dnssec revision e4946c508eb331c28ce1f2b05c7e2adfe73fe701

Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.
OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.5a or newer of
the OpenSSL library. As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl". If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".
Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.
Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
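
As an added example (not BIND code), the checker below shows what the
incomplete negative proofs described under "Serving Secure Zones" and in
the paragraph above are missing: given the NXT records of a name-error
response, it reports whether they cover both the queried name and the
wildcard at its closest encloser. It assumes RFC 2535 section 8.1
canonical ordering and derives the closest encloser from the covering
NXT's owner and next names; the zone and records are constructed.

```python
# Added example, not BIND code: a checker for RFC 2535 name-error proofs.
# Names are absolute dotted strings; NXT records are (owner, next) pairs.

def canon_labels(name):
    """Labels of NAME from the root downwards, lower-cased (RFC 2535 section 8.1)."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab][::-1]

def canon_cmp(a, b):
    """Canonical ordering: -1, 0 or 1, comparing label by label from the root."""
    la, lb = canon_labels(a), canon_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nxt_covers(owner, nxt, name):
    """True if NAME sorts strictly between OWNER and NXT (last NXT wraps to the apex)."""
    if canon_cmp(owner, nxt) < 0:
        return canon_cmp(owner, name) < 0 and canon_cmp(name, nxt) < 0
    return canon_cmp(owner, name) < 0 or canon_cmp(name, nxt) < 0

def common_ancestor(a, b):
    """Longest name that is an ancestor of, or equal to, both A and B."""
    common = []
    for x, y in zip(canon_labels(a), canon_labels(b)):
        if x != y:
            break
        common.append(x)
    return ".".join(reversed(common)) + "."

def name_error_proof(qname, nxt_records):
    """Return (qname_covered, wildcard_covered) for a name-error response.

    The closest encloser is the longer common ancestor of QNAME with the
    covering NXT's owner or next name, both of which exist in the zone.
    """
    covering = [(o, n) for o, n in nxt_records if nxt_covers(o, n, qname)]
    if not covering:
        return False, False
    owner, nxt = covering[0]
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda x: len(canon_labels(x)))
    wildcard = "*." + ce.lstrip(".")
    return True, any(nxt_covers(o, n, wildcard) for o, n in nxt_records)

# Constructed zone example.com. with names example.com., a.example.com. and
# c.example.com. (no wildcard); its NXT chain wraps back to the apex.
FULL_CHAIN = [("example.com.", "a.example.com."),
              ("a.example.com.", "c.example.com."),
              ("c.example.com.", "example.com.")]
```

A response for b.example.com. carrying only the second NXT yields
(True, False), the case the validator described above accepts; adding the
apex NXT, which covers *.example.com., yields (True, True).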
Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.
Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.

$Id: dnssec,v 1.16 2001/11/20 23:32:09 gson Exp $