[dns-operations] BIND version and NSEC3
Jeremy C. Reed
reed at reedmedia.net
Fri May 15 18:10:53 UTC 2009
On Fri, 15 May 2009, Gani, Paul * wrote:
> I understand BIND 9.6 is the first version that fully supports NSEC3.
> But how about if you're not interested in performing DNSSEC resolutions,
> but just want to host an NSEC3 zone? Will BIND 9.5 support creation of
> NSEC3 keys?
BIND 9.5's dnssec-signzone doesn't know NSEC3.
BIND 9.5's dnssec-keygen doesn't know NSEC3RSASHA1.
> How about hosting a NSEC3 signed zone file as either a
> master or slave?
BIND 9.5 doesn't know NSEC3PARAM or NSEC3 and will complain about unknown
RR type and won't load.
Also with DNSSEC, when status is NOERROR, a DNSSEC-enabled server also
sends back (in the authority section) the NSEC record for the requested
label and class. This will show that the requested TYPE doesn't exist.
When the status is NXDOMAIN, a DNSSEC-enabled server also sends back (in
the authority section), an NSEC record for the previous label which will
show the alphabetical next label. But your zone doesn't have NSEC ...
So using BIND that doesn't know NSEC3, it won't send back NSEC3. (And
newer dnssec-signzone doesn't create both NSEC and NSEC3 so can't use that
as an idea.)
(In my testing attempts I used custom TYPE51 and TYPE50 and convert the
data to the custom format. I have done that and served zone with NSEC3
with old BIND 9.3.5-P2, but that authoritative server doesn't do anything
special with the NSEC3PARAM. And any request for something that should
have been proven non-existent with NSEC3 failed. Also requests for
wildcards and NSEC3 records failed.)
You can see examples of custom TYPE50 and TYPE51 by using an old dig.
(Please consider using the bind-users list.)
More information about the dns-operations