DNSSEC Release Notes This document summarizes the state of the DNSSEC implementation in this release of BIND9. Key generation and signing The tools for generating DNSSEC keys and signatures are now in the bin/dnssec directory. Documentation for these programs can be found in doc/arm/Bv9ARM.4.html. The random data used in generating DNSSEC keys and signatures comes from /dev/random if the OS supports that. Otherwise, the DNSSEC tools must be fed a file containing entropy/random data. Future releases will allow entropy to be entered manually from the keyboard. Serving secure zones When acting as an authoritative name server, BIND9 includes KEY, SIG and NXT records in responses as specified in RFC2535. Response generation for wildcard records in secure zones is not fully supported. Responses indicating the nonexistence of a name include a NXT record proving the nonexistence of the name itself, but do not include any NXT records to prove the nonexistence of a matching wildcard record. Positive responses resulting from wildcard expansion do not include the NXT records to prove the nonexistence of a non-wildcard match or a more specific wildcard match. Secure resolution Basic support for validation of DNSSEC signatures in responses has been implemented but should still be considered experimental. When acting as a caching name server, BIND9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. This functionality is enabled by including a "trusted-keys" clause in the configuration file, containing the top-level zone key of the the DNSSEC tree. Validation of wildcard responses is not currently supported. In particular, a "name does not exist" response will validate successfully even if it does not contain the NXT records to prove the nonexistence of a matching wildcard. Proof of insecure status for insecure zones delegated from secure zones has been partially implemented but should not yet be expected to work in all cases. Handling of the CD bit in queries is not yet fully implemented; validation is currently attempted for all recursive queries, even if CD is set. Secure dynamic update Dynamic update of secure zones has been implemented, but may not be complete. Affected NXT and SIG records are updated by the server when an update occurs. Advanced access control is possible using the "update-policy" statement in the zone definition. $Id: dnssec,v 1.3 2000/06/14 23:03:21 bwelling Exp $