[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
A. Schulze
sca at andreasschulze.de
Fri Dec 3 19:56:36 UTC 2021
On 03.12.21 at 17:28, Wouter Wijngaards via nsd-users wrote:
> Hi Andreas,
>
> Thanks for the test. :-)
>
> The ZONEMD was devised to safeguard transmission of zones like the root
> and in-addr zones, and for hyperlocal hosting of those zones, so
> implementation in Unbound makes sense for that. For NSD, it could
> perhaps verify ZONEMD records, the hashes of it, upon loading a zonefile
> or loading from a zone transfer. But that would only work if that zone
> has one. And NSD then could not actually check the RRSIGs on the ZONEMD,
> because although Unbound is a DNSSEC validator, and Unbound can lookup
> recursively records that are needed, NSD is not and wants to be a small,
> tightly focused package.
>
> So for NSD it is less relevant, not really those zones have ZONEMD. And
> it lacks DNSSEC verification capabilities. Because of that, there are no
> plans for ZONEMD in NSD. Even though hash-only checks would not be too
> difficult, the spec mandates DNSSEC checks.
Hello Wouter,
Thanks for that clarification. It helped a lot for my understanding.
I read it mostly as
1) I know of not many relevant zones providing ZONEMD data today.
2) checking requires DNSSEC validation, which is not implemented in NSD
Point 1 lets me ask: which zones offer ZONEMD today? Just checked my local copies of
- .
- arpa
- in-addr.arpa
- ip6.arpa
- root-servers.net.
for ZONEMD records: nothing ...
Point 2 is valid, BUT
especially for DNSSEC validation it is not necessary to implement it inside NSD.
postfix, the well-known MTA, is a perfect example of another way.
The whole DANE implementation simply requires that DNS queries are answered by a DNSSEC-validating resolver.
And there is an important piece of operational advice: use a LOCAL resolver (UNBOUND is suggested, btw.)
-> http://www.postfix.org/TLS_README.html#client_tls_dane -> CTRL+F -> "Note:"
Andreas
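To make the "hash-only check" mentioned in the thread concrete, here is an added example (not code from NSD, Unbound, or anyone in this thread) that computes and verifies an RFC 8976 ZONEMD digest (SIMPLE scheme, SHA-384) for a small unsigned zone. The zone, its names and addresses are constructed for the demonstration; only the A, AAAA, NS, SOA and ZONEMD types are encoded, and the DNSSEC validation of the ZONEMD RRset that the RFC additionally requires is deliberately left out, which is exactly the gap discussed above.

```python
"""Hash-only ZONEMD (RFC 8976) check for a small unsigned zone, in pure Python."""
import hashlib
import hmac
import ipaddress
import struct

# IANA type/class numbers for the only types this example encodes.
TYPE_NUM = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
CLASS_IN = 1
ZONEMD_SCHEME_SIMPLE = 1   # RFC 8976 scheme 1
ZONEMD_HASH_SHA384 = 1     # RFC 8976 hash algorithm 1


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercase wire-format name (RFC 4034 section 6.2 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_order_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical name order: compare labels right to left."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def encode_rdata(rtype: str, rdata) -> bytes:
    """Wire-format RDATA; names inside NS/SOA are lowercased as RFC 4034 section 6.2 requires."""
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return wire_name(rdata)
    if rtype == "SOA":
        mname, rname, serial, refresh, retry, expire, minimum = rdata
        return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)
    if rtype == "ZONEMD":
        serial, scheme, hashalg, digest = rdata
        return struct.pack("!IBB", serial, scheme, hashalg) + digest
    raise ValueError(f"unsupported type {rtype}")


def canonical_rr(owner: str, ttl: int, rtype: str, rdata) -> bytes:
    """owner | type | class | TTL | RDLENGTH | RDATA, the unit RFC 8976 section 3.3.2 feeds to the hash."""
    rd = encode_rdata(rtype, rdata)
    return wire_name(owner) + struct.pack("!HHIH", TYPE_NUM[rtype], CLASS_IN, ttl, len(rd)) + rd


def zone_digest(apex: str, records) -> bytes:
    """SHA-384 SIMPLE-scheme digest: all RRs except the apex ZONEMD RRset, deduplicated and in canonical order."""
    apex_key = canonical_order_key(apex)
    included = {
        (canonical_order_key(o), TYPE_NUM[t], encode_rdata(t, d), canonical_rr(o, ttl, t, d))
        for o, ttl, t, d in records
        if not (t == "ZONEMD" and canonical_order_key(o) == apex_key)
    }
    # Owner name in canonical order, then ascending numeric type, then RDATA as an unsigned octet string.
    h = hashlib.sha384()
    for *_, rr in sorted(included):
        h.update(rr)
    return h.digest()


def verify_zonemd(apex: str, records) -> bool:
    """Hash-only check (RFC 8976 section 4, minus the DNSSEC steps): an apex ZONEMD with a supported
    scheme/hash must carry the current SOA serial and match the recomputed digest."""
    apex_key = canonical_order_key(apex)
    soa = [r for r in records if r[2] == "SOA" and canonical_order_key(r[0]) == apex_key]
    if len(soa) != 1:
        return False
    serial = soa[0][3][2]
    expected = zone_digest(apex, records)
    for o, _, t, d in records:
        if t != "ZONEMD" or canonical_order_key(o) != apex_key:
            continue
        zserial, scheme, hashalg, digest = d
        if zserial == serial and scheme == ZONEMD_SCHEME_SIMPLE and hashalg == ZONEMD_HASH_SHA384:
            if hmac.compare_digest(digest, expected):
                return True
    return False


def example_zone():
    """A constructed, unsigned zone used only for this demonstration."""
    apex = "example.test."
    records = [
        (apex, 3600, "SOA", ("ns1.example.test.", "hostmaster.example.test.", 2021120301, 7200, 3600, 1209600, 3600)),
        (apex, 3600, "NS", "ns1.example.test."),
        (apex, 3600, "NS", "NS2.Example.Test."),  # mixed case on purpose: canonical form lowercases it
        ("ns1.example.test.", 3600, "A", "192.0.2.1"),
        ("ns2.example.test.", 3600, "AAAA", "2001:db8::53"),
        ("www.example.test.", 300, "A", "192.0.2.80"),
    ]
    return apex, records


def publish_zonemd(apex: str, records):
    """What a publisher does: add an apex ZONEMD RR carrying the SOA serial and the zone digest."""
    serial = next(r for r in records if r[2] == "SOA")[3][2]
    digest = zone_digest(apex, records)
    return records + [(apex, 3600, "ZONEMD", (serial, ZONEMD_SCHEME_SIMPLE, ZONEMD_HASH_SHA384, digest))]


if __name__ == "__main__":
    apex, records = example_zone()
    published = publish_zonemd(apex, records)
    print("ZONEMD digest:", zone_digest(apex, published).hex())
    print("verifies:", verify_zonemd(apex, published))
```

Note that the apex ZONEMD RRset itself is excluded from the hash input, so the digest computed before and after publishing the record is the same; any change to another record (or a serial bump without republishing the ZONEMD) makes `verify_zonemd` return `False`. Without the RRSIG check over the ZONEMD RRset, a passing result only tells you the zone copy is internally consistent with its own ZONEMD, not that it is the zone the publisher signed.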