DNSSEC and Bind 9.3.6

Chris Thompson cet1 at cam.ac.uk
Wed Nov 3 15:04:18 UTC 2010

On Nov 3 2010, Stephane Bortzmeyer wrote:

>On Wed, Nov 03, 2010 at 11:24:03AM -0200,
> alexander at nautae.eti.br <alexander at nautae.eti.br> wrote 
> a message of 31 lines which said:
>> So, is that possible in any way to use DNSSEC with Bind 9.3.6?
>Yes. DNSSEC appeared in BIND 9.0.

After a fashion. You really don't want to use the early versions with
DNSSEC, though. (Well you don't want to use them at all, actually, as
they are out of support.)

BIND 9.3 can be used on an official slave for signed zones with NSEC
(not NSEC3) provided you set "dnssec-enable yes;" - it wasn't the
default back then. But I wouldn't try and use it as a validating
recursive resolver under any circumstances.

>> Is there any documentation to follow?
>The ARM.
>> What are the general important DNSSEC differences in these versions (9.3
>> and 9.7)?
>NSEC3 (used for the root, for .ORG, .FR, .COM.BR and several others,
>appeared in, I believe, 9.6)

9.6 is right, but NSEC3 is not used in the root zone. On the other
hand, 25 of the 47 TLDs that are currently registered in either
the root zone or in dlv.isc.org or both use NSEC3 - it cannot
be considered optional in a serious validating resolver now.

>SHA-2 (used for the root, for .FR and for several others, appeared in

9.6.2 also supports RSASHA256 and RSASHA512. Only 13 of the 47 TLDs
mentioned use one of these, but as RSASHA256 is used in the root zone,
support for it really cannot be considered optional either.

>Auto-resign (appeared in 9.7)

Automated resigning within named appeared in BIND 9.6. 9.7 has more
facilities for automated key management, though.

>Many bug fixes (older versions are really problematic, sometimes)

As has been pointed out, OS distributors often supply BIND with an
old version number to which security and sometimes other fixes from
later releases have been applied. But I very much doubt that you will
find anyone distributing a "9.3" version that has anything like
modern support for DNSSEC.

Chris Thompson
Email: cet1 at cam.ac.uk
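The practical question behind this thread is whether a given signed zone uses only NSEC with RSASHA1 (which the post says a BIND 9.3 slave can serve with "dnssec-enable yes;") or also NSEC3 and SHA-2 algorithms (which the post dates to 9.6 and 9.6.2 respectively). The following added script, which is not part of the mailing-list post or of BIND, reads a small presentation-format zone, collects the DNSKEY algorithm numbers and the NSEC/NSEC3 records, and reports which of those features the zone relies on. The zone data is constructed (the key material is a dummy), the algorithm numbers are the IANA registry values, and the version thresholds are taken from the post above rather than from BIND release notes.

```python
"""Report which DNSSEC features a signed zone relies on, mapped to the BIND
release thresholds stated in the bind-users thread (added example; the zone
data is constructed and the thresholds are quoted from the post, not from
BIND release notes)."""

# DNSKEY algorithm numbers (IANA DNS Security Algorithm Numbers registry).
ALGO_NAMES = {
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
}
NSEC3_ONLY_ALGOS = {6, 7}  # algorithms only ever used in NSEC3-signed zones
SHA2_ALGOS = {8, 10}       # RSASHA256 / RSASHA512

# Release thresholds as stated in the thread (assumption: the post is right).
FEATURE_MIN_BIND = {
    "nsec3": "9.6",
    "sha2": "9.6.2",
}


def parse_zone(zone_text):
    """Parse lines of the form 'owner TTL IN TYPE rdata...' into tuples.
    Comments (';') and blank lines are skipped; one record per line is
    assumed (no parentheses or $-directives)."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            raise ValueError("unsupported record syntax: %r" % line)
        owner, ttl, _cls, rtype, *rdata = fields
        records.append((owner, int(ttl), rtype.upper(), rdata))
    return records


def dnskey_algorithms(records):
    """Set of algorithm numbers used by DNSKEY records.
    DNSKEY rdata is: flags protocol algorithm public-key."""
    return {int(rdata[2]) for _, _, rtype, rdata in records if rtype == "DNSKEY"}


def assess_zone(zone_text):
    """Summarise the zone's DNSSEC feature use against the thread's thresholds."""
    records = parse_zone(zone_text)
    algos = dnskey_algorithms(records)
    types = {rtype for _, _, rtype, _ in records}
    uses_nsec3 = bool(types & {"NSEC3", "NSEC3PARAM"}) or bool(algos & NSEC3_ONLY_ALGOS)
    uses_sha2 = bool(algos & SHA2_ALGOS)
    needs = [f for f, used in (("nsec3", uses_nsec3), ("sha2", uses_sha2)) if used]
    # Highest threshold wins; compare as int tuples so that 9.6.2 > 9.6.
    min_bind = max((FEATURE_MIN_BIND[f] for f in needs),
                   key=lambda v: tuple(int(x) for x in v.split(".")),
                   default=None)
    return {
        "algorithms": sorted(ALGO_NAMES.get(a, "unknown(%d)" % a) for a in algos),
        "nsec3": uses_nsec3,
        "sha2": uses_sha2,
        # None means nothing beyond plain NSEC / RSASHA1 is required.
        "min_bind_for_features": min_bind,
        # Per the post: a 9.3 slave copes with NSEC (not NSEC3) zones.
        "bind_9_3_slave_ok": not uses_nsec3,
    }


# Constructed sample: NSEC-signed zone with RSASHA1 keys (dummy key data).
NSEC_ZONE = """\
example.test.  3600 IN SOA    ns1.example.test. hostmaster.example.test. 2010110301 7200 3600 1209600 3600
example.test.  3600 IN DNSKEY 257 3 5 AwEAAdummyKSK==
example.test.  3600 IN DNSKEY 256 3 5 AwEAAdummyZSK==
example.test.  3600 IN NSEC   ns1.example.test. SOA NS RRSIG NSEC DNSKEY
"""

# Constructed sample: NSEC3 zone signed with RSASHA256 (the post says .ORG
# uses NSEC3 and the root uses RSASHA256; this sample combines both).
NSEC3_SHA2_ZONE = """\
example.test.  3600 IN SOA    ns1.example.test. hostmaster.example.test. 2010110301 7200 3600 1209600 3600
example.test.  3600 IN DNSKEY 257 3 8 AwEAAdummyKSK==
example.test.  3600 IN DNSKEY 256 3 8 AwEAAdummyZSK==
example.test.  3600 IN NSEC3PARAM 1 0 10 AABBCCDD
"""

if __name__ == "__main__":
    for name, zone in (("nsec", NSEC_ZONE), ("nsec3+sha2", NSEC3_SHA2_ZONE)):
        print(name, assess_zone(zone))
```

Run against a real zone transfer saved in presentation format, the report tells you at a glance whether an old slave can carry the zone at all and which of the two features (NSEC3, SHA-2) a validating resolver would have to support; the NSEC3PARAM check matters because an NSEC3 zone signed with algorithm 8 shows no NSEC3-specific algorithm number.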
