BIND 9.3.2 Release Notes (5900-1575, April 2011)

“New options to enable and disable IXFR” (page 9)
“Transition support for IPv4 and IPv6” (page 9)
“New commands in the rndc utility” (page 10)
“New option in the zone statement” (page 10)
“New command-line options” (page 10)
“Supports RFC 4193 (Unique local IPv6 unicast addresses)” (page 11)
DNSSEC implementation based on RFC 4033, 4034, and 4035
Starting with BIND 9.3.2, the Domain Name System Security Extensions (DNSSEC) feature
implements the standards specified in RFC 4033 (DNS Security Introduction and Requirements),
RFC 4034 (Resource Records for the DNS Security Extensions), and RFC 4035 (Protocol
Modifications for the DNS Security Extensions). The DNSSEC implementation provides the
following new features:
Signed Zone
A signed zone contains additional security-related resource records (RRs). Table 1 describes
the security-related records supported in BIND 9.3.2.
Table 1 Security-Related RRs in a Signed Zone

RR Type / Description

DNS Public Key (DNSKEY)
    Stores the public keys of the zone. Validators use these keys to verify the RRSIG
    records of the zone. The DNSKEY record replaces the KEY record.

Resource Record Signature (RRSIG)
    Stores the digital signature over an RRset, generated with the zone's private signing
    key.

Next Secure (NSEC)
    Enables a security-aware resolver to authenticate a negative reply (non-existence of a
    name or of a type) using the same signature mechanism that authenticates other DNS
    replies. The NSEC record replaces the NXT record.

Delegation Signer (DS)
    Published in the parent zone, holds a digest of a child zone's DNSKEY. This simplifies
    the administrative tasks involved in signing delegations across organizational
    boundaries.
New DNSSEC options in the options statement
BIND 9.3.2 provides new DNSSEC options in the options statement. Table 2 lists the new
options in the options statement of the /etc/named.conf file.
Table 2 New DNSSEC Options

Option / Description

dnssec-enable yes_or_no;
    Enables or disables DNSSEC support. If this option is set to yes, named supports the
    DNSSEC feature, including validation of answers. By default, the DNSSEC feature is not
    enabled, and no validation is performed.

dnssec-lookaside domain trust-anchor domain;
    Provides the validator with an alternate method to validate DNSKEY records at the top
    of a zone. When a DNSKEY at or below the first domain is left untrusted by normal
    validation, named appends the trust-anchor domain to the zone name and looks up a DLV
    record there to validate the key.

dnssec-must-be-secure domain yes_or_no;
    Specifies hierarchies that must be secure (signed and validated). If this option is set
    to yes, named accepts answers from the domain and below only if they validate. If this
    option is set to no, named applies the standard DNSSEC validation, in which insecure
    (unsigned) answers are also accepted.

disable-algorithms domain { algorithm; [ algorithm; ] };
    Disables the specified DNSSEC algorithms at and below the specified name. Multiple
    disable-algorithms statements are allowed; however, only the most specific one (the
    statement with the longest matching name) is applied.

sig-validity-interval number;
    Specifies the number of days after which automatically generated DNSSEC signatures
    (those produced for dynamic updates) expire. The default value is 30 days. The maximum
    is 3660 days (10 years).
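The following named.conf fragment is an added example showing the options from Table 2
used together; it is not taken from the HP-UX release notes or from ISC documentation. The
names example.com., partner.example. and dlv.example.net., the trusted-keys statement, and the
key strings are placeholders chosen for illustration and must be replaced with real trust
anchors before use.

```conf
// Added example, not from the release notes. All names and keys are placeholders.

options {
    directory "/var/named";

    // The default in BIND 9.3.2 is "no". Until this is "yes", named performs no
    // validation, so the lookaside, must-be-secure and disable-algorithms
    // options below have no effect.
    dnssec-enable yes;

    // Lookaside validation: when a DNSKEY at or below "." cannot be chained to a
    // configured trust anchor, named appends dlv.example.net. to the zone name and
    // looks for a DLV record there. The lookaside zone's own key must itself be a
    // trust anchor (see trusted-keys below).
    dnssec-lookaside . trust-anchor "dlv.example.net.";

    // Answers for partner.example. and below are accepted only if they validate.
    // With "no" (the standard behaviour) an unsigned answer would be accepted as
    // insecure; with "yes" it is treated as a validation failure.
    dnssec-must-be-secure "partner.example." yes;

    // Refuse RSA/MD5 and DSA signatures under partner.example., but only RSA/MD5
    // under internal.partner.example.: only the most specific statement applies,
    // so DSA is still accepted for the sub-domain.
    disable-algorithms "partner.example." { RSAMD5; DSA; };
    disable-algorithms "internal.partner.example." { RSAMD5; };

    // Signatures generated for dynamic updates expire after 10 days instead of
    // the 30-day default (maximum 3660).
    sig-validity-interval 10;
};

// Trust anchors. dnssec-enable alone validates nothing; named needs at least one
// trusted DNSKEY to build a chain from. The key material here is a placeholder
// (assumed, not a real key) and will be rejected at load time until replaced.
trusted-keys {
    "partner.example."  257 3 5 "AQPlaceholderKeyMaterialNotARealKey0";
    "dlv.example.net."  257 3 5 "AQPlaceholderLookasideKeyNotRealKey0";
};
```

Check the file with `named-checkconf /etc/named.conf` before reloading. Note that
dnssec-must-be-secure with "yes" turns every unsigned or mis-signed answer under the named
domain into a resolution failure, so apply it only to hierarchies known to be fully signed.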
BIND 9.3.2 features 5