[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)

A. Schulze sca at andreasschulze.de
Fri Dec 3 19:56:36 UTC 2021

Am 03.12.21 um 17:28 schrieb Wouter Wijngaards via nsd-users:
> Hi Andreas,
> Thanks for the test. :-)
> The ZONEMD was devised to safeguard transmission of zones like the root
> and in-addr zones, and for hyperlocal hosting of those zones, so
> implementation in Unbound makes sense for that. For NSD, it could
> perhaps verify ZONEMD records, the hashes of it, upon loading a zonefile
> or loading from a zone transfer. But that would only work if that zone
> has one. And NSD then could not actually check the RRSIGs on the ZONEMD,
> because although Unbound is a DNSSEC validator, and Unbound can lookup
> recursively records that are needed, NSD is not and wants to be a small,
> tightly focused package.
> So for NSD it is less relevant, since those zones do not really have ZONEMD. And
> it lacks DNSSEC verification capabilities. Because of that, there are no
> plans for ZONEMD in NSD. Even though hash-only checks would not be too
> difficult, the spec mandates DNSSEC checks.

Hello Wouter,

Thanks for that clarification. It helped a lot with my understanding.
I read it mostly as:

1) Not many relevant zones provide ZONEMD data today.
2) Checking requires DNSSEC validation, which is not implemented in NSD.

Point 1 lets me ask: which zones offer ZONEMD today? I just checked my local copies of
 - .
 - arpa
 - in-addr.arpa
 - ip6.arpa
 - root-servers.net.
for ZONEMD records: nothing ...

Point 2 is valid, BUT

especially for DNSSEC validation it is not necessary to implement it inside NSD.
Postfix, the well-known MTA, is a perfect example of another way.
The whole DANE implementation simply requires that DNS queries are answered by a DNSSEC-validating resolver.
And there is an important piece of operational advice: use a LOCAL resolver (UNBOUND is suggested, btw.)

-> http://www.postfix.org/TLS_README.html#client_tls_dane -> CTRL+F -> "Note:"
