[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
Anand Buddhdev
anandb at ripe.net
Sat Dec 4 11:12:53 UTC 2021
On 03/12/2021 20:56, A. Schulze via nsd-users wrote:
Hi Andreas,
> 1) I know not many relevant zones providing ZONEMD data today.
> 2) checking requires DNSSEC-validation which is not implemented in NSD
>
> Point 1 lets me ask: which zones offer ZONEMD today? Just checked my local copies of
> - .
> - arpa
> - in-addr.arpa
> - ip6.arpa
> - root-servers.net.
> for ZONEMD records: nothing ...
ZONEMD is expected to appear in the root zone next year. Here's a
publication by ICANN about it:

https://www.icann.org/iana_rzerc_docs/449-rzerc003-adding-zone-data-protections-to-the-root-zone-v-final

The idea behind this is that validating resolvers that want a local copy
of the root zone can get it from any source, and verify it using the
ZONEMD record.

As Wouter explained, NSD is an authoritative-only server, and usually
has no need to verify zones. Usually, NSD will be configured as a
secondary, and XFR zones from primaries using TSIG.
Regards,
Anand Buddhdev
RIPE NCC