Red Hat Bugzilla – Bug 11370
dns_signer not shipped
Last modified: 2008-05-01 11:37:55 EDT

You do not ship dns_signer, the application needed to generate a Secure DNS
Zone (as per DNSSEC), as part of the standard bind package. It is part of
the contrib section of BIND 8.2.2, but it does not get built as part of the
current bind rpm build process.
Without dns_signer, you cannot generate a DNSSEC Secure Zone file.
Could you please build the dns_signer and also ship it with the Bind RPM?

Please correct me if I'm wrong, but I understood that the DNSSEC protocols use
RSA-MD5 signatures, which require use of a patented algorithm.
We'll probably "fix" this some time after the RSA patent has expired.

FYI, RSADSI has given a license to BIND specifically to enable the distribution
of SecureDNS. If you'd like I can go find you the relevant websites that have
the license information, but a web search of DNS RSA and License should find
it. In particular, John Gilmore was instrumental in obtaining such a license.

I think this is all sorted with bind 9.1, as RSA has expired and bind now uses
OpenSSL. (The SecureDNS licence, from what I remember, was not strictly 'Open