NXT RRs and BIND 8

Jim Reid jim at rfc1035.com
Fri Jan 28 23:45:58 UTC 2000


>>>>> "Curt" == curbhalb  <curbhalb at mindspring.com> writes:

    Curt> I am working with BIND version 8.x, and I have a few
    Curt> questions about NXT RRs.  Does the server only send NXT
    Curt> RRs to the resolver on requests where the name is not found
    Curt> in the zone, AND when the zone is signed?  

Yes, and even then only if the signed zone file has NXT records (which
it's supposed to have). Well, I suppose you could insert NXT records
into an unsigned zone, but what would be the point? If the zone's not
signed, the standard NXDOMAIN error code is good enough because
there's no digital signature to verify any NXT record anyway.

    Curt> I have been attempting to get BIND to send me NXT records,
    Curt> but as of yet it only sends me the SOA of the zone where the
    Curt> node was (not) found.

That's correct. NXT records are not created on the fly by the name
server. So unless you put them in some zone file, the name server
won't know anything about these resource records. You should only get
an NXT record if the zone was signed and the signed zone file
contained NXT records. In those cases each NXT record would be signed
by a SIG record. That SIG record could then be used to verify the name
server's "the name you asked for does not exist" response. That's why
NXT records are needed.

    Curt> I have not signed the zone yet, because
    Curt> I don't know the correct format of the SIG class (or is it
    Curt> type?) to place in the zone master file.

This should set some alarm bells ringing. The format of the SIG record
type is very complicated. It's defined in RFC2065. SIG records are
derived from public keys and the data for some set of equivalent
resource records in the zone. They include a digital signature. SIG
records are not the sort of things that can be created or altered by
hand unless your mental arithmetic skills extend to exponentiation and
modulo division with many-hundred-bit RSA or DSA keys. The dnssigner
tool in the contrib tarball is probably an easier way to sign your
zone. It'll generate SIG and NXT records for you. Oh, and dnskeygen
creates the public/private keys (and KEY records) that are needed to
get dnssigner to sign the zone.

BTW, if you are going to play with secure DNS, always make sure you
use the latest version of BIND. Earlier versions of 8.2 have bugs in
the DNSSEC code.
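
As an added illustration (not part of Jim's reply, and not code from BIND or its contrib tools), the Python sketch below builds the NXT chain that a signer such as dnssigner would have to write into the signed zone file for a small constructed zone, and then picks the NXT record a server would hand back to prove that a queried name does not exist. The zone contents are made up, name ordering follows the DNSSEC canonical-order rule (labels compared from the root downward, case-insensitively, shorter name first), and SIG generation is deliberately left out: the NXT is what gets signed, and the post is right that the signing itself belongs to a tool.

```python
# Added example (not from the original post): build the NXT chain for a
# constructed zone and show which NXT record denies a missing name.
# No SIG records are produced; signing is left to a real tool.
from typing import Dict, List, Optional, Set, Tuple

NxtRecord = Tuple[str, str, Set[str]]  # (owner, next owner, types at owner)


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """DNSSEC canonical name order as a sort key: labels compared from
    the root downward, lowercased, and a name sorts before any name that
    extends it ('b.example.com.' precedes 'sub.b.example.com.')."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nxt_chain(zone: Dict[str, Set[str]], apex: str) -> List[NxtRecord]:
    """One NXT per owner name, each pointing at the next owner in
    canonical order; the last one wraps around to the zone apex.
    NXT and SIG are added to every type list, since in a signed zone
    each name carries its own NXT and the SIG that covers it."""
    owners = sorted(zone, key=canonical_key)
    if not owners or canonical_key(owners[0]) != canonical_key(apex):
        raise ValueError("apex must be the first name in canonical order")
    chain: List[NxtRecord] = []
    for i, owner in enumerate(owners):
        next_owner = owners[(i + 1) % len(owners)]  # wraps to apex at the end
        chain.append((owner, next_owner, set(zone[owner]) | {"NXT", "SIG"}))
    return chain


def format_nxt(record: NxtRecord) -> str:
    """Master-file style presentation: '<owner> NXT <next> <type list>'.
    Types are listed alphabetically here for readability; a real signer
    orders the bit map by type number."""
    owner, next_owner, types = record
    return f"{owner} NXT {next_owner} {' '.join(sorted(types))}"


def covering_nxt(chain: List[NxtRecord], qname: str) -> Optional[NxtRecord]:
    """The NXT that proves QNAME is absent: owner sorts before QNAME and
    next owner sorts after it, or the wrap-around record when QNAME sorts
    after every owner.  None when QNAME exists (nothing to deny).
    Wildcards and empty non-terminals are ignored in this toy."""
    q = canonical_key(qname)
    apex_key = canonical_key(chain[0][0])
    for owner, next_owner, types in chain:
        o, n = canonical_key(owner), canonical_key(next_owner)
        if o == q:
            return None  # name exists; the answer is its RRsets, not an NXT
        if n == apex_key:  # last record: covers everything past its owner
            if o < q:
                return (owner, next_owner, types)
        elif o < q < n:
            return (owner, next_owner, types)
    return None


# Constructed sample zone: owner name -> RR types present at that name.
SAMPLE_ZONE: Dict[str, Set[str]] = {
    "example.com.": {"SOA", "NS", "KEY"},
    "a.example.com.": {"A"},
    "b.example.com.": {"A", "MX"},
    "sub.b.example.com.": {"A"},
    "c.example.com.": {"CNAME"},
}
SAMPLE_APEX = "example.com."


def demo() -> Dict[str, Optional[str]]:
    """Denial proofs (or None for existing names) for a few query names."""
    chain = build_nxt_chain(SAMPLE_ZONE, SAMPLE_APEX)
    results: Dict[str, Optional[str]] = {}
    for qname in ("bb.example.com.", "zzz.example.com.", "a.example.com."):
        rec = covering_nxt(chain, qname)
        results[qname] = format_nxt(rec) if rec else None
    return results


if __name__ == "__main__":
    for line in map(format_nxt, build_nxt_chain(SAMPLE_ZONE, SAMPLE_APEX)):
        print(line)
    for q, proof in demo().items():
        print(f"{q}: {proof or 'exists, no NXT needed'}")
```

Running it prints the five-record chain and then, for `bb.example.com.`, the record `sub.b.example.com. NXT c.example.com. ...`, whose owner/next pair brackets the missing name in canonical order; `zzz.example.com.` falls off the end and is covered by the wrap-around record `c.example.com. NXT example.com. ...`. Those records (plus their SIGs) are exactly what has to be present in the signed zone file for the server to return them, which is why an unsigned zone only ever yields the plain NXDOMAIN with the SOA.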
