
Member "bind-9.11.23/doc/misc/dnssec" (7 Sep 2020, 2978 Bytes) of package /linux/misc/dns/bind9/9.11.23/bind-9.11.23.tar.gz:



Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

DNSSEC Release Notes

This document summarizes the state of the DNSSEC implementation in
this release of BIND 9.


OpenSSL Library Required

To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
the OpenSSL library.  As of BIND 9.2, the library is no longer
included in the distribution - it must be provided by the operating
system or installed separately.

To build BIND 9 with OpenSSL, use "configure --with-openssl".  If
the OpenSSL library is installed in a nonstandard location, you can
specify a path as in "configure --with-openssl=/var".


Key Generation and Signing

The tools for generating DNSSEC keys and signatures are now in the
bin/dnssec directory.  Documentation for these programs can be found
in doc/arm/Bv9ARM.4.html and the man pages.

The random data used in generating DNSSEC keys and signatures comes
from either /dev/random (if the OS supports it) or keyboard input.
Alternatively, a device or file containing entropy/random data can be
specified.

Serving Secure Zones

When acting as an authoritative name server, BIND 9 includes KEY, SIG
and NXT records in responses as specified in RFC2535 when the request
has the DO flag set in the query.


Secure Resolution

Basic support for validation of DNSSEC signatures in responses has
been implemented but should still be considered experimental.

When acting as a caching name server, BIND 9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file, containing the top-level zone key of the
DNSSEC tree.
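The "trusted-keys" clause has to be filled in by hand from a DNSKEY record, typically the public half written by the key-generation tools above into their K<name>+<alg>+<tag>.key file. The following is an added example (not BIND code) that parses such a record, computes its RFC 4034 key tag, checks that it is a zone key with the SEP bit set before it is trusted as an anchor, and emits the clause. The sample record and its four-byte key material are constructed placeholders, not a real key.

```python
"""Turn a DNSKEY record into a named.conf "trusted-keys" clause, after checking
it looks like a zone's key-signing key and computing its RFC 4034 key tag.

Added example, not part of BIND.  The record below is constructed and its key
material is a four-byte placeholder, not a real public key."""
import base64

# Constructed sample in the one-record format dnssec-keygen writes to its
# K<name>+<alg>+<tag>.key file: a comment line, then the DNSKEY RR.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 2063, for example.
example. IN DNSKEY 257 3 8 AQIDBA==
"""

ZONE_KEY_FLAG = 0x0100   # RFC 4034 flags bit 7: this key is a zone key (value 256)
SEP_FLAG = 0x0001        # RFC 4034 flags bit 15: Secure Entry Point, set on KSKs


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, key_bytes) from DNSKEY RR text.

    ';' comment lines are skipped, an optional TTL/class before the type is
    tolerated, and base64 split across whitespace (as dig prints it) is joined.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "DNSKEY" not in fields:
            raise ValueError("not a DNSKEY record: %r" % line)
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, proto, alg, key
    raise ValueError("no DNSKEY record found")


def key_tag(flags, proto, alg, key):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): the RDATA summed as
    big-endian 16-bit words, with the carry folded back into the low 16 bits."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def anchor_warnings(flags, proto):
    """Checks a trust anchor should pass before it goes into named.conf."""
    warnings = []
    if proto != 3:
        warnings.append("protocol field is %d, DNSSEC requires 3" % proto)
    if not flags & ZONE_KEY_FLAG:
        warnings.append("zone-key flag (256) is clear; this is not a zone key")
    if not flags & SEP_FLAG:
        warnings.append("SEP flag (1) is clear; this looks like a ZSK, anchor the KSK")
    return warnings


def trusted_keys_clause(text):
    """Format the record as a trusted-keys clause; refuse a doubtful anchor."""
    owner, flags, proto, alg, key = parse_dnskey(text)
    problems = anchor_warnings(flags, proto)
    if problems:
        raise ValueError("; ".join(problems))
    b64 = base64.b64encode(key).decode("ascii")
    return 'trusted-keys {\n    "%s" %d %d %d "%s";\n};\n' % (owner, flags, proto, alg, b64)


if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(SAMPLE_KEY_FILE)
    print("key tag:", key_tag(flags, proto, alg, key))  # 2063 for the sample
    print(trusted_keys_clause(SAMPLE_KEY_FILE), end="")
```

Comparing the computed key tag against the keyid in the comment line (or against the DS record published by the parent) is the cheap way to catch a copy-paste error in the key material before it is configured as an anchor; a wrong anchor makes every answer under it fail validation.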

Validation of wildcard responses is not currently supported.  In
particular, a "name does not exist" response will validate
successfully even if it does not contain the NXT records to prove the
nonexistence of a matching wildcard.

Proof of insecure status for insecure zones delegated from secure
zones works when the zones are completely insecure.  Privately
secured zones delegated from secure zones will not work in all cases,
such as when the privately secured zone is served by the same server
as an ancestor (but not parent) zone.

Handling of the CD bit in queries is now fully implemented.  Validation
is not attempted for recursive queries if CD is set.


Secure Dynamic Update

Dynamic update of secure zones has been implemented, but may not be
complete.  Affected NXT and SIG records are updated by the server when
an update occurs.  Advanced access control is possible using the
"update-policy" statement in the zone definition.


Secure Zone Transfers

BIND 9 does not implement the zone transfer security mechanisms of
RFC2535 section 5.6, and we have no plans to implement them in the
future as we consider them inferior to the use of TSIG or SIG(0) to
ensure the integrity of zone transfers.
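Both behaviours described on this page (DNSSEC records added only when the query has DO set, validation skipped when CD is set) hinge on two bits that live in different places in the message: CD is in the header flags word, while DO is in the EDNS0 OPT pseudo-RR. The following added example (not BIND code) builds a query with either bit set and then parses it back the way a server would, reporting what it found. The query and transaction id are constructed.

```python
"""Build a DNS query and show where the two bits this document talks about
live: the DO flag (EDNS0 OPT pseudo-RR, RFC 6891) and the CD flag (message
header).  Added example, not BIND code; the query built below is constructed."""
import struct

RD = 0x0100      # header flag: recursion desired
AD = 0x0020      # header flag: authentic data (set by a validator in responses)
CD = 0x0010      # header flag: checking disabled
OPT_TYPE = 41
DO_BIT = 0x8000  # top bit of the 16-bit EDNS flags word, carried in OPT's TTL field


def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg, off):
    """Inverse of encode_name; compression pointers are not expected in a query."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname, qtype=1, want_dnssec=True, checking_disabled=False, txid=0x1234):
    """Query for qname/qtype; DO goes into an OPT RR in the additional section,
    CD into the header flags.  txid is a constructed value, not random."""
    flags = RD | (CD if checking_disabled else 0)
    arcount = 1 if want_dnssec else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if want_dnssec:
        # OPT RR: root owner, type 41, CLASS = UDP payload size,
        # TTL = ext-rcode (8) | version (8) | DO (1) | zero (15), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return msg


def inspect_query(msg):
    """Read back the header flags and the EDNS DO bit: the inputs a server uses
    to decide whether to add DNSSEC records and whether to skip validation."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    do = False
    for _ in range(ancount + nscount + arcount):   # generic RR layout for all three sections
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & DO_BIT)
    return {"question": questions, "do": do, "cd": bool(flags & CD), "ad": bool(flags & AD)}


if __name__ == "__main__":
    for dnssec, cd in ((False, False), (True, False), (True, True)):
        print(inspect_query(build_query("example.", want_dnssec=dnssec, checking_disabled=cd)))
```

A client that wants the KEY/SIG/NXT records has to send the OPT RR with DO set; a bare query without EDNS gets a plain answer. Sending CD asks the resolver to return what it has without validating, so a client relying on the resolver to validate should leave CD clear and then check the AD bit in the response.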