Hi Andreas,

Thanks for the test. :-)

The ZONEMD was devised to safeguard transmission of zones like the root and in-addr zones, and for hyperlocal hosting of those zones, so implementation in Unbound makes sense for that.

For NSD, it could perhaps verify ZONEMD records, the hashes of it, upon loading a zonefile or loading from a zone transfer. But that would only work if that zone has one. And NSD then could not actually check the RRSIGs on the ZONEMD, because although Unbound is a DNSSEC validator, and Unbound can look up recursively records that are needed, NSD is not and wants to be a small, tightly focused package.

So for NSD it is less relevant, not really those zones have ZONEMD. And it lacks DNSSEC verification capabilities. Because of that, there are no plans for ZONEMD in NSD. Even though hash-only checks would not be too difficult, the spec mandates DNSSEC checks.

Best regards, Wouter

On 03/12/2021 16:55, A. Schulze via nsd-users wrote:
>
> On 02.12.21 at 16:57, Wouter Wijngaards via nsd-users wrote:
>> NSD 4.3.9rc1 pre-release is available
>
> Hello Wouter,
>
> the new version compiles without trouble (using openssl3)
>
> Not directly related to this rc1:
>
> UNBOUND has the ability to check ZONEMD records
> I'm missing a similar feature in NSD. Are there any plans?
>
> Andreas
> _______________________________________________
> nsd-users mailing list
> nsd-users@lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
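
The hash-only check mentioned in the reply above, as an added example (not NSD or Unbound code, and not written by either poster): it computes the RFC 8976 SIMPLE/SHA-384 digest over a zone and compares it with the apex ZONEMD, with no DNSSEC validation of the record. It assumes RDATA is supplied already in canonical wire form; the function names and the `example.` zone are constructed for illustration.

```python
import hashlib
import struct

SOA, RRSIG, ZONEMD = 6, 46, 63  # RR type codes

def labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Uncompressed, lowercased wire form (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\0"

def name_key(name):
    """Canonical order compares labels right to left (RFC 4034 section 6.1)."""
    return tuple(reversed(labels(name)))

def simple_sha384(apex, rrs):
    """RFC 8976 SIMPLE digest; rrs holds (owner, type, class, ttl, rdata) tuples."""
    # Keying on (owner, type, class, rdata) drops duplicates and gives the sort order.
    uniq = {(name_key(o), t, c, d): (o, ttl) for o, t, c, ttl, d in rrs}
    h = hashlib.sha384()
    for (key, rtype, rclass, rdata), (owner, ttl) in sorted(uniq.items()):
        covers_zonemd = rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD)
        if key == name_key(apex) and (rtype == ZONEMD or covers_zonemd):
            continue  # apex ZONEMD RRset and its RRSIG are not digested
        h.update(wire_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)
    return h.digest()

def verify_zonemd(apex, rrs):
    """Hash-only check of an apex ZONEMD (scheme SIMPLE=1, hash SHA-384=1)."""
    at_apex = [r for r in rrs if name_key(r[0]) == name_key(apex)]
    soa = [r[4] for r in at_apex if r[1] == SOA]
    zonemd = [r[4] for r in at_apex if r[1] == ZONEMD and r[4][4:6] == b"\x01\x01"]
    if len(soa) != 1 or len(zonemd) != 1:
        return False  # nothing usable, or an ambiguous set
    if zonemd[0][:4] != soa[0][-20:-16]:
        return False  # ZONEMD serial must equal the SOA serial
    return zonemd[0][6:] == simple_sha384(apex, rrs)

def sample_zone():
    """Constructed zone; its ZONEMD is computed here, not copied from a real zone."""
    soa = (wire_name("ns.example.") + wire_name("admin.example.")
           + struct.pack("!5I", 2021120301, 7200, 3600, 1209600, 3600))
    rrs = [("example.", SOA, 1, 3600, soa),
           ("example.", 2, 1, 3600, wire_name("ns.example.")),      # NS
           ("NS.Example.", 1, 1, 3600, bytes([192, 0, 2, 53]))]     # A
    zonemd = struct.pack("!IBB", 2021120301, 1, 1) + simple_sha384("example.", rrs)
    return rrs + [("example.", ZONEMD, 1, 3600, zonemd)]
```

A match here only shows that the zone content agrees with the ZONEMD record it arrived with; without checking the RRSIG on that record, anyone able to alter the zone in transit can also replace the digest.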