From 1b855974958ebca91882c4b59f66c48dd5784b87 Mon Sep 17 00:00:00 2001 From: Andreas Gustafsson Date: Tue, 23 May 2000 14:34:49 +0000 Subject: [PATCH] added DNSSEC release notes --- doc/misc/dnssec | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 doc/misc/dnssec diff --git a/doc/misc/dnssec b/doc/misc/dnssec new file mode 100644 index 0000000000..29cabe32c9 --- /dev/null +++ b/doc/misc/dnssec 
@@ -0,0 +1,62 @@ + + + +DNSSEC Release Notes + + + +This document summarizes the state of the DNSSEC implementation in +this release of BIND9. + + +Key generation and signing + +The tools for generating DNSSEC keys and signatures are now in the +bin/dnssec directory. Documentation for these programs can be found +in doc/arm/Bv9ARM.4.html. + +The random data used in generating DNSSEC keys and signatures +currently contains a significant pseudo-random component and is +therefore not cryptographically strong. We do not recommend that keys +generated by the key generation tools in this distribution be used in +production. + + +Serving secure zones + +When acting as an authoritative name server, BIND9 includes KEY, SIG +and NXT records in responses as specified in RFC2535. + +Response generation for wildcard records in secure zones is not fully +supported. Responses indicating the nonexistence of a name include a +NXT record proving the nonexistence of the name itself, but do not +include any NXT records to prove the nonexistence of a matching +wildcard record. Positive responses resulting from wildcard expansion +do not include the NXT records to prove the nonexistence of a more +specific wildcard match. + + +Secure resolution + +Basic support for validation of DNSSEC signatures in responses has +been implemented but should still be considered experimental. + +When acting as a caching name server, BIND9 is capable of performing +basic DNSSEC validation of positive as well as nonexistence responses. +This functionality is enabled by including a "trusted-keys" clause +in the configuration file. + +Validation of wildcard responses is not currently supported. In +particular, a "name does not exist" response will validate +successfully even if it does not contain the NXT records to prove the +nonexistence of a matching wildcard. + +Proof of insecure status for insecure zones delegated from secure +zones has been partially implemented but should not yet be expected to +work. 
+ +Handling of the CD bit in queries is not yet fully implemented; +validation is currently attempted for all recursive queries, even if +CD is set. + +$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $
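Review bot: The "Secure resolution" paragraph on wildcard validation ("a 'name does not exist' response will validate successfully even if it does not contain the NXT records to prove the nonexistence of a matching wildcard") describes a missing check whose consequence the notes leave implicit; since the resolver marks such a response as validated, a negative answer for any name that a wildcard in that zone would otherwise match is accepted as proven even when the proof is incomplete, and the notes should say so in those terms rather than only "not currently supported", so that operators enabling "trusted-keys" understand what the experimental validator does and does not guarantee. Two further points in the same hunk: the CD-bit paragraph says validation "is currently attempted for all recursive queries, even if CD is set" but not what happens to the answer when that validation fails for a CD query, which is the case a client doing its own validation cares about; and the three leading "+" blank lines ahead of the "DNSSEC Release Notes" title can be dropped.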