added DNSSEC release notes

diff --git a/doc/misc/dnssec b/doc/misc/dnssec
new file mode 100644 (file)
index 0000000..29cabe3
--- /dev/null
+++ b/doc/misc/dnssec
@@ -0,0 +1,62 @@
+
+
+
+DNSSEC Release Notes
+
+
+
+This document summarizes the state of the DNSSEC implementation in
+this release of BIND9.
+
+
+Key generation and signing
+
+The tools for generating DNSSEC keys and signatures are now in the
+bin/dnssec directory.  Documentation for these programs can be found
+in doc/arm/Bv9ARM.4.html.
+
+The random data used in generating DNSSEC keys and signatures
+currently contains a significant pseudo-random component and is
+therefore not cryptographically strong.  We do not recommend that keys
+generated by the key generation tools in this distribution be used in
+production.
+
+
+Serving secure zones
+
+When acting as an authoritative name server, BIND9 includes KEY, SIG
+and NXT records in responses as specified in RFC2535.
+
+Response generation for wildcard records in secure zones is not fully
+supported.  Responses indicating the nonexistence of a name include a
+NXT record proving the nonexistence of the name itself, but do not
+include any NXT records to prove the nonexistence of a matching
+wildcard record.  Positive responses resulting from wildcard expansion
+do not include the NXT records to prove the nonexistence of a more
+specific wildcard match.
+
+
+Secure resolution
+
+Basic support for validation of DNSSEC signatures in responses has
+been implemented but should still be considered experimental.
+
+When acting as a caching name server, BIND9 is capable of performing
+basic DNSSEC validation of positive as well as nonexistence responses.
+This functionality is enabled by including a "trusted-keys" clause
+in the configuration file.
+
+Validation of wildcard responses is not currently supported.  In
+particular, a "name does not exist" response will validate
+successfully even if it does not contain the NXT records to prove the
+nonexistence of a matching wildcard.
+
+Proof of insecure status for insecure zones delegated from secure
+zones has been partially implemented but should not yet be expected to
+work.
+
+Handling of the CD bit in queries is not yet fully implemented;
+validation is currently attempted for all recursive queries, even if
+CD is set.
+
+$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $