[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)

Hugo Salgado hsalgado at vulcano.cl
Mon Dec 6 12:51:26 UTC 2021


On 11:09 05/12, A. Schulze via nsd-users wrote:
> Hi Anand!
> 
> On 04.12.21 at 12:12, Anand Buddhdev via nsd-users wrote:
> > ZONEMD is expected to appear in the root zone next year. 
> 
> ok, good to know.
> 
> > As Wouter explained, NSD is an authoritative-only server, and usually has no need to verify zones. Usually, NSD will be configured as a secondary, and XFR zones from primaries using TSIG.
> so it looks like zone transfer over TCP+TLS and TSIG and DNSSEC are enough integrity checks to /assume/
> data served by a secondary aren't corrupted.
> 
> well, that doesn't sound like a strange assumption but I thought, ZONEMD was also developed as a next layer on top.
> 

We at .CL use ZONEMD as an integrity check after transfer in all
nodes. It's an ad-hoc process for now, outside the server, so we're
not concerned that nsd doesn't have plans to implement it.

Hugo
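
An out-of-server, post-transfer check of the kind mentioned above could look like the following added example; it is not the .CL process and not NSD code. It implements RFC 8976 verification for the SIMPLE scheme with SHA-384 on an unsigned zone, assuming the records are already parsed into `(owner, type, ttl, rdata)` tuples with canonical wire-format RDATA; the tuple layout, the function names and the `example.` zone are constructed for illustration.

```python
import hashlib
import struct

SOA, RRSIG, ZONEMD, IN = 6, 46, 63, 1   # RR type codes and class IN
SIMPLE, SHA384 = 1, 1                    # RFC 8976 scheme / hash algorithm

def wire_name(name):
    """Uncompressed, lowercased wire form of an absolute name such as 'example.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def name_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare labels right to left."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split(".")) if l]

def zone_digest(rrs, apex):
    """SHA-384 over the canonically ordered RRs of the zone."""
    keep = {}
    for owner, rtype, ttl, rdata in rrs:
        at_apex = owner.lower() == apex.lower()
        if at_apex and rtype == ZONEMD:
            continue                     # apex ZONEMD is excluded from its own digest
        if at_apex and rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD):
            continue                     # so is the RRSIG that covers it
        keep[(owner.lower(), rtype, rdata)] = ttl    # duplicate RRs count once
    order = lambda kv: (name_key(kv[0][0]), kv[0][1], kv[0][2])
    h = hashlib.sha384()
    for (owner, rtype, rdata), ttl in sorted(keep.items(), key=order):
        h.update(wire_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata)
    return h.digest()

def verify_zonemd(rrs, apex):
    """True if an apex ZONEMD (SIMPLE/SHA-384) matches the SOA serial and the content."""
    apex_rrs = [r for r in rrs if r[0].lower() == apex.lower()]
    soa = [r[3] for r in apex_rrs if r[1] == SOA]
    if len(soa) != 1:
        return False                     # no usable SOA: treat the transfer as bad
    # SOA RDATA ends with five 32-bit fields; the first of them is the serial.
    want = soa[0][-20:-16] + bytes([SIMPLE, SHA384]) + zone_digest(rrs, apex)
    return any(r[1] == ZONEMD and r[3] == want for r in apex_rrs)

def sample_zone():
    """Constructed zone 'example.' with a matching ZONEMD record at the apex."""
    soa = (wire_name("ns1.example.") + wire_name("admin.example.")
           + struct.pack("!5I", 2021120601, 7200, 3600, 1209600, 3600))
    rrs = [("example.", SOA, 3600, soa),
           ("example.", 2, 3600, wire_name("ns1.example.")),      # NS
           ("ns1.example.", 1, 3600, bytes([192, 0, 2, 53]))]     # A
    zonemd = soa[-20:-16] + bytes([SIMPLE, SHA384]) + zone_digest(rrs, "example.")
    return rrs + [("example.", ZONEMD, 3600, zonemd)]
```

For a signed zone the ZONEMD RRset's RRSIG must also be validated with DNSSEC before the digest is trusted; this example does not do that.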


