Query on Resolver w.r.t DNSSEC
Hi, I am Ganesh and I work for Wipro. We are currently working on porting DNS BIND 4.8 to DNS BIND 9.2.3. My platform is HP NonStop servers. I have a specific query regarding the role of the resolver library in DNSSEC.

Query: Does DNS BIND 9.2.3 support caching and verification of RRs (resource records) on the resolver library part by default? We are trying to port 4.8 resolver code to 9.2.3 resolver code. Since our platform doesn't support OpenSSL, we are trying to look out for this option. We wanted to know whether by default any authentication is enabled at the resolver part in BIND 9.2.3. We understand that RFC2535 states CD and AD bits. If the CD bit is set, then the resolver doesn't do auth and integrity tests. Is this CD bit disabled or enabled in BIND 9.2.3?

To reiterate the whole question again, we wanted to know the role of the resolver with respect to DNSSEC in BIND 9.2.3! Since we are pretty new to DNSSEC, we need your valuable inputs on the above query.

regards,
Ganesh.

Confidentiality Notice: The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or Mailadmin@wipro.com immediately and destroy all copies of this message and any attachments.
This group is not bound to BIND specifically, but let me try to answer anyway.

I am Ganesh and I work for Wipro. We are currently working on porting DNS BIND 4.8 to DNS BIND 9.2.3. My platform is HP NonStop servers. I have a specific query regarding the role of the resolver library in DNSSEC. Query: Does DNS BIND 9.2.3 support caching and verification of RRs (resource records) on the resolver library part by default? We are trying to port 4.8 resolver code to 9.2.3 resolver code. Since our platform doesn't support OpenSSL, we are trying to look out for this option. We wanted to know whether by default any authentication is enabled at the resolver part in BIND 9.2.3.

If I understand it properly, your platform doesn't have OpenSSL and therefore BIND 9 won't compile, and therefore you want to port the BIND 4.8 resolver into BIND 9. The internal structure of BIND 9 is completely different than BIND 8; to merge parts of both will be a hopeless affair. Earlier versions of BIND 9 didn't support DNSSEC by default, so they could be compiled without OpenSSL support. You might want to ask the BIND developers whether it is still possible to compile with the --enable-dnssec=NO flag set (or whatever the flag to configure is). A quick search for OpenSSL on the HP NonStop shows two announcements (July Update.pdf, September.pdf) about the availability of OpenSSL in some form.

jaap
On Mon, 22 Nov 2004, Natarajan,Ganesh wrote:
Does DNS BIND 9.2.3 support caching and verification of RRs (resourse records) on the resolver library part by default?
RFC2535 is being obsoleted -- three replacement documents are in the RFC Editor queue right now. The changes between 2535-DNSSEC and DNSSECbis are substantial and incompatible. Only BIND 9.3.0 and later support these recent changes, and it's expected that 2535-DNSSEC is dead. While 9.2.3 does have a DNSSEC validator, it's pretty useless -- if you want DNSSEC, you need to use more modern code.
we wanted to know, whether by default any authentication is enabled at the resolver part in BIND 9.2.3.
No. 9.2.3 has a compile-time option for enabling DNSSEC support in the code. Even if the features are enabled, no validation is done unless trust anchors are defined (via the trusted-keys config line).
Is this CD bit disabled or enabled in BIND 9.2.3?
BIND 9.2.3, as a recursive resolver, will not issue queries with the CD bit set (unless it gets queries with the CD bit set). That means that any upstream resolvers that are doing DNSSEC validation will still do it. As above, the BIND 9.2.3 code won't do validation unless the DNSSEC code is enabled and at least one trust anchor is configured. -- Sam
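As an added illustration of the CD/AD roles described in this thread (example code written for this page, not code from BIND or from any of the posters), the snippet below decodes the DNS header flags, shows a non-validating recursive resolver copying the client's CD bit upstream so a validating upstream still validates, and shows the condition under which a stub may rely on the AD bit at all. Message bytes are constructed headers only.

```python
import struct

# DNS header flag bits: RFC 1035 (QR, RD, RA) and RFC 2535 section 6.1 (AD, CD).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

def parse_header(data):
    """Decode the 12-byte DNS header into its id, flag bits and section counts."""
    txid, flags, qd, an, ns, ar = HEADER.unpack(data[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def upstream_query_header(client_query, txid):
    """Header a recursive resolver that does no validation itself sends upstream.
    It copies CD from the client's query (clear by default), so a validating
    upstream resolver keeps validating unless the client explicitly opted out.
    AD is never set on a query; without a trust anchor the resolver cannot
    turn an upstream answer into a validated one, AD on the wire is just a bit."""
    cd = CD if parse_header(client_query)["cd"] else 0
    return HEADER.pack(txid, RD | cd, 1, 0, 0, 0)

def stub_trusts_ad(response, sent_cd, resolver_is_trusted):
    """A stub resolver may rely on AD only if it did not set CD (CD disables
    checking), the message is a response, and the resolver that set AD is one
    it trusts over a channel an attacker cannot spoof (e.g. localhost)."""
    h = parse_header(response)
    return h["qr"] and h["ad"] and not sent_cd and resolver_is_trusted

# Constructed sample messages (headers only; question/answer sections omitted).
CLIENT_QUERY = HEADER.pack(0x1234, RD, 1, 0, 0, 0)             # plain client query
CLIENT_QUERY_CD = HEADER.pack(0x1235, RD | CD, 1, 0, 0, 0)     # client opted out of checking
VALIDATED_ANSWER = HEADER.pack(0x4321, QR | RD | RA | AD, 1, 1, 0, 0)

if __name__ == "__main__":
    print(parse_header(upstream_query_header(CLIENT_QUERY, 0x4321)))
    print(stub_trusts_ad(VALIDATED_ANSWER, sent_cd=False, resolver_is_trusted=True))
```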