mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

added DNSSEC release notes

Browse Source
This commit is contained in:
Andreas Gustafsson
2000-05-23 14:34:49 +00:00
parent 9d7c5c2c31
commit 1b85597495
1 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
doc/misc/dnssec Normal file
View File

@@ -0,0 +1,62 @@
DNSSEC Release Notes
This document summarizes the state of the DNSSEC implementation in
this release of BIND9.
Key generation and signing
The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html.
The random data used in generating DNSSEC keys and signatures
currently contains a significant pseudo-random component and is
therefore not cryptographically strong. We do not recommend that keys
generated by the key generation tools in this distribution be used in
production.
Serving secure zones
When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535.
Response generation for wildcard records in secure zones is not fully
supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a more
specific wildcard match.
Secure resolution
Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file.
Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.
Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work.
Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if
CD is set.
$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $