Anand Buddhdev
2021-Dec-04 11:12 UTC
[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
On 03/12/2021 20:56, A. Schulze via nsd-users wrote:

Hi Andreas,

> 1) I know not many relevant zones providing ZONEMD data today.
> 2) checking requires DNSSEC-validation which is not implemented in NSD
>
> Point 1 let me ask: which zones offer ZONEMD today? Just checked my local copies of
> - .
> - arpa
> - in-addr.arpa
> - ip6.arpa
> - root-servers.net.
> for ZONEMD records: nothing ...

ZONEMD is expected to appear in the root zone next year. Here's a publication by ICANN about it: https://www.icann.org/iana_rzerc_docs/449-rzerc003-adding-zone-data-protections-to-the-root-zone-v-final

The idea behind this is that validating resolvers that want a local copy of the root zone can get it from any source, and verify it using the ZONEMD record.

As Wouter explained, NSD is an authoritative-only server, and usually has no need to verify zones. Usually, NSD will be configured as a secondary, and XFR zones from primaries using TSIG.

Regards,
Anand Buddhdev
RIPE NCC
A. Schulze
2021-Dec-05 10:09 UTC
[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
Hi Anand!

On 04.12.21 at 12:12, Anand Buddhdev via nsd-users wrote:
> ZONEMD is expected to appear in the root zone next year.

ok, good to know.

> As Wouter explained, NSD is an authoritative-only server, and usually has no need to verify zones. Usually, NSD will be configured as a secondary, and XFR zones from primaries using TSIG.

So it looks like zone transfer over TCP+TLS and TSIG and DNSSEC are enough integrity checks to /assume/ data served by a secondary aren't corrupted. Well, it doesn't sound like a strange assumption, but I thought ZONEMD was also developed as a next layer on top.

Andreas
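To make concrete what Anand describes (a consumer of a zone copy verifying it against the apex ZONEMD record) and Andreas's point that checking also depends on DNSSEC validation, here is an added Python example that is not part of this thread and not NSD code. It implements the RFC 8976 SIMPLE scheme (scheme 1) with SHA-384 (hash algorithm 1) over a small constructed zone named `example.test`: RRs are put into canonical wire form, sorted in canonical order, the apex ZONEMD RRset itself is excluded from the digest, and the stored digest is compared with the recomputed one. Only the A, NS, SOA, TXT and ZONEMD types are encoded, which is an assumption to keep the example short; a real zone would need every type and an RRSIG check on the ZONEMD RRset.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

TYPE_NUM = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE = 1   # RFC 8976 scheme 1: one digest over the whole zone
HASH_SHA384 = 1     # RFC 8976 hash algorithm 1: SHA-384

RR = Tuple[str, int, str, str]  # (owner, ttl, type, presentation-format rdata)

# Constructed, hypothetical zone used only for this example.
EXAMPLE_ZONE: List[RR] = [
    ("example.test.", 3600, "SOA",
     "ns1.example.test. hostmaster.example.test. 2021120401 7200 3600 1209600 3600"),
    ("example.test.", 3600, "NS", "ns1.example.test."),
    ("example.test.", 3600, "NS", "ns2.example.test."),
    ("ns1.example.test.", 3600, "A", "192.0.2.1"),
    ("ns2.example.test.", 3600, "A", "192.0.2.2"),
    ("www.example.test.", 300, "TXT", '"hello"'),
]

def name_wire(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (RFC 4034 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rdata_wire(rtype: str, rdata: str) -> bytes:
    """Encode RDATA for the handful of types this example supports (assumption)."""
    f = rdata.split()
    if rtype == "A":
        return bytes(int(x) for x in f[0].split("."))
    if rtype == "NS":
        return name_wire(f[0])
    if rtype == "SOA":
        return name_wire(f[0]) + name_wire(f[1]) + struct.pack("!IIIII", *(int(x) for x in f[2:7]))
    if rtype == "TXT":
        s = rdata.strip('"').encode("ascii")
        return bytes([len(s)]) + s
    if rtype == "ZONEMD":
        return struct.pack("!IBB", int(f[0]), int(f[1]), int(f[2])) + bytes.fromhex(f[3])
    raise ValueError(f"unsupported type {rtype}")

def rr_wire(rr: RR) -> bytes:
    """Canonical wire form of one RR: owner, type, class, TTL, RDLENGTH, RDATA."""
    owner, ttl, rtype, rdata = rr
    rd = rdata_wire(rtype, rdata)
    return name_wire(owner) + struct.pack("!HHIH", TYPE_NUM[rtype], CLASS_IN, ttl, len(rd)) + rd

def canonical_key(rr: RR):
    """Canonical order: owner labels compared right to left, then type, then RDATA octets."""
    owner, _, rtype, rdata = rr
    labels = tuple(l.lower().encode("ascii") for l in owner.rstrip(".").split(".") if l)
    return (labels[::-1], TYPE_NUM[rtype], rdata_wire(rtype, rdata))

def _soa(rrs: List[RR]) -> RR:
    for rr in rrs:
        if rr[2] == "SOA":
            return rr
    raise ValueError("zone has no SOA record")

def zone_digest(rrs: List[RR]) -> bytes:
    """SHA-384 over every RR in canonical order, excluding the apex ZONEMD RRset."""
    apex = _soa(rrs)[0].lower()
    h = hashlib.sha384()
    for rr in sorted(rrs, key=canonical_key):
        if rr[2] == "ZONEMD" and rr[0].lower() == apex:
            continue
        h.update(rr_wire(rr))
    return h.digest()

def add_zonemd(rrs: List[RR], ttl: int = 86400) -> List[RR]:
    """Return a copy of the zone with a freshly computed apex ZONEMD record (publisher side)."""
    soa = _soa(rrs)
    serial = soa[3].split()[2]
    return rrs + [(soa[0], ttl, "ZONEMD",
                   f"{serial} {SCHEME_SIMPLE} {HASH_SHA384} {zone_digest(rrs).hex()}")]

def verify_zonemd(rrs: List[RR]) -> bool:
    """Consumer side: True only if an apex ZONEMD RR with a supported scheme/hash and
    the current SOA serial carries a digest that matches the recomputed one.
    In a signed zone the ZONEMD RRset must additionally be DNSSEC-validated;
    that step is out of scope here."""
    soa = _soa(rrs)
    apex, serial = soa[0].lower(), int(soa[3].split()[2])
    expected = zone_digest(rrs)
    for rr in rrs:
        if rr[2] != "ZONEMD" or rr[0].lower() != apex:
            continue
        f = rr[3].split()
        if int(f[0]) != serial:          # stale ZONEMD from an earlier serial
            continue
        if int(f[1]) != SCHEME_SIMPLE or int(f[2]) != HASH_SHA384:
            continue                     # unsupported scheme or hash: ignore this RR
        if hmac.compare_digest(bytes.fromhex(f[3]), expected):
            return True
    return False

if __name__ == "__main__":
    published = add_zonemd(EXAMPLE_ZONE)
    print("published zone verifies:", verify_zonemd(published))
```

The two checks a practitioner should notice are the serial comparison (a ZONEMD left over from a previous SOA serial is ignored rather than treated as a mismatch) and the exclusion of the ZONEMD RRset from its own digest. The digest alone only proves the copy matches what the publisher hashed; whether the publisher is authentic is exactly the DNSSEC-validation step Andreas raises, and a secondary fed over TSIG-authenticated XFR does not get that from ZONEMD either.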