[dns-operations] BIND version and NSEC3
Mark_Andrews at isc.org
Fri May 15 22:41:07 UTC 2009
In message <9B36B03B51A53C459FFA01BE79A8471207495179 at FMD3VS021.fda.gov>, "Gani,
Paul *" writes:
> I understand BIND 9.6 is the first version that fully supports NSEC3.
> But how about if you're not interested in performing DNSSEC resolutions,
> but just want to host an NSEC3 zone? Will BIND 9.5 support creation of
> NSEC3 keys? How about hosting a NSEC3 signed zone file as either a
> master or slave?
> Paul Gani
> FDA | OIM | DOI - Network Security
BIND 9. can serve a zone signed using NSEC3 capable
keys provided the zone is using NSEC for negative validation.
BIND 9. can't serve the same zone once the negative
validation is done using NSEC3 as it does not know how to
select the correct NSEC3 records.
The above constraints should be applicable to any other
authoritative nameserver that support NSEC but not NSEC3.
BIND 9. cannot generate NSEC3 keys.
BIND 9. cannot sign a zone using NSEC3 capable keys.
To generate a zone signed using NSEC3 capable keys you need
BIND 9.6 or later.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations