Hi all,
I need to know if NSD complies with the following RFCs and if they are or are not implemented. If they are not implemented it would be good to know why, but not essential. A simple “Yes” or “No” answer to each one will suffice.
RFC 4470 Minimally Covering NSEC Records and DNSSEC On-line Signing
RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
RFC 5011 Automated Updates of DNS Security (DNSSEC) Trust Anchors
RFC 5702 Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
Thanks.
Hi Robert,
Hi all,
I need to know if NSD complies with the following RFCs and if they are
or are not implemented. If they are not implemented it would be good to
know why, but not essential. A simple "Yes" or "No" answer to each one
will suffice.
RFC 4470 Minimally Covering NSEC Records and DNSSEC On-line Signing
No: NSD does not do signing.
RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
Yes.
RFC 5011 Automated Updates of DNS Security (DNSSEC) Trust Anchors
No: NSD is not a resolver.
RFC 5702 Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
Yes.
Best regards,
Matthijs
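Since "Yes" for RFC 4509 means the DS record at the parent may carry a SHA-256 digest of the DNSKEY that NSD serves, here is an added example (not from this thread and not NSD code) that computes such a DS from a DNSKEY's owner name and RDATA and checks it against a published DS string. The sample key bytes are constructed for illustration, not a real key.

```python
# Added example: build a SHA-256 DS record (RFC 4509, digest type 2) for a
# DNSKEY and compare it with the DS published at the parent. Useful for checking
# that the DS in the parent zone really matches the key an authoritative server
# such as NSD is serving. Only the standard library is used.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the 16-bit ones-complement style sum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Return the DS RDATA as text: '<keytag> <algorithm> 2 <hex digest>'.

    RFC 4509: digest = SHA-256(canonical owner name in wire form || DNSKEY RDATA).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, published_ds: str) -> bool:
    """True if the DS computed from the DNSKEY equals the published DS (case-insensitive)."""
    computed = ds_sha256(owner, flags, protocol, algorithm, pubkey_b64).split()
    return computed == published_ds.upper().split()


if __name__ == "__main__":
    # Constructed sample: a two-byte "public key" ("AQI=" is base64 of 0x01 0x02),
    # KSK flags 257, protocol 3, algorithm 8 (RSASHA256, the RFC 5702 algorithm).
    print(ds_sha256("example.com.", 257, 3, 8, "AQI="))
```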
It might be helpful to the initial poster to know that, even though
RFC 4470 (with amendments in RFC 4471) is on IETF Standards Track,
it is to be considered an optional part of the DNSSEC protocol suite.
This was to address the zone enumeration problem back in the day when
NSEC3 (now in RFC 5155) was not yet fully specified, let alone implemented.
Both methods address the same problem from different angles and
have their pros and cons. With NSEC3 in use with various TLDs,
tools and validators today can be expected to understand this
extension (and NSD implements RFC 5155 on the authoritative server
side).
If the list of RFCs originated from a third-party checklist, I'd be
interested in learning about the background.
-Peter