (if the OS supports it) or keyboard input. Alternatively,
a device or file containing entropy/random data can be specified.


Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
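
The following is an added example and not code from BIND9; it illustrates both the missing wildcard NXT in authoritative responses described under "Serving Secure Zones" and the validator gap described just above. It checks an RFC 2535 NXT nonexistence proof on a constructed NXT chain for a zone named "example", with the wildcard half of the proof switchable so the lenient and strict verdicts can be compared. The zone, names and the partial response are constructed for the example; empty non-terminals and NXT type bitmaps are ignored.

```python
# Added example, not BIND9 code: a minimal RFC 2535 NXT nonexistence
# check with the wildcard proof made optional, so the gap described in
# the release notes can be seen on constructed data. Names are plain
# strings; empty non-terminals and type bitmaps are ignored.


def canonical_labels(name):
    """Lowercase labels of a name, root side first (RFC 2535 section 8.3)."""
    labels = [lbl.lower() for lbl in name.strip(".").split(".") if lbl]
    return list(reversed(labels))


def canonical_cmp(a, b):
    """Compare two names in canonical order and return -1, 0 or 1.

    Labels are compared from the root outward; a proper ancestor sorts
    before its descendants."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nxt_covers(owner, next_name, name):
    """True if `name` lies strictly between an NXT owner and its next name.

    The last NXT of a zone points back to the apex, so that interval wraps."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, next_name) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, next_name) < 0


def common_ancestor(a, b):
    """Longest name that is an ancestor of, or equal to, both a and b."""
    shared = []
    for x, y in zip(canonical_labels(a), canonical_labels(b)):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared))


def nxt_proves_nonexistence(name, nxt_records, require_wildcard_proof=True):
    """Decide whether `nxt_records`, a list of (owner, next) pairs taken
    from a response, prove that `name` does not exist.

    With require_wildcard_proof=False only the NXT covering the name is
    checked, which is the lenient behaviour the notes describe. With True
    an NXT covering "*.<closest encloser>" is required as well, because
    otherwise the name might have been synthesized from a wildcard."""
    covering = [(o, n) for o, n in nxt_records if nxt_covers(o, n, name)]
    if not covering:
        return False
    if not require_wildcard_proof:
        return True
    owner, _ = covering[0]
    # The NXT owner exists, so its longest common ancestor with `name` is
    # the closest existing ancestor (closest encloser) of `name`.
    closest_encloser = common_ancestor(name, owner)
    wildcard = "*." + closest_encloser if closest_encloser else "*"
    owners = {o.strip(".").lower() for o, _ in nxt_records}
    if wildcard in owners:
        # The wildcard exists, so the answer should have been synthesized
        # from it: a nonexistence response is not valid here.
        return False
    return any(nxt_covers(o, n, wildcard) for o, n in nxt_records)


# Constructed NXT chain for a zone "example" containing a.example and
# c.example and no wildcard.
ZONE_NXT = [("example", "a.example"), ("a.example", "c.example"),
            ("c.example", "example")]

# What an authoritative server in this release returns for b.example:
# only the NXT covering the name itself (constructed).
PARTIAL_RESPONSE = [("a.example", "c.example")]


def demo():
    """Return the (lenient, strict) verdicts for the partial response."""
    return (nxt_proves_nonexistence("b.example", PARTIAL_RESPONSE, False),
            nxt_proves_nonexistence("b.example", PARTIAL_RESPONSE, True))


if __name__ == "__main__":
    print("partial response: lenient=%s strict=%s" % demo())
    print("full chain, strict:", nxt_proves_nonexistence("b.example", ZONE_NXT))
```

The partial response passes the lenient check and fails the strict one; with the whole chain present, the NXT from the apex to a.example covers *.example (the label "*" sorts before "a"), so the strict check passes too.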

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.

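
The following is an added example, not BIND9 code, covering the two query bits these notes mention: the DO flag that makes an authoritative server include KEY, SIG and NXT records ("Serving Secure Zones") and the CD bit that turns validation off for a recursive query. It assembles a query with an EDNS0 OPT record on the wire and reads the bits back the way a server would before deciding what to include and whether to validate. The query name example.com, the message id and the UDP payload size are constructed values; the name decoder assumes uncompressed names, which is all a query contains.

```python
# Added example, not BIND9 code: build a DNS query carrying the EDNS0 OPT
# pseudo-RR with the DO bit, and decode the DO and CD bits from it.
import struct

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
FLAG_RD = 0x0100        # header flags: recursion desired
FLAG_CD = 0x0010        # header flags: checking disabled
EDNS_DO = 0x8000        # high bit of the 16-bit Z field in the OPT TTL


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed name at offset; return (name, new_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qname, qtype=TYPE_A, edns=True, dnssec_ok=True,
                checking_disabled=False, udp_payload=4096, msg_id=0x1234):
    """Assemble a query: CD lives in the header, DO in the OPT TTL."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # OPT pseudo-RR: root owner name, type 41, class = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO | Z(15), RDLENGTH 0.
        ttl = EDNS_DO if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def parse_query_flags(packet):
    """Decode header bits, the question and any OPT record of a query."""
    msg_id, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname, offset = decode_name(packet, offset)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    info = {"id": msg_id, "rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD),
            "qname": qname, "qtype": qtype, "has_opt": False, "do": False}
    # A query has empty answer and authority sections, so the additional
    # section's arcount records follow the question directly.
    for _ in range(arcount):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == TYPE_OPT and name == ".":
            info["has_opt"] = True
            info["do"] = bool(ttl & EDNS_DO)
            info["udp_payload"] = rclass
    return info


def server_behaviour(packet):
    """What the notes say the server does with these bits: DNSSEC records
    go into the response only when DO is set; a recursive query with CD
    set is answered without validation."""
    q = parse_query_flags(packet)
    return {"include_dnssec_records": q["do"],
            "attempt_validation": q["rd"] and not q["cd"]}


if __name__ == "__main__":
    for cd in (False, True):
        pkt = build_query("example.com.", checking_disabled=cd)
        print(parse_query_flags(pkt), server_behaviour(pkt))
```

A query without the OPT record cannot carry DO at all, which is why a resolver that wants SIG and NXT records must speak EDNS0; the decoder reports that case as has_opt False and do False.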

Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.


Performance of Cryptographic Operations

The cryptographic primitives used by the BIND 9 DNSSEC implementation
are based on the OpenSSL library. A version of that library is
integrated into the distribution, but for portability reasons this
version does not make use of any platform-specific assembly language
routines.

On many platforms, particularly i386 and SPARC, a significant
improvement in signing and verification speed can be achieved by
linking BIND 9 with a separate OpenSSL library that uses hand-optimized
assembly language routines. To do this, you need to install OpenSSL
version 0.9.5a or newer separately from the BIND 9 tree prior to
building BIND 9, using the default openssl configuration settings
which will cause it to be built with assembly language routines. Then
specify the "--with-openssl" option to the BIND 9 configure script
to make BIND 9 link against the system openssl library rather than its
own. For example, if openssl was installed under /usr/local, use
"configure --with-openssl=/usr/local".

$Id: dnssec,v 1.11 2001/02/05 20:15:28 bwelling Exp $