dnssec revision 234010
Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2002 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND9.


OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
the OpenSSL library. As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl". If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory. Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
specified.


Serving Secure Zones

When acting as an authoritative name server, BIND9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of
the DNSSEC tree.

Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure. Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented. Validation
is not attempted for recursive queries if CD is set.


Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
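The two query bits these notes refer to live in different places on the wire: DO is the top flag bit of the EDNS0 OPT pseudo-RR's TTL field, while CD is a header flag. The following Python is an added example, not part of these release notes or of BIND9's own code; it builds a constructed sample query (arbitrary message ID 0x1234) and parses both bits back out, which is what an operator would do over captured queries to see which clients ask for KEY/SIG/NXT data or disable validation.

```python
import struct

TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type
FLAG_RD = 0x0100     # header flag: Recursion Desired
FLAG_CD = 0x0010     # header flag: Checking Disabled
OPT_DO = 0x8000      # OPT RR TTL field: DNSSEC OK (top bit of the 16-bit flags)

def encode_name(name):
    # "example.com." -> wire-format labels ending with the root (zero-length) label
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype=1, cd=False, do=False, udp_size=4096):
    # Constructed sample query (not captured traffic): one question plus, when
    # do=True, an OPT RR in the additional section.  Message ID 0x1234 is arbitrary.
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS IN
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, OPT_DO, 0)
    return msg

def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer ends the name in 2 bytes
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def dnssec_flags(msg):
    # Return (cd, do): CD from the header, DO from an OPT RR in any section
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & OPT_DO:
            do = True
        off += 10 + rdlen
    return bool(flags & FLAG_CD), do
```

A query with DO clear gets no KEY/SIG/NXT records from the authoritative side, and one with CD set is answered by the recursive side without validation, so both bits are worth logging on a resolver.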


Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.


$Id: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $