dnssec revision c54c1eaf26d5a7fc123c4af3712353156a766df1
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.5a or newer of
the OpenSSL library. As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl". If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
specified.


Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

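The shape of such a clause, shown here as an added illustration rather than a fragment from the BIND distribution: each entry gives the owner name of the trusted apex, then the flags, protocol and algorithm fields of its KEY record, then the base64 public key. The key material is a placeholder, and the values 256 (zone key), 3 (DNSSEC protocol) and 3 (DSA) are assumed for the example.

```conf
trusted-keys {
    /* owner name, flags, protocol, algorithm, base64 public key
       (256 = zone key, 3 = DNSSEC protocol, 3 = DSA; assumed for illustration) */
    "." 256 3 3 "<PLACEHOLDER: base64 public key of the trusted apex's KEY record>";
};
```

The name shown is the apex the resolver is told to trust; in a deployment it is whichever zone sits at the top of the signed tree being validated.
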
Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.

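To make the two query bits these notes refer to concrete (the DO flag that gates KEY/SIG/NXT records in "Serving Secure Zones" above, and the CD flag that suppresses validation here), the following Python is an added example and not BIND source: it builds a query carrying the header RD/CD flags and the EDNS0 DO bit, then reads them back the way a server would before deciding what to include or whether to validate. The message ID 0x1234, the UDP payload size and the decision helper are this example's own assumptions.

```python
import struct

TYPE_OPT = 41       # EDNS0 OPT pseudo-RR type
FLAG_RD = 0x0100    # header flag: Recursion Desired
FLAG_CD = 0x0010    # header flag: Checking Disabled (RFC 2535)
EDNS_DO = 0x8000    # DNSSEC OK: bit 15 of the OPT RR's 32-bit TTL field (RFC 3225)

def encode_name(name):  # length-prefixed labels, no compression
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, rd=True, cd=False, do=False, udp_size=4096):
    """Constructed query (ID 0x1234 is arbitrary); an OPT RR is appended only when DO is wanted."""
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if do:  # OPT: root owner, TYPE=41, CLASS=UDP payload size, TTL carries DO, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg

def skip_name(msg, pos):  # offset just past the name at pos; a compression pointer ends a name
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def parse_query(msg):
    """Read RD and CD from the header and DO from the OPT RR (False if no OPT is present)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    do = False
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD), "do": do}

def server_behaviour(msg):
    """The two decisions the notes describe: DNSSEC records only if DO; no validation if CD."""
    q = parse_query(msg)
    return {"include_dnssec_records": q["do"],
            "attempt_validation": q["rd"] and not q["cd"]}
```

A query without an OPT RR therefore never gets KEY/SIG/NXT records back, and a recursive query with CD set is answered without validation regardless of DO.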

Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.


Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.


$Id: dnssec,v 1.17 2002/07/19 03:50:42 marka Exp $
