BIND 9.3.2 Release Notes HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (5900-2140, March 2012)

4034 (Resource Records for the DNS Security Extensions), and 4035 (Protocol Modifications for the DNS Security Extensions). The DNSSEC implementation provides the following new features:
Signed Zone

A signed zone contains additional security-related resource records (RRs). Table 1 (page 5) describes the additional security-related records in BIND 9.3.2.

Table 1 Security-Related RRs in a Signed Zone

RR Type: DNS Public Key (DNSKEY)
Description: Enables normal DNS resolution and stores public keys. The DNSKEY record replaces the KEY record.

RR Type: Resource Record Signature (RRSIG)
Description: Stores cryptographically generated digital signatures.

RR Type: Next Secure (NSEC)
Description: Enables a security-aware resolver to authenticate a negative reply, for non-existence of a name or type, using the same mechanism that is used to authenticate other DNS replies. The NSEC record replaces the NXT record.

RR Type: Delegation Signer (DS)
Description: Simplifies administrative tasks involved in signing delegations across organizational boundaries.
New DNSSEC options in the options statement

BIND 9.3.2 provides new DNSSEC options in the options statement. Table 2 (page 5) lists the new options in the options statement located in the /etc/named.conf file.

Table 2 New DNSSEC Options

Option: dnssec-enable yes_or_no;
Description: Enables or disables DNSSEC support. If this option is set to yes, named supports the DNSSEC feature. By default, the DNSSEC feature is not enabled.

Option: dnssec-lookaside domain trust-anchor domain;
Description: Provides the validator an alternate method to validate DNSKEY records at the top of a zone.

Option: dnssec-must-be-secure domain yes_or_no;
Description: Specifies hierarchies that are secure (signed and validated). If this option is set to yes, named accepts answers only if they are secure. If this option is set to no, named applies the standard DNSSEC validation.

Option: disable-algorithms domain { algorithm; [ algorithm; ] };
Description: Disables the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed; however, only the most specific is applied.

Option: sig-validity-interval number;
Description: Specifies when the automatically generated DNSSEC signatures expire. The default value is 30 days. The maximum is 3660 days (10 years).

For more information on the new DNSSEC options, see named.conf(1).
New DNSSEC statement in the options statement

BIND 9.3.2 contains trusted-keys, a new DNSSEC statement in the options statement located in the /etc/named.conf file. The trusted-keys statement defines DNSSEC security roots.

A security root is defined when the public key for a non-authoritative zone cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. When a key is configured as a trusted key, it is treated as if it is validated and is secure. The resolver attempts DNSSEC validation on all DNS data in the subdomains of a security root. The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the base-64 representation of the key data. For more information on the trusted-keys statement, see named.conf(1).
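As an added example (not from these release notes), here is how the options and the trusted-keys statement described above fit together in a minimal /etc/named.conf for a validating resolver; the domain names and key data are placeholders, and trusted-keys is written at the top level of named.conf next to the options block, which is where named's parser expects it.

```conf
// Added example, not from the HP-UX release notes.
// Domain names and key data below are placeholders, not real values.
options {
    directory "/var/named";          // assumed working directory

    // Off by default; nothing below has any effect until this is yes.
    dnssec-enable yes;

    // Treat example.com and everything under it as a secure hierarchy:
    // only signed, successfully validated answers are accepted for it.
    dnssec-must-be-secure "example.com." yes;

    // Lookaside validation for zones whose parent is unsigned:
    // DNSKEYs for names under "." may also be validated via the
    // trust anchors published in the (assumed) DLV zone dlv.example.net.
    dnssec-lookaside "." trust-anchor "dlv.example.net.";

    // Refuse DNSSEC algorithm 1 (RSA/MD5) at and below example.org.
    // Several disable-algorithms statements may exist; the most
    // specific name wins.
    disable-algorithms "example.org." { 1; };

    // Signatures named generates itself expire after 30 days
    // (the default; the maximum is 3660).
    sig-validity-interval 30;
};

// Security roots: keys that cannot be obtained securely through DNS,
// so they are configured statically and treated as validated.
// Entry fields: name, flags, protocol, algorithm, base-64 key data.
// flags 257 = zone key + secure entry point (a KSK), protocol 3 = DNSSEC,
// algorithm 5 = RSA/SHA-1.
trusted-keys {
    "example.com." 257 3 5 "PLACEHOLDER-BASE64-KEY-DATA==";
};
```

Because the trusted key is accepted without validation, the key data should be obtained and verified out of band (for example, compared against the DS record or a fingerprint published by the zone operator) before it is added here.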
BIND 9.3.2 features 5