freebsd-skq/contrib/bind/doc/secure
Peter Wemm 4e0ffe0bae Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on
final release.

Obtained from:  ftp.isc.org
1998-05-03 04:11:49 +00:00
..
copyright.txt Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on 1998-05-03 04:11:49 +00:00
install.txt Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on 1998-05-03 04:11:49 +00:00
readme.txt Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on 1998-05-03 04:11:49 +00:00
usage.txt Import (trimmed) ISC bind-8.1.2-t3b. This will be updated to 8.1.2 on 1998-05-03 04:11:49 +00:00

			Secure DNS (TIS/DNSSEC)
			    September 1996

Copyright (C) 1995,1996 Trusted Information Systems, Incorporated

Trusted Information Systems, Inc. has received approval from the
United States Government for export and reexport of TIS/DNSSEC
software from the United States of America under the provisions of
the Export Administration Regulations (EAR) General Software Note
(GSN) license exception for mass market software.  Under the
provisions of this license, this software may be exported or
reexported to all destinations except for the embargoed countries of
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.  Any export
or reexport of TIS/DNSSEC software to the embargoed countries
requires additional, specific licensing approval from the United
States Government.

Trusted Information Systems, Inc., is pleased to
provide a reference implementation of the secure Domain Name System
(TIS/DNSSEC).  In order to foster acceptance of secure DNS and provide
the community with a usable, working version of this technology,
TIS/DNSSEC is being made available for broad use on the following basis.

- Trusted Information Systems makes no representation about the
  suitability of this software for any purpose.  It is provided "as is"
  without express or implied warranty.

- TIS/DNSSEC is distributed in source code form, with all modules written
  in the C programming language.  It runs on many UNIX derived platforms
  and is integrated with the Bind implementation of the DNS protocol.

- This beta version of TIS/DNSSEC may be used, copied, and modified for
  testing and evaluation purposes without fee during the beta test
  period, provided that this notice appears in supporting documentation
  and is retained in all software modules in which it appears.  Any other
  use requires specific, written prior permission from Trusted Information
  Systems.

TIS maintains the email distribution list dns-security@tis.com for
discussion of secure DNS.  To join, send email to
	dns-security-request@tis.com.

TIS/DNSSEC technical questions and bug reports should be addressed to
	dns-security@tis.com. 

To reach the maintainers of TIS/DNSSEC send mail to
	tisdnssec-support@tis.com

TIS/DNSSEC is a product of Trusted Information Systems, Inc.

This is an beta version of Bind with secure DNS extensions it uses 
RSAREF which you must obtain separately.

Implemented and tested in this version:
	Portable key storage format. 
	Improved authentication API 
	Support for using different authentication packages.
	All Security RRs including KEY SIG, NXT, and support for wild cards
	tool for generating KEYs 
	tool for signing RRs in boot files
	verification of RRs on load 
	verification of RRs over the wire
	transmission of SIG RRs
	returns NXT when name and/or type does not exist
	storage of NXT, KEY, and SIG RRs with CNAME RR
	AD/ID bits added to header and setting of these bits
	key storage and retrieval
	dig and nslookup can display new header bits and RRs
	AXFR signature RR
	keyfile directive 
	$SIGNER directive (to turn on and off signing)
	adding KEY to answers with NS or SOA
	SOA sequence numbers are now set each time zone is signed
	SIG AXFR ignores label count of names
	generation and inclusion of .PARENT files
	Returns only one NXT at delegation points unless two are required
	Expired SIG records are now returned in response to query
	
Implemented but not fully tested:

Known bugs:
	
Not implemented:
	ROUND_ROBIN behaviour 
	zone transfer in SIG(AXFR) sort order. 
	transaction SIGs
	verification in resolver. (stub resolvers must trust local servers
		resolver library is to low level to implement security)
	knowing when to trust the AD bit in responses

Read files INSTALL_SEC and USAGE_SEC for installation and user
instructions, respectively.