On 22-12-2020 at 01:07, Benno Overeinder wrote:
> Hi Paul,
> 
> On 18/12/2020 22:57, Paul Hoffman wrote:
>> Greetings. Now that ZONEMD is waiting in the RFC Editor's queue, I was
>> wondering how the developers are coming with implementation. The
>> protocol is ripe for two-party testing.
> 
> <NLnet Labs hat on>
> 
> We have implemented ZONEMD (verification and DNSSEC validation) in
> Unbound, ready to be merged into the main branch and released early next
> year.


Recently, the ldns library has also been extended with zone-digest
functionality. ZONEMD RRs can now be calculated and added with
ldns-signzone, and verified with ldns-verify-zone.
This is available on the develop branch at

        https://github.com/NLnetLabs/ldns

This will also be released early next year.


Usage: ldns-signzone [OPTIONS] zonefile key [key [key]]
  signs the zone with the given key(s)
  -z <[scheme:]hash>    Add ZONEMD resource record
                <scheme> should be "simple" (or 1)
                <hash> should be "sha384" or "sha512" (or 1 or 2)
                this option can be given more than once
  -Z            Allow ZONEMDs to be added without signing



Usage: ldns-verify-zone [OPTIONS] <zonefile>
        Reads the zonefile and checks for DNSSEC errors.

It checks whether NSEC(3)s are present, and verifies all signatures
It also checks the NSEC(3) chain, but it will error on opted-out delegations
It also checks whether ZONEMDs are present, and if so, needs one of them
to match the zone's data.

OPTIONS:
        -Z      Requires a valid ZONEMD RR to be present.
                When given once, this option will permit verifying
                just the ZONEMD RR of an unsigned zone. When given
                more than once, the zone needs to be validly DNSSEC
                signed as well.


Cheers,

-- Willem

> 
> 
> Cheers,
> 
> -- Benno
> 

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop