NXT record proving the nonexistence of the name itself, but do not
include any NXT records to prove the nonexistence of a matching
wildcard record. Positive responses resulting from wildcard expansion
-do not include the NXT records to prove the nonexistence of a more
-specific wildcard match.
+do not include the NXT records to prove the nonexistence of a
+non-wildcard match or a more specific wildcard match.
Secure resolution
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
-in the configuration file.
+in the configuration file, containing the top-level zone key of the
+the DNSSEC tree.
Validation of wildcard responses is not currently supported. In
particular, a "name does not exist" response will validate
Proof of insecure status for insecure zones delegated from secure
zones has been partially implemented but should not yet be expected to
-work.
+work in all cases.
Handling of the CD bit in queries is not yet fully implemented;
validation is currently attempted for all recursive queries, even if
CD is set.
-$Id: dnssec,v 1.1 2000/05/23 14:34:49 gson Exp $
+
+Secure dynamic update
+
+Dynamic update of secure zones has been implemented, but may not be
+complete. Affected NXT and SIG records are updated by the server when
+an update occurs. Advanced access control is possible using the
+"update-policy" statement in the zone definition.
+
+
+$Id: dnssec,v 1.2 2000/05/23 16:41:25 gson Exp $
projects / thirdparty / bind9.git / commitdiff
