Commit c81bf797 authored by Andreas Gustafsson's avatar Andreas Gustafsson
Browse files

incorporated comments from Brian

parent 9c987b20
......@@ -32,8 +32,8 @@ supported. Responses indicating the nonexistence of a name include a
NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
do not include the NXT records to prove the nonexistence of a more
specific wildcard match.
do not include the NXT records to prove the nonexistence of a
non-wildcard match or a more specific wildcard match.
Secure resolution
......@@ -44,7 +44,8 @@ been implemented but should still be considered experimental.
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
in the configuration file.
in the configuration file, containing the top-level zone key of the
the DNSSEC tree.
Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
......@@ -53,10 +54,19 @@ nonexistence of a matching wildcard.
Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
work in all cases.
Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if
CD is set.
$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $
Secure dynamic update
Dynamic update of secure zones has been implemented, but may not be
complete. Affected NXT and SIG records are updated by the server when
an update occurs. Advanced access control is possible using the
"update-policy" statement in the zone definition.
$Id: dnssec,v 1.2 2000/05/23 16:41:25 gson Exp $
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment