dnssec revision 95b6b97ae0942ceb8244693c3d68d2b396af9960
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes from
either /dev/random (if the OS supports it) or keyboard input. Alternatively,
a device or file containing entropy/random data can be specified.


Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
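The wildcard gap described here and under "Serving Secure Zones" above, as an added example that is not part of these notes or of BIND's code: a small Python model of an NXT chain, with an authoritative side that builds either the partial NXDOMAIN proof the notes describe (only the NXT covering the name) or the full one (plus the NXT covering "*.<closest encloser>"), and a validator that can run in the lenient mode the notes describe or with the wildcard check. The zone is modelled as a list of owner names, the sample zones and all function names are constructed for the example, and signature verification is left out.

```python
"""Added example, not code from BIND: NXT-based nonexistence proofs and
why an NXDOMAIN proof that omits the wildcard NXT is incomplete. A zone
is the list of owner names it contains (constructed sample data; empty
non-terminals would have to be listed explicitly)."""
from typing import List, Optional, Tuple

NXT = Tuple[str, str]  # (owner name, next owner name), both absolute


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 2535 canonical order: labels compared from the root downward,
    case-insensitively, as byte strings, so '*' sorts before letters."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def covers(nxt: NXT, name: str) -> bool:
    """True if name sorts strictly between the NXT owner and its next name.
    The last NXT of a zone points back to the apex, so it covers every
    name sorting after its owner."""
    owner, following = canonical_key(nxt[0]), canonical_key(nxt[1])
    q = canonical_key(name)
    if following <= owner:              # wrap-around NXT at the end of the zone
        return q > owner or q < following
    return owner < q < following


def nxt_chain(zone_names: List[str]) -> List[NXT]:
    """The closed NXT chain an authoritative server signs for the zone."""
    ordered = sorted(set(zone_names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def covering_nxt(nxts: List[NXT], name: str) -> Optional[NXT]:
    """The NXT proving name absent, or None if nothing in the list covers
    it (for a complete chain that means the name exists)."""
    return next((nxt for nxt in nxts if covers(nxt, name)), None)


def closest_encloser(qname: str, existing: str) -> str:
    """Longest common ancestor of qname and an existing name; used with
    the owner of the NXT covering qname, it is qname's closest encloser."""
    q, e = canonical_key(qname), canonical_key(existing)
    common = 0
    while common < min(len(q), len(e)) and q[common] == e[common]:
        common += 1
    return ".".join(label.decode() for label in reversed(q[:common])) + "."


def wildcard_at(encloser: str) -> str:
    """The wildcard name directly below an encloser ('*.' for the root)."""
    return "*." + encloser.lstrip(".")


def build_nxdomain_proof(zone_names: List[str], qname: str,
                         prove_wildcard: bool) -> Optional[List[NXT]]:
    """Authoritative side. prove_wildcard=False reproduces the behaviour in
    the notes: only the NXT covering qname is returned. With True, the NXT
    covering the wildcard at the closest encloser is added; None means an
    NXDOMAIN answer is wrong (qname exists, or a wildcard should expand)."""
    chain = nxt_chain(zone_names)
    name_nxt = covering_nxt(chain, qname)
    if name_nxt is None:
        return None
    if not prove_wildcard:
        return [name_nxt]
    wild_nxt = covering_nxt(chain, wildcard_at(closest_encloser(qname, name_nxt[0])))
    if wild_nxt is None:
        return None
    return [name_nxt] if wild_nxt == name_nxt else [name_nxt, wild_nxt]


def validate_nxdomain(qname: str, nxts: List[NXT], check_wildcard: bool) -> bool:
    """Resolver side (signature checks omitted). check_wildcard=False is the
    validation the notes describe: the qname NXT alone is accepted."""
    name_nxt = covering_nxt(nxts, qname)
    if name_nxt is None:
        return False
    if not check_wildcard:
        return True
    return covering_nxt(nxts, wildcard_at(closest_encloser(qname, name_nxt[0]))) is not None


# Constructed sample zones; the second should answer b.example.com. from
# its wildcard, so an NXDOMAIN response for that name is wrong.
PLAIN_ZONE = ["example.com.", "a.example.com.", "c.example.com."]
WILDCARD_ZONE = PLAIN_ZONE + ["*.example.com."]

if __name__ == "__main__":
    partial = build_nxdomain_proof(WILDCARD_ZONE, "b.example.com.", False)
    print("NXT only:", partial,
          "lenient:", validate_nxdomain("b.example.com.", partial, False),
          "strict:", validate_nxdomain("b.example.com.", partial, True))
    full = build_nxdomain_proof(PLAIN_ZONE, "b.example.com.", True)
    print("full proof:", full, "strict:", validate_nxdomain("b.example.com.", full, True))
```

Run against the wildcard zone, the partial proof is accepted by the lenient validator and rejected by the strict one, which is the case the notes warn about: the NXT for a.example.com. is genuine, but nothing in the response shows that *.example.com. does not exist, and in that zone it does.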

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.


Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.

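Which NXT records (and therefore which SIG records) a server has to regenerate after a dynamic update, as an added example that is not part of these notes or of BIND's code: the NXT chain is computed before and after the update and the two are diffed. The zone model, the sample zone and the function names are constructed for the example.

```python
"""Added example, not BIND's code: the NXT records (and their SIGs) that
must be rewritten after a dynamic update adds or deletes names. The zone
is modelled as the list of owner names it contains (constructed data)."""
from typing import Dict, Iterable, List, Set, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 2535 canonical order: root-first labels, case-insensitive."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def nxt_chain(zone_names: Iterable[str]) -> Dict[str, str]:
    """Map each owner name to the next name carried in its NXT record."""
    ordered = sorted(set(zone_names), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)]
            for i in range(len(ordered))}


def nxt_changes_after_update(zone_names: List[str], added: Iterable[str],
                             deleted: Iterable[str]) -> Dict[str, Set[str]]:
    """Diff the NXT chain before and after the update.
    'resign': owners whose NXT is new or whose next name changed; these
              NXT records and their SIG records must be rewritten.
    'remove': owners that no longer exist; their NXT and SIG are dropped.
    Every other NXT keeps its existing signature."""
    before = nxt_chain(zone_names)
    after = nxt_chain((set(zone_names) | set(added)) - set(deleted))
    resign = {owner for owner, following in after.items()
              if before.get(owner) != following}
    remove = set(before) - set(after)
    return {"resign": resign, "remove": remove}


# Constructed sample zone: apex plus two hosts.
ZONE = ["example.com.", "a.example.com.", "c.example.com."]

if __name__ == "__main__":
    # Adding b.example.com. creates its NXT and re-points the one on
    # a.example.com.; deleting a.example.com. re-points the apex NXT.
    print(nxt_changes_after_update(ZONE, added=["b.example.com."], deleted=[]))
    print(nxt_changes_after_update(ZONE, added=[], deleted=["a.example.com."]))
```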

Performance of Cryptographic Operations

The cryptographic primitives used by the BIND 9 DNSSEC implementation
are based on the OpenSSL library. A version of that library is
integrated into the distribution, but for portability reasons this
version does not make use of any platform-specific assembly language
routines.

On many platforms, particularly i386 and SPARC, a significant
improvement in signing and verification speed can be achieved by linking
BIND 9 with a separate OpenSSL library that uses hand-optimized
assembly language routines. To do this, you need to install OpenSSL
version 0.9.5a or newer separately from the BIND 9 tree prior to
building BIND 9, using the default openssl configuration settings,
which will cause it to be built with assembly language routines. Then
specify the "--with-openssl" option to the BIND 9 configure script
to make BIND 9 link against the system openssl library rather than its
own. For example, if openssl was installed under /usr/local, use
"configure --with-openssl=/usr/local".


$Id: dnssec,v 1.8 2000/08/03 18:53:53 gson Exp $
