Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://www.isc.org/copyright for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.

Key generation and signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html.

The random data used in generating DNSSEC keys and signatures comes from
/dev/random if the OS supports that. Otherwise, the DNSSEC tools must
be fed a file containing entropy/random data. Future releases will allow
entropy to be entered manually from the keyboard.

Serving secure zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.

Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.

Secure resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
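
The two wildcard caveats above (the authoritative side sends no NXT for
the wildcard, and the validating side does not require one) can be made
concrete with a small checker. The following Python is an added example
written for these notes, not BIND9 code: it sorts names in RFC2535
canonical order, tests whether an NXT record covers a name, and then
checks a "name does not exist" response both the way this release does
(only the NXT covering the name) and the stricter way (also an NXT
covering the wildcard at the closest encloser). The zone names and NXT
records are constructed; the closest-encloser derivation (longest common
ancestor of the queried name with the covering NXT's owner or next name)
is an assumption of this example rather than anything in the notes, and
verification of the SIG records over the NXTs, which a real validator
must do before trusting them, is left out.

```python
"""Checker for an RFC2535 NXT nonexistence proof.  Added example for these
release notes, not BIND9 code.  It checks the part this release produces
(an NXT covering the queried name) and the part it does not (an NXT
covering the wildcard at the closest encloser)."""
from typing import List, Tuple

NxtRecord = Tuple[str, str]  # (owner name, next name), both absolute


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Key that sorts names in RFC2535 canonical order: labels are compared
    from the rightmost one, case-insensitively, and a name sorts before every
    name below it because a missing label is less than any present label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nxt_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NXT record owner -> next_name proves that qname does not
    exist, i.e. qname sorts strictly between them.  The last NXT of a zone
    points back to the apex, so its span wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wraparound span of the zone's last NXT


def common_ancestor(a: str, b: str) -> str:
    """Longest name that is an ancestor of (or equal to) both a and b."""
    ka, kb = canonical_key(a), canonical_key(b)
    shared = 0
    while shared < min(len(ka), len(kb)) and ka[shared] == kb[shared]:
        shared += 1
    labels = [label.decode("ascii") for label in reversed(ka[:shared])]
    return ".".join(labels) + "." if labels else "."


def closest_encloser(qname: str, covering: NxtRecord) -> str:
    """Longest existing ancestor of qname.  Assumption of this example: names
    below the closest encloser form one contiguous run in canonical order, so
    the NXT covering qname has its owner or its next name inside that run."""
    owner, next_name = covering
    candidates = (common_ancestor(qname, owner), common_ancestor(qname, next_name))
    return max(candidates, key=lambda n: len(canonical_key(n)))


def check_nonexistence(qname: str, nxts: List[NxtRecord],
                       require_wildcard_proof: bool = True) -> dict:
    """Validate a 'name does not exist' response for qname carrying the NXT
    records in nxts.  With require_wildcard_proof=False the check stops where
    this release's validator stops: at the NXT covering qname itself."""
    covering = [r for r in nxts if nxt_covers(r[0], r[1], qname)]
    report = {"name_proven": bool(covering), "wildcard": None,
              "wildcard_exists": False, "wildcard_proven": False, "valid": False}
    if not covering:
        return report
    wildcard = "*." + closest_encloser(qname, covering[0]).lstrip(".")
    report["wildcard"] = wildcard
    wkey = canonical_key(wildcard)
    # If the wildcard is itself an NXT owner it exists, so a negative answer
    # is wrong: the server should have synthesized a positive answer from it.
    report["wildcard_exists"] = any(canonical_key(o) == wkey for o, _ in nxts)
    report["wildcard_proven"] = any(nxt_covers(o, n, wildcard) for o, n in nxts)
    if report["wildcard_exists"]:
        report["valid"] = False
    elif require_wildcard_proof:
        report["valid"] = report["wildcard_proven"]
    else:
        report["valid"] = True
    return report


# Constructed zone example.com. holding example.com., a.example.com. and
# c.example.com.; its NXT chain in canonical order, ending back at the apex.
CHAIN = [("example.com.", "a.example.com."),
         ("a.example.com.", "c.example.com."),
         ("c.example.com.", "example.com.")]

if __name__ == "__main__":
    # What this release sends for b.example.com.: only the NXT covering it.
    partial = [CHAIN[1]]
    print(check_nonexistence("b.example.com.", partial, require_wildcard_proof=False))
    print(check_nonexistence("b.example.com.", partial))
    # A complete proof also covers *.example.com., which sorts between the
    # apex and a.example.com. because '*' (0x2a) is below 'a' (0x61).
    print(check_nonexistence("b.example.com.", [CHAIN[0], CHAIN[1]]))
```

Run as a script, the first call reports the partial response as valid (the
behaviour described above for this release), the second rejects it because
no NXT covers *.example.com., and the third accepts the two-record proof.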

Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work in all cases.

Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if
CD is set.

Secure dynamic update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.

$Id: dnssec,v 1.4 2000/06/22 00:14:36 tale Exp $