BIND 9.3.2 Release Notes
(Protocol Modifications for the DNS Security Extension). The DNSSEC implementation
provides the following new features:
• Signed Zone
A signed zone contains additional security-related resource records (RRs). Table
1-1 describes the additional security-related records in BIND 9.3.2.

Table 1-1 Security-Related RRs in a Signed Zone

RR Type                            Description
DNS Public Key (DNSKEY)            Enables normal DNS resolution and stores public keys. The
                                   DNSKEY record replaces the KEY record.
Resource Record Signature (RRSIG)  Stores cryptographically generated digital signatures.
Next Secure (NSEC)                 Enables a security-aware resolver to authenticate a negative
                                   reply, for non-existence of name or type, using the same
                                   mechanism that is used to authenticate other DNS replies.
                                   The NSEC record replaces the NXT record.
Delegation Signer (DS)             Simplifies administrative tasks involved in signing
                                   delegations across organizational boundaries.
• New DNSSEC options in the options statement
BIND 9.3.2 provides new DNSSEC options in the options statement. Table 1-2 lists the
new options in the options statement located in the /etc/named.conf file.

Table 1-2 New DNSSEC Options

Option                             Description
dnssec-enable yes_or_no;           Enables or disables DNSSEC support. If this option is set
                                   to yes, named supports the DNSSEC feature. By default,
                                   the DNSSEC feature is not enabled.
dnssec-lookaside domain            Provides the validator an alternate method to validate
  trust-anchor domain;             DNSKEY records at the top of a zone.
dnssec-must-be-secure domain       Specifies hierarchies that are secure (signed and
  yes_or_no;                       validated). If this option is set to yes, named accepts
                                   answers only if they are secure. If this option is set to
                                   no, named applies the standard DNSSEC validation.
disable-algorithms domain {        Disables the specified DNSSEC algorithms at and below
  algorithm; [ algorithm; ] };     the specified name. Multiple disable-algorithms
                                   statements are allowed. However, only the most specific
                                   is applied.
sig-validity-interval number;      Specifies when the automatically generated DNSSEC
                                   signatures expire. The default value is 30 days. The
                                   maximum is 3660 days (10 years).
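The following /etc/named.conf fragment is an added example, not part of the release
notes, showing the Table 1-2 options used together in one options statement. The
domain names (corp.example.com, dlv.example.net), the choice of RSAMD5 as the
algorithm to disable, and the trusted-keys entry are assumptions for illustration;
the key data is a placeholder and must be replaced with the real DNSKEY RDATA
published by the lookaside registry operator.

```conf
// Added example for BIND 9.3.2 (not from the release notes).
options {
    directory "/var/named";

    // DNSSEC is off by default (equivalent to "dnssec-enable no;"),
    // so it must be enabled explicitly before any of the options below matter.
    dnssec-enable yes;

    // Lookaside validation: DNSKEY RRsets at the top of any zone (".") may also
    // be validated through the assumed lookaside domain dlv.example.net.
    dnssec-lookaside . trust-anchor dlv.example.net.;

    // For this hierarchy only, answers are accepted only if they validate
    // as secure; everything else gets standard DNSSEC validation.
    dnssec-must-be-secure corp.example.com yes;

    // Refuse RSAMD5 signatures at and below the root. If a more specific
    // disable-algorithms statement exists for a subdomain, only that one applies there.
    disable-algorithms . { RSAMD5; };

    // Signatures that named generates for dynamically updated zones expire after
    // 30 days (the default); the allowed maximum is 3660 days.
    sig-validity-interval 30;
};

// The lookaside domain must itself be trusted. The key data below is a placeholder;
// flags 257 (key-signing key), protocol 3 and algorithm 5 (RSASHA1) are assumed.
trusted-keys {
    dlv.example.net. 257 3 5 "<base64 DNSKEY public key data from the lookaside operator>";
};
```

Check the result with `named-checkconf /etc/named.conf` before reloading; note that
dnssec-must-be-secure and dnssec-lookaside only have an effect when named has a
trust anchor (trusted-keys) from which to validate, so a configuration that sets
them without one will silently validate nothing.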
BIND 9.3.2 Features 7