On 03/12/2021 20:56, A. Schulze via nsd-users wrote:
Hi Andreas,
1) I know not many relevant zones providing ZONEMD data today.
2) checking require DNSSEC-validation which is not implemented in NSD
Point 1 let met me ask: which zones offer ZONEMD today? Just checked my local
copies of
- .
- arpa
- in-addr.arpa
- ip6.arpa
- root-servers.net.
for ZONEMD records: nothing ...
ZONEMD is expected to appear in the root zone next year. Here's a
publication by ICANN about it:
https://www.icann.org/iana_rzerc_docs/449-rzerc003-adding-zone-data-protections-to-the-root-zone-v-final
The idea behind this is that validating resolvers that want a local copy
of the root zone can get it from any source, and verify it using the
ZONEMD record.
As Wouter explained, NSD is an authoritative-only server, and usually
has no need to verify zones. Usually, NSD will be configured as a
secondary, and XFR zones from primaries using TSIG.
Regards,
Anand Buddhdev
RIPE NCC
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
