[nsd-users] ZONEMD-Support (was: NSD 4.3.9rc1 pre-release)
Hugo Salgado
hsalgado at vulcano.cl
Mon Dec 6 12:51:26 UTC 2021
On 11:09 05/12, A. Schulze via nsd-users wrote:
> Hi Anand!
>
> Am 04.12.21 um 12:12 schrieb Anand Buddhdev via nsd-users:
> > ZONEMD is expected to appear in the root zone next year.
>
> ok, good to know.
>
> > As Wouter explained, NSD is an authoritative-only server, and usually has no need to verify zones. Usually, NSD will be configured as a secondary, and XFR zones from primaries using TSIG.
> so it looks like zone transfer over TCP+TLS and TSIG and DNSSEC are enough integrity checks to /assume/
> data served by a secondary aren't corrupted.
>
> well, don't sound like a strange assumption but I thought, ZONEMD was also developed as a next layer ontop.
>
We at .CL use ZONEMD as an integrity check after transfer in all
nodes. It's an ad-hoc process for now, outside the server, so we're
not concerned that nsd doesn't have plans to implement it.
Hugo
More information about the nsd-users
mailing list