Hi Andreas,
Thanks for the test. :-)
ZONEMD was devised to safeguard transmission of zones like the root
and in-addr zones, and for hyperlocal hosting of those zones, so
implementation in Unbound makes sense for that. For NSD, it could
perhaps verify ZONEMD records, the hashes in them, upon loading a zonefile
or loading from a zone transfer. But that would only work if that zone
has one. And NSD then could not actually check the RRSIGs on the ZONEMD,
because although Unbound is a DNSSEC validator, and Unbound can recursively
look up the records that are needed, NSD is not and wants to be a small,
tightly focused package.
So for NSD it is less relevant; those zones do not really have ZONEMD. And
it lacks DNSSEC verification capabilities. Because of that, there are no
plans for ZONEMD in NSD. Even though hash-only checks would not be too
difficult, the spec mandates DNSSEC checks.
Best regards, Wouter
On 03/12/2021 16:55, A. Schulze via nsd-users wrote:
>
> On 02.12.21 at 16:57 Wouter Wijngaards via nsd-users wrote:
>> NSD 4.3.9rc1 pre-release is available
>
> Hello Wouter,
>
> The new version compiles without trouble (using openssl3)
>
> Not directly related to this rc1:
>
> UNBOUND has the ability to check ZONEMD records
> I'm missing a similar feature in NSD. Are there any plans?
>
> Andreas
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
>
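As an added illustration of the hash-only ZONEMD check discussed in the reply above, the following is example code written for this page; it is not code from NSD, Unbound or NLnet Labs. It implements the RFC 8976 SIMPLE scheme with SHA-384 over a small in-memory zone. The zone, the name example.test and every record value in it are constructed for the example, and only the record types the sample zone uses (SOA, NS, A, ZONEMD) are serialized; a real loader would have to cover every type.

```python
"""Hash-only ZONEMD (RFC 8976, SIMPLE scheme, SHA-384) check over a small zone.

Added illustration, not code from NSD or Unbound. The zone contents, the
name example.test and all record values are constructed for the example.
Only the record types the sample zone uses (SOA, NS, A, ZONEMD) are
serialized. RRSIG validation, which RFC 8976 also requires, is not done.
"""
import hashlib
import hmac
import struct

TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
SCHEME_SIMPLE, HASH_SHA384 = 1, 1  # RFC 8976 registry values

# Constructed sample zone: (owner, ttl, type, rdata fields).
APEX = "example.test."
ZONE = [
    (APEX, 3600, "SOA", ("ns1.example.test.", "hostmaster.example.test.",
                         2021120301, 7200, 3600, 1209600, 3600)),
    (APEX, 3600, "NS", ("ns1.example.test.",)),
    (APEX, 3600, "NS", ("ns2.example.test.",)),
    ("ns1.example.test.", 3600, "A", ("192.0.2.1",)),
    ("ns2.example.test.", 3600, "A", ("192.0.2.2",)),
    ("www.example.test.", 3600, "A", ("192.0.2.10",)),
]


def labels(name):
    """Lowercased labels of a name (empty list for the root)."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wire_name(name):
    """Uncompressed, lowercased wire-format name (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def name_key(name):
    """Sort key giving RFC 4034 section 6.1 canonical name order."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def canonical_rdata(rtype, fields):
    """Canonical RDATA: names inside NS and SOA lowercased, uncompressed."""
    if rtype == "A":
        return bytes(int(octet) for octet in fields[0].split("."))
    if rtype == "NS":
        return wire_name(fields[0])
    if rtype == "SOA":
        mname, rname, *counters = fields
        return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *counters)
    if rtype == "ZONEMD":
        serial, scheme, halg, digest_hex = fields
        return struct.pack("!IBB", serial, scheme, halg) + bytes.fromhex(digest_hex)
    raise ValueError("unsupported type in this example: " + rtype)


def compute_digest(zone, apex):
    """SIMPLE-scheme SHA-384 digest; returns (soa_serial, hex digest)."""
    apex_key = name_key(apex)
    serial = next(f[2] for o, _, t, f in zone if t == "SOA" and name_key(o) == apex_key)
    canonical = {}
    for owner, ttl, rtype, fields in zone:
        if rtype == "ZONEMD" and name_key(owner) == apex_key:
            continue  # the apex ZONEMD RRset is excluded from its own digest
        rdata = canonical_rdata(rtype, fields)
        # Key without TTL: duplicate RRs (same owner/type/RDATA) count once.
        key = (name_key(owner), TYPE_CODES[rtype], rdata)
        canonical[key] = (wire_name(owner)
                          + struct.pack("!HHIH", TYPE_CODES[rtype], 1, ttl, len(rdata))
                          + rdata)
    h = hashlib.sha384()
    for key in sorted(canonical):  # owner name, then type, then RDATA
        h.update(canonical[key])
    return serial, h.hexdigest()


def zonemd_record(zone, apex, ttl=3600):
    """The apex ZONEMD RR a zone publisher would add for this zone."""
    serial, digest = compute_digest(zone, apex)
    return (apex, ttl, "ZONEMD", (serial, SCHEME_SIMPLE, HASH_SHA384, digest))


def verify_zonemd(zone, apex):
    """Hash-only check as a zone loader could do it. Does NOT validate the
    RRSIG over the ZONEMD RRset, which a signed zone additionally needs."""
    apex_key = name_key(apex)
    zonemds = [f for o, _, t, f in zone if t == "ZONEMD" and name_key(o) == apex_key]
    if not zonemds:
        return False  # nothing to verify against
    serial, digest = compute_digest(zone, apex)
    for rec_serial, scheme, halg, rec_digest in zonemds:
        if rec_serial != serial or (scheme, halg) != (SCHEME_SIMPLE, HASH_SHA384):
            continue  # stale serial, or a scheme/algorithm we do not support
        if hmac.compare_digest(rec_digest.lower(), digest):
            return True
    return False


if __name__ == "__main__":
    rec = zonemd_record(ZONE, APEX)
    print("ZONEMD", rec[3])
    print("verify:", verify_zonemd(ZONE + [rec], APEX))
```

The part deliberately left out is the one the reply says NSD cannot do: checking the RRSIG over the apex ZONEMD RRset, which needs a DNSSEC validator with a trust anchor and the ability to fetch the DNSKEY chain. Without it, anyone who can alter the zone in transit can also recompute the ZONEMD, so the hash only detects accidental corruption or truncation.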