2N/ACopyright (C) 2000 Internet Software Consortium.
2N/AThis document summarizes the state of the DNSSEC implementation in
2N/Athis release of BIND9.
2N/AKey generation and signing
2N/AThe tools for generating DNSSEC keys and signatures are now in the
2N/Abin/dnssec directory. Documentation for these programs can be found
2N/AThe random data used in generating DNSSEC keys and signatures comes from
2N/Aeither
/dev/random (if the OS supports it) or keyboard input. Alternatively,
2N/AWhen acting as an authoritative name server, BIND9 includes KEY, SIG
2N/Aand NXT records in responses as specified in RFC2535.
2N/AResponse generation for wildcard records in secure zones is not fully
2N/Asupported. Responses indicating the nonexistence of a name include a
2N/ANXT record proving the nonexistence of the name itself, but do not
2N/Ainclude any NXT records to prove the nonexistence of a matching
2N/Awildcard record. Positive responses resulting from wildcard expansion
2N/Ado not include the NXT records to prove the nonexistence of a
2N/Anon-wildcard match or a more specific wildcard match.
2N/ABasic support for validation of DNSSEC signatures in responses has
2N/Abeen implemented but should still be considered experimental.
2N/AWhen acting as a caching name server, BIND9 is capable of performing
2N/Abasic DNSSEC validation of positive as well as nonexistence responses.
2N/AThis functionality is enabled by including a "trusted-keys" clause
2N/Ain the configuration file, containing the top-level zone key of the
2N/AValidation of wildcard responses is not currently supported. In
2N/Aparticular, a "name does not exist" response will validate
2N/Asuccessfully even if it does not contain the NXT records to prove the
2N/Anonexistence of a matching wildcard.
2N/AProof of insecure status for insecure zones delegated from secure
2N/Azones works when the zones are completely insecure. Privately
2N/Asecured zones delegated from secure zones will not work in all cases,
2N/Asuch as when the privately secured zone is served by the same server
2N/Aas an ancestor (but not parent) zone.
2N/AHandling of the CD bit in queries is not yet fully implemented;
2N/Avalidation is currently attempted for all recursive queries, even if
Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
$Id: dnssec,v 1.6 2000/07/14 00:03:54 bwelling Exp $