DNSSEC Overview



The BIND 9.7.0 release has been called "DNSSEC for Humans" because it offers significant leaps in functionality and automation and is simpler to use.

Until now, implementing DNSSEC with ISC BIND has been manually intensive and complicated at best. With the general availability of BIND 9.7.0 on 02-16-2010, the task is not nearly as daunting. In this article we review, at a high level, some of the changes, features, and enhancements that BIND 9.7.0 incorporates in support of DNSSEC. This several-part series will cover:

  • New DNSSEC key metadata and lifecycle maintenance
  • Automatic zone signing by "named"
  • Simplified configuration of DNSSEC Lookaside Validation (DLV)
  • Configuring Dynamic DNS using ddns-confgen or the "local" update-policy option
  • The new dnssec-settime CLI tool and changes to dnssec-keygen and dnssec-signzone
  • Smart signing: overview of the tools for zone signing and key maintenance
  • Improved PKCS#11 support for using Hardware Security Modules (HSMs) for storage and signing operations

BIND 9.7.0 can be freely downloaded from https://www.isc.org

