[dns-operations] BIND version and NSEC3

Mark Andrews Mark_Andrews at isc.org
Fri May 15 22:41:07 UTC 2009

In message <9B36B03B51A53C459FFA01BE79A8471207495179 at FMD3VS021.fda.gov>, "Gani, Paul *" writes:
> I understand BIND 9.6 is the first version that fully supports NSEC3.
> But how about if you're not interested in performing DNSSEC resolutions,
> but just want to host an NSEC3 zone?  Will BIND 9.5 support creation of
> NSEC3 keys?  How about hosting a NSEC3 signed zone file as either a
> master or slave?
> Paul Gani
> FDA | OIM | DOI - Network Security

	BIND 9.[345] can serve a zone signed using NSEC3 capable
	keys provided the zone is using NSEC for negative validation.

	BIND 9.[345] can't serve the same zone once the negative
	validation is done using NSEC3 as it does not know how to
	select the correct NSEC3 records.
	The above constraints should be applicable to any other
	authoritative nameserver that supports NSEC but not NSEC3.

	BIND 9.[345] cannot generate NSEC3 keys.
	BIND 9.[345] cannot sign a zone using NSEC3 capable keys.

	To generate a zone signed using NSEC3 capable keys you need
	BIND 9.6 or later.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
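As an added illustration (not part of the thread above), the following script checks the two properties Mark's answer turns on: whether a zone's DNSKEYs use NSEC3-capable algorithms and whether its negative-answer chain is NSEC or NSEC3 (NSEC3PARAM/NSEC3 records present). It assumes the algorithm numbers from RFC 5155 and later signing-algorithm RFCs; the zone snippets are constructed samples.

```python
# Added example, not from the original message. Classifies a presentation-
# format zone the way Mark Andrews' answer does: NSEC3-capable keys are fine
# for BIND 9.3-9.5 as long as the chain is NSEC; an NSEC3 chain needs 9.6+.

# Algorithms that signal NSEC3 awareness: RFC 5155 defines 6 and 7;
# RFC 5702 (8, 10) and RFC 6605 (13, 14) also permit NSEC3 (assumed list).
NSEC3_CAPABLE_ALGS = {6, 7, 8, 10, 13, 14}


def parse_zone(text):
    """Yield (owner, rrtype, rdata_fields); skips $-directives and comments."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        i = 1  # skip an optional TTL and class to reach the type field
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        yield fields[0], fields[i].upper(), fields[i + 1:]


def classify_zone(text):
    """Report key/chain style and the minimum BIND line that can serve/sign it."""
    algs, nsec3_chain = set(), False
    for _, rrtype, rdata in parse_zone(text):
        if rrtype == "DNSKEY":          # rdata: flags protocol algorithm key
            algs.add(int(rdata[2]))
        elif rrtype in ("NSEC3", "NSEC3PARAM"):
            nsec3_chain = True
    nsec3_keys = bool(algs & NSEC3_CAPABLE_ALGS)
    return {
        "nsec3_keys": nsec3_keys,
        "nsec3_chain": nsec3_chain,
        "serve_min": "9.6" if nsec3_chain else "9.3",
        "sign_min": "9.6" if (nsec3_keys or nsec3_chain) else "9.3",
    }


# Constructed samples: same NSEC3-capable key (alg 7), different chains.
NSEC_ZONE = """$ORIGIN example.test.
@ 3600 IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
@ 3600 IN DNSKEY 257 3 7 AwEAAconstructedKeyData==
@ 3600 IN NSEC ns1.example.test. SOA NS DNSKEY RRSIG NSEC
"""
NSEC3_ZONE = NSEC_ZONE.replace(
    "NSEC ns1.example.test. SOA NS DNSKEY RRSIG NSEC", "NSEC3PARAM 1 0 10 AABBCCDD")

if __name__ == "__main__":
    for name, zone in (("NSEC chain", NSEC_ZONE), ("NSEC3 chain", NSEC3_ZONE)):
        print(name, classify_zone(zone))
```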
