Hi Andreas,

Thanks for the test. :-)

The ZONEMD was devised to safeguard transmission of zones like the root and in-addr zones, and for hyperlocal hosting of those zones, so implementation in Unbound makes sense for that. For NSD, it could perhaps verify ZONEMD records, the hashes of it, upon loading a zonefile or loading from a zone transfer. But that would only work if that zone has one. And NSD then could not actually check the RRSIGs on the ZONEMD, because although Unbound is a DNSSEC validator, and Unbound can recursively look up records that are needed, NSD is not and wants to be a small, tightly focused package.

So for NSD it is less relevant, as those zones do not really have ZONEMD. And it lacks DNSSEC verification capabilities. Because of that, there are no plans for ZONEMD in NSD. Even though hash-only checks would not be too difficult, the spec mandates DNSSEC checks.

Best regards, Wouter

On 03/12/2021 16:55, A. Schulze via nsd-users wrote:
>
> On 02.12.21 at 16:57 Wouter Wijngaards via nsd-users wrote:
>> NSD 4.3.9rc1 pre-release is available
>
> Hello Wouter,
>
> the new version compiles without trouble (using openssl3)
>
> Not directly related to this rc1:
>
> UNBOUND has the ability to check ZONEMD records
> I'm missing a similar feature in NSD. Are there any plans?
>
> Andreas
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
A. Schulze
2021-Dec-03 19:56 UTC
[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
On 03.12.21 at 17:28 Wouter Wijngaards via nsd-users wrote:
> Hi Andreas,
>
> Thanks for the test. :-)
>
> The ZONEMD was devised to safeguard transmission of zones like the root
> and in-addr zones, and for hyperlocal hosting of those zones, so
> implementation in Unbound makes sense for that. For NSD, it could
> perhaps verify ZONEMD records, the hashes of it, upon loading a zonefile
> or loading from a zone transfer. But that would only work if that zone
> has one. And NSD then could not actually check the RRSIGs on the ZONEMD,
> because although Unbound is a DNSSEC validator, and Unbound can lookup
> recursively records that are needed, NSD is not and wants to be a small,
> tightly focused package.
>
> So for NSD it is less relevant, not really those zones have ZONEMD. And
> it lacks DNSSEC verification capabilities. Because of that, there are no
> plans for ZONEMD in NSD. Even though, hash-only checks, would not be too
> difficult, but the spec mandates DNSSEC checks.

Hello Wouter,

Thanks for that clarification. It helped a lot for my understanding.

I read it mostly as
1) I know of not many relevant zones providing ZONEMD data today.
2) checking requires DNSSEC validation, which is not implemented in NSD

Point 1 lets me ask: which zones offer ZONEMD today?
Just checked my local copies of
- .
- arpa
- in-addr.arpa
- ip6.arpa
- root-servers.net.
for ZONEMD records: nothing ...

Point 2 is valid, BUT especially for DNSSEC validation it is not necessary to implement it inside NSD. postfix, the well-known MTA, is a perfect example of another way. The whole DANE implementation simply requires that DNS queries are answered from a DNSSEC validating resolver. And there is important operational advice: use a LOCAL resolver (UNBOUND is suggested btw.)
-> http://www.postfix.org/TLS_README.html#client_tls_dane -> CTRL+F -> "Note:"

Andreas
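Wouter's remark that a hash-only ZONEMD check "would not be too difficult" and Andreas's two-point reading both come down to the digest defined in RFC 8976. The following is an added example, not code from this thread and not NSD's or Unbound's implementation: it builds a small constructed zone in memory, computes the SIMPLE-scheme (1) SHA-384 (1) digest over the records in canonical order, and checks an apex ZONEMD against it. It deliberately does only the hash part; it does not validate the RRSIG over the ZONEMD, which is the DNSSEC step Wouter says NSD cannot perform. The record builders, the zone contents and the serial number are assumptions made for the example.

```python
"""
Hash-only ZONEMD (RFC 8976) check over an in-memory zone.
Scheme 1 (SIMPLE), hash algorithm 1 (SHA-384). Does NOT validate the RRSIG
covering the ZONEMD RRset; a conforming verifier must also do that.
Added example; the zone below is constructed, not taken from any real zone.
"""
import hashlib
import struct

TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
CLASS_IN = 1


def labels(name):
    # Canonical form: lowercase, no trailing dot; the root "." is the empty list.
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wire_name(name):
    # Uncompressed, lowercased wire-format name (RFC 4034 section 6.2).
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def owner_key(name):
    # RFC 4034 section 6.1 canonical ordering: most significant (rightmost) label first,
    # so "example." < "a.example." < "ns.a.example." < "z.example.".
    return tuple(reversed([l.encode("ascii") for l in labels(name)]))


# RDATA builders for the few types the example zone uses (assumed helpers).
def rd_a(ip):
    return bytes(int(o) for o in ip.split("."))


def rd_ns(target):
    return wire_name(target)


def rd_soa(mname, rname, serial, refresh, retry, expire, minimum):
    return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)


def rd_zonemd(serial, scheme, halg, digest):
    return struct.pack("!IBB", serial, scheme, halg) + digest


def zonemd_digest(records, apex):
    """SIMPLE-scheme digest (RFC 8976 3.3.2) over (owner, ttl, type, rdata) tuples."""
    apex_key = owner_key(apex)
    rows = {}
    for owner, ttl, rtype, rdata in records:
        tcode = TYPE_CODES[rtype]
        if tcode == TYPE_CODES["ZONEMD"] and owner_key(owner) == apex_key:
            continue  # apex ZONEMD itself is excluded (3.3.1 rule 4); its RRSIG would be too (5.1)
        rows.setdefault((owner_key(owner), tcode, rdata), (owner, ttl))  # duplicate RRs counted once (rule 3)
    h = hashlib.sha384()
    # Sort by owner (canonical), then numeric type, then RDATA as an octet string (RFC 4034 6.3).
    for okey, tcode, rdata in sorted(rows):
        owner, ttl = rows[(okey, tcode, rdata)]
        h.update(wire_name(owner) + struct.pack("!HHIH", tcode, CLASS_IN, ttl, len(rdata)) + rdata)
    return h.digest()


def verify_zonemd(records, apex):
    """True if an apex ZONEMD (scheme 1, hash 1) matches the SOA serial and the computed digest."""
    apex_key = owner_key(apex)
    soa = [r for r in records if r[2] == "SOA" and owner_key(r[0]) == apex_key]
    if not soa:
        return False
    serial = struct.unpack("!I", soa[0][3][-20:-16])[0]  # SOA RDATA ends with 5 x 32-bit: serial is the first
    computed = zonemd_digest(records, apex)
    for owner, ttl, rtype, rdata in records:
        if rtype != "ZONEMD" or owner_key(owner) != apex_key:
            continue
        zserial, scheme, halg = struct.unpack("!IBB", rdata[:6])
        if zserial == serial and scheme == 1 and halg == 1 and rdata[6:] == computed:
            return True
    return False


SERIAL = 2021120301  # constructed serial


def sample_zone():
    """Constructed example zone with a publisher-side ZONEMD appended at the apex."""
    zone = [
        ("example.", 3600, "SOA", rd_soa("ns1.example.", "hostmaster.example.", SERIAL, 7200, 3600, 1209600, 3600)),
        ("example.", 3600, "NS", rd_ns("ns1.example.")),
        ("example.", 3600, "NS", rd_ns("NS2.example.")),  # mixed case: canonical form lowercases it
        ("ns1.example.", 3600, "A", rd_a("192.0.2.1")),
        ("ns2.example.", 3600, "A", rd_a("192.0.2.2")),
        ("www.example.", 300, "A", rd_a("192.0.2.10")),
    ]
    zone.append(("example.", 3600, "ZONEMD", rd_zonemd(SERIAL, 1, 1, zonemd_digest(zone, "example."))))
    return zone


if __name__ == "__main__":
    zone = sample_zone()
    print("ZONEMD hash matches:", verify_zonemd(zone, "example."))
    print("digest:", zonemd_digest(zone, "example.").hex())
```

Changing any record (or the SOA serial without republishing the ZONEMD) makes verify_zonemd return False, which is the transfer-integrity property Wouter describes; what it cannot tell you is whether the ZONEMD itself is authentic, because that needs the RRSIG check and a validating trust path.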