[Userland-team] [OpenIndiana Distribution - Feature #1233] Bind 9.8 with RFC 5011 DNSSEC root key already defined

illumos project devnull at illumos.org
Sat Mar 17 08:21:20 UTC 2012


Issue #1233 has been updated by r a.


Hi,

Bind 9.9 was released on the 29th of February and includes the improvements detailed below, among them RFC 5011 automatic updating of the root Key Signing Key. Can this be the next default release?

*Inline Signing*

   This feature greatly simplifies the deployment of DNSSEC by allowing completely automatic, fully transparent signing of zones. Using the new 'inline-signing' option in a master server allows named to switch on DNSSEC in a zone without modifying the original zone file in any way.  Using it in a slave server allows a zone to be signed even if it's served from a master database that doesn't support DNSSEC.

   Some example configurations may be found at
   https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

*NXDOMAIN Redirection*

   This is a mechanism for resolver operators to redirect users when a query would have otherwise resulted in "no such domain".  This allows an ISP, for example, to provide alternate suggestions for misspelled domain names.  (Whenever DNSSEC validation is requested by the client and requested name is in a DNSSEC-signed domain, NXDOMAIN redirection will not take place.)

*Multiprocessing Performance Improvements*

   When built with thread support and when running on multicore UNIX or Linux systems, named can now use multiple threads to listen for incoming UDP traffic.  On some architectures, this allows a significant improvement in query performance.

   Further information at:
   https://kb.isc.org/article/AA-00629/109/Performance%3A-Multi-threaded-I-O.html

   This release includes a substantially reworked recursive client management system, improving hardware scalability. Prior releases showed some degradation in performance when running with more than eight processor cores.

*Startup and Reconfiguration Performance Improvements*

   BIND 9.9 includes a fix that greatly improves startup performance on authoritative systems using large numbers of zones.  The zone task table is sized based on the number of configured zones; previously it used a hard-coded size.  Customers have reported speedups ranging from 3x to 20x as a result of this fix.

   Slave zones are now cached in raw (binary) format instead of text format by default; this cuts load time for slave zones by roughly 50%.

   'rndc reconfig' has been modified to minimize the time during which name service is interrupted.

*Improved RNDC Commands*

   The new 'rndc flushtree' command clears the DNS cache of all names beneath a specified name.

   'rndc freeze' and 'rndc thaw' no longer remove a zone's journal file; this allows 'ixfr-from-differences' to be used with dynamic zones. To sync and remove a journal file, use 'rndc sync -clean'.

*General DNSSEC Improvements*

   The new 'rndc signing' command provides greater visibility and control of the automatic DNSSEC signing process.  When a zone is being signed by named, records are inserted into the zone indicating which keys are currently in the process of signing and which have finished (this enables named to resume the process correctly if there is a crash before the zone is fully signed).  With 'rndc signing' it is possible to view this status information and to remove the records indicating that signing is complete.

   'rndc signing' also allows configuration of the NSEC3 parameters of a zone.  This can be done even before a zone is signed, enabling named to sign zones with NSEC3 without the need to use NSEC first.

*General Improvements*

   The 'also-notify' option now uses the same syntax as the 'masters' option.  This allows, for example, TSIG keys to be specified for use with notifies.

   The new 'serial-update-method' option allows you to choose, in dynamic zones, whether changes should cause the SOA serial number to be incremented by one, or set to the current time.
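
A worked configuration for the inline-signing feature described in the notes above, added here as an example; it is not taken from the issue comment or from ISC's release notes. The zone name (example.com), the directory paths, the key directory, the key parameters and the secondary's address are assumptions for illustration:

```conf
// Added example (not the project's configuration): an authoritative BIND 9.9
// master zone signed transparently with inline signing. Paths, the zone name,
// key parameters and the secondary address are assumptions.
options {
    directory "/var/named";      // assumed working directory
    recursion no;                // authoritative only; validation belongs on a separate resolver
};

// Keys are generated once, before named loads the zone, e.g. (assumed names):
//   cd /var/named/keys
//   dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
//   dnssec-keygen -a RSASHA256 -b 2048 example.com
zone "example.com" {
    type master;
    file "example.com.zone";     // unsigned source zone; named never rewrites it
    key-directory "keys";        // relative to 'directory'; holds the K*.key / K*.private pairs
    inline-signing yes;          // signed copy lives in example.com.zone.signed (+ .jnl)
    auto-dnssec maintain;        // sign with the keys in key-directory, re-sign before RRSIGs expire
    allow-transfer { 192.0.2.10; };   // assumed secondary, RFC 5737 documentation address
};
```

After `rndc reload`, `rndc signing -list example.com` shows which keys have finished signing, and `rndc signing -nsec3param 1 0 10 <salt> example.com` switches the zone to NSEC3 (per the notes above, this works even before the first signing pass). Changes go into the unsigned file followed by `rndc reload example.com`; named re-signs only what changed. Publishing the DS record for the KSK at the parent remains a manual step, and until that is done validating resolvers treat the zone as unsigned rather than as signed.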


----------------------------------------
Feature #1233: Bind 9.8 with RFC 5011 DNSSEC root key already defined
https://www.illumos.org/issues/1233

Author: r a
Status: New
Priority: Low
Assignee: OI Userland
Category: SFW (Solaris Freeware)
Target version: oi_151_stable
Difficulty: Bite-size
Tags: bind


Can OpenIndiana be shipped with Bind v9.8 as the default version, and also have Bind configured by default with DNSSEC enabled, DNSSEC validation turned on, and a valid root key along with the root hints file? With RFC 5011, Bind will automatically update the DNSSEC root key provided it has one valid key defined.
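
The configuration the issue asks for, written out as an added example of a validating resolver for BIND 9.8 or 9.9 with the root trust anchor managed under RFC 5011; this is example configuration, not the OpenIndiana package's own defaults. The working directory, the client network and the hints file name are assumptions, and the root key material itself is deliberately not reproduced:

```conf
// Added example (not the project's configuration): a minimal validating
// recursive resolver. Paths and the client network (RFC 5737 documentation
// range) are assumptions.
options {
    directory "/var/named";            // named must be able to write managed-keys.bind here
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    dnssec-enable yes;
    // 'auto' enables validation using the root KSK compiled into named
    // (the copy shipped in bind.keys) as an RFC 5011 managed key; named then
    // follows root key rollovers on its own and records the anchor state in
    // managed-keys.bind, so no key needs to be pasted into this file.
    dnssec-validation auto;
};

// Root hints; refresh from https://www.internic.net/domain/named.root
zone "." {
    type hint;
    file "named.ca";                   // assumed file name
};

// Equivalent explicit form: hand named one valid anchor as the starting
// point. Copy the current root KSK DNSKEY from
// https://data.iana.org/root-anchors/ (or from bind.keys) and verify it out
// of band before trusting it; the key is not reproduced here on purpose.
// managed-keys {
//     "." initial-key 257 3 8 "<base64 root KSK public key>";
// };
```

To check that validation is actually happening, `dig @127.0.0.1 +dnssec org SOA` should come back with the AD flag set, while `dig @127.0.0.1 dnssec-failed.org A` (a deliberately mis-signed test zone) should return SERVFAIL; `rndc secroots` dumps the trust anchors named currently holds. The RFC 5011 caveat for a distribution default: named only tracks a root key rollover while it is running, and a server that has been powered off across a rollover (or installed from an image whose initial key has since been revoked) cannot bootstrap from the stale key, so the shipped anchor still has to be kept current in the package.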
