On 22-12-2020 at 01:07, Benno Overeinder wrote:
> Hi Paul,
>
> On 18/12/2020 22:57, Paul Hoffman wrote:
>> Greetings. Now that ZONEMD is waiting in the RFC Editor's queue, I was
>> wondering how the developers are coming with implementation. The
>> protocol is ripe for two-party testing.
>
> <NLnet Labs hat on>
>
> We have implemented ZONEMD (verification and DNSSEC validation) in
> Unbound, ready to be merged into the main branch and released early next
> year.

Recently, the ldns library has also been extended with zone-digest functionality. ZONEMD RRs can now be calculated and added with ldns-signzone, and verified with ldns-verify-zone. This is available on the develop branch on https://github.com/NLnetLabs/ldns; this will also be released early next year.

Usage: ldns-signzone [OPTIONS] zonefile key [key [key]]
  signs the zone with the given key(s)
  -z <[scheme:]hash>  Add ZONEMD resource record
                      <scheme> should be "simple" (or 1)
                      <hash> should be "sha384" or "sha512" (or 1 or 2)
                      this option can be given more than once
  -Z                  Allow ZONEMDs to be added without signing

Usage: ldns-verify-zone [OPTIONS] <zonefile>
  Reads the zonefile and checks for DNSSEC errors.
  It checks whether NSEC(3)s are present, and verifies all signatures
  It also checks the NSEC(3) chain, but it will error on opted-out delegations
  It also checks whether ZONEMDs are present, and if so, needs one of them
  to match the zone's data.
  OPTIONS:
  -Z  Requires a valid ZONEMD RR to be present.
      When given once, this option will permit verifying just the ZONEMD RR
      of an unsigned zone.
      When given more than once, the zone needs to be validly DNSSEC signed
      as well.

Cheers,

-- Willem

>
> Cheers,
>
> -- Benno
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
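To make concrete what "calculating" and "verifying" a ZONEMD RR means (the two operations the usage text above attributes to ldns-signzone -z and ldns-verify-zone -Z), here is an added, self-contained illustration of the RFC 8976 SIMPLE scheme with SHA-384/SHA-512. It is not ldns code and does not share its representation: it assumes absolute owner names, supports only the SOA, NS, A, AAAA and ZONEMD types, and does not parse RRSIGs (a real implementation also excludes the apex RRSIG covering ZONEMD from the digest input). The sample zone is constructed, laid out like the RFC 8976 Appendix A.1 example but with a zero placeholder digest; a practitioner can feed the RFC's own appendix vectors through it to cross-check against a production tool.

```python
"""Minimal ZONEMD (RFC 8976) SIMPLE-scheme digest computation and verification.

Added illustration, not ldns code. Supports only a handful of RR types and
absolute owner names; RRSIG records are not parsed.
"""
import hashlib
import hmac
import ipaddress
import struct

RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE = 1
HASH_ALG = {1: hashlib.sha384, 2: hashlib.sha512}  # ZONEMD hash algorithm numbers


def name_to_wire(name):
    """Uncompressed, lowercased wire form (RFC 4034 section 6.2 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def name_sort_key(name):
    """RFC 4034 section 6.1 canonical name order: compare labels starting at the root."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def rdata_to_wire(rtype, fields):
    """Canonical RDATA wire form for the record types this illustration supports."""
    if rtype == "A":
        return ipaddress.IPv4Address(fields[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(fields[0]).packed
    if rtype == "NS":
        return name_to_wire(fields[0])  # names in NS/SOA RDATA are lowercased in canonical form
    if rtype == "SOA":
        return (name_to_wire(fields[0]) + name_to_wire(fields[1])
                + struct.pack("!IIIII", *(int(x) for x in fields[2:7])))
    if rtype == "ZONEMD":
        serial, scheme, alg, digest_hex = fields
        return struct.pack("!IBB", int(serial), int(scheme), int(alg)) + bytes.fromhex(digest_hex)
    raise ValueError("unsupported RR type %s" % rtype)


def zone_digest(zone, origin, alg):
    """SIMPLE-scheme digest over the zone's RRs in canonical order (RFC 8976 section 3.3.1)."""
    apex = name_to_wire(origin)
    seen = set()  # a set so an RR occurring twice contributes only once
    for owner, ttl, rtype, fields in zone:
        owner_wire = name_to_wire(owner)
        if rtype == "ZONEMD" and owner_wire == apex:
            continue  # apex ZONEMD RRs are never part of their own digest
        rdata = rdata_to_wire(rtype, fields)
        seen.add((name_sort_key(owner), RRTYPE[rtype], rdata, owner_wire, int(ttl)))
    h = HASH_ALG[alg]()
    # Order: owner name canonically, then numeric type, then RDATA as raw octets.
    for _key, rtype_num, rdata, owner_wire, ttl in sorted(seen):
        h.update(owner_wire + struct.pack("!HHIH", rtype_num, CLASS_IN, ttl, len(rdata)) + rdata)
    return h.digest()


def verify_zonemd(zone, origin):
    """True if at least one apex ZONEMD RR with a supported scheme/hash matches (RFC 8976 section 4).

    A ZONEMD whose serial differs from the SOA serial, whose scheme or hash
    algorithm is unknown, or whose digest has the wrong length is skipped.
    """
    apex = name_to_wire(origin)
    soa_serial = next((int(f[2]) for o, _t, t, f in zone
                       if t == "SOA" and name_to_wire(o) == apex), None)
    for owner, _ttl, rtype, fields in zone:
        if rtype != "ZONEMD" or name_to_wire(owner) != apex:
            continue
        serial, scheme, alg, digest_hex = fields
        if int(serial) != soa_serial or int(scheme) != SCHEME_SIMPLE or int(alg) not in HASH_ALG:
            continue
        expected = bytes.fromhex(digest_hex)
        if len(expected) != HASH_ALG[int(alg)]().digest_size:
            continue
        if hmac.compare_digest(zone_digest(zone, origin, int(alg)), expected):
            return True
    return False


def with_fresh_zonemd(zone, origin, alg=1):
    """Replace the apex ZONEMD RRs with one carrying a freshly computed digest
    (the "calculate and add" step; hypothetical helper, not an ldns API)."""
    apex = name_to_wire(origin)
    soa = next(r for r in zone if r[2] == "SOA" and name_to_wire(r[0]) == apex)
    kept = [r for r in zone if not (r[2] == "ZONEMD" and name_to_wire(r[0]) == apex)]
    digest = zone_digest(zone, origin, alg).hex()
    return kept + [(origin, soa[1], "ZONEMD", (int(soa[3][2]), SCHEME_SIMPLE, alg, digest))]


# Constructed sample zone, laid out like RFC 8976 Appendix A.1; the ZONEMD digest
# is a zero placeholder, so as written this zone does NOT verify.
ORIGIN = "example."
ZONE = [
    ("example.", 86400, "SOA", ("ns1.example.", "admin.example.", 2018031900, 1800, 900, 604800, 86400)),
    ("example.", 86400, "NS", ("ns1.example.",)),
    ("example.", 86400, "NS", ("ns2.example.",)),
    ("example.", 86400, "ZONEMD", (2018031900, 1, 1, "00" * 48)),
    ("ns1.example.", 3600, "A", ("203.0.113.63",)),
    ("ns2.example.", 3600, "AAAA", ("2001:db8::63",)),
]

if __name__ == "__main__":
    print("placeholder ZONEMD verifies:", verify_zonemd(ZONE, ORIGIN))
    print("fresh ZONEMD verifies:      ", verify_zonemd(with_fresh_zonemd(ZONE, ORIGIN), ORIGIN))
```

Two design points are worth noting for anyone building a verifier rather than a signer: the serial check ties the digest to one specific version of the zone, so a ZONEMD left behind by a forgotten re-signing step is reported as absent rather than as a match; and because the digest covers canonical wire form, any re-ordering, case change or whitespace difference in the zone file is irrelevant, while a single changed RDATA octet changes the result. As with the -Z option described above, the digest on its own proves integrity, not origin; that requires the zone to be DNSSEC-signed as well.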