68N/ACopyright (C) 2000 Internet Software Consortium.

68N/ASee COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

68N/A

68N/ADNSSEC Release Notes

68N/A

68N/AThis document summarizes the state of the DNSSEC implementation in

68N/Athis release of BIND9.

68N/A

68N/A

68N/AKey generation and signing

68N/A

68N/AThe tools for generating DNSSEC keys and signatures are now in the

68N/Abin/dnssec directory. Documentation for these programs can be found

68N/Ain doc/arm/Bv9ARM.4.html.

68N/A

68N/AThe random data used in generating DNSSEC keys and signatures comes from

68N/A/dev/random if the OS supports that. Otherwise, the DNSSEC tools must

68N/Abe fed a file containing entropy/random data. Future releases will allow

68N/Aentropy to be entered manually from the keyboard.

68N/A

75N/A

75N/AServing secure zones

68N/A

68N/AWhen acting as an authoritative name server, BIND9 includes KEY, SIG

68N/Aand NXT records in responses as specified in RFC2535.

68N/A

68N/AResponse generation for wildcard records in secure zones is not fully

68N/Asupported. Responses indicating the nonexistence of a name include a

68N/ANXT record proving the nonexistence of the name itself, but do not

68N/Ainclude any NXT records to prove the nonexistence of a matching

68N/Awildcard record. Positive responses resulting from wildcard expansion

68N/Ado not include the NXT records to prove the nonexistence of a

75N/Anon-wildcard match or a more specific wildcard match.

68N/A

68N/A

68N/ASecure resolution

68N/A

68N/ABasic support for validation of DNSSEC signatures in responses has

68N/Abeen implemented but should still be considered experimental.

68N/A

68N/AWhen acting as a caching name server, BIND9 is capable of performing

68N/Abasic DNSSEC validation of positive as well as nonexistence responses.

68N/AThis functionality is enabled by including a "trusted-keys" clause

68N/Ain the configuration file, containing the top-level zone key of the

68N/Athe DNSSEC tree.

83N/A

83N/AValidation of wildcard responses is not currently supported. In

83N/Aparticular, a "name does not exist" response will validate

68N/Asuccessfully even if it does not contain the NXT records to prove the

68N/Anonexistence of a matching wildcard.

68N/A

Proof of insecure status for insecure zones delegated from secure

zones has been partially implemented but should not yet be expected to

work in all cases.

Handling of the CD bit in queries is not yet fully implemented;

validation is currently attempted for all recursive queries, even if

CD is set.

Secure dynamic update

Dynamic update of secure zones has been implemented, but may not be

complete. Affected NXT and SIG records are updated by the server when

an update occurs. Advanced access control is possible using the

"update-policy" statement in the zone definition.

$Id: dnssec,v 1.4 2000/06/22 00:14:36 tale Exp $