[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)

Anand Buddhdev anandb at ripe.net
Sat Dec 4 11:12:53 UTC 2021


On 03/12/2021 20:56, A. Schulze via nsd-users wrote:

Hi Andreas,

> 1) I know not many relevant zones providing ZONEMD data today.
> 2) checking requires DNSSEC-validation which is not implemented in NSD
> 
> Point 1 lets me ask: which zones offer ZONEMD today? Just checked my local copies of
>   - .
>   - arpa
>   - in-addr.arpa
>   - ip6.arpa
>   - root-servers.net.
> for ZONEMD records: nothing ...

ZONEMD is expected to appear in the root zone next year. Here's a 
publication by ICANN about it:

https://www.icann.org/iana_rzerc_docs/449-rzerc003-adding-zone-data-protections-to-the-root-zone-v-final

The idea behind this is that validating resolvers that want a local copy 
of the root zone can get it from any source, and verify it using the 
ZONEMD record.

As Wouter explained, NSD is an authoritative-only server, and usually 
has no need to verify zones. Usually, NSD will be configured as a 
secondary, and XFR zones from primaries using TSIG.

Regards,
Anand Buddhdev
RIPE NCC

