DNS signature verification (for BIND 9.2.3)

Nishant nishant.kumar at wipro.com
Fri Jul 2 05:20:05 UTC 2004


Hi Jim,
Thank you for the response. I went through the docs, as suggested by you,
and got to understand the validation part of the client.
But, regarding the 'Signing of a Zone' I still have the following
query:


Jim Reid <jim at rfc1035.com> wrote in message news:<cc1hs7$2t2u$1 at sf1.isc.org>...

> Not quite. The record types are now called DNSKEY and RRSIG in the
> latest DNSSEC drafts. You'll find them on the IETF web site. And
> there's no encryption or decryption going on. Resource records are
> signed using public key crypto and a DNSSEC-aware client should be
> able to validate those signatures.
> dnssec-signzone generates a signed version of a zone.

If I'm not mistaken, isn't it that the process of signing a resource
record means "taking a hash of the record (by passing it through a hash
function) and then encrypting just the hash with the private key"?
And, for this, does 'dnssec-signzone' call OpenSSL crypto functions?


> In BIND9, validation of these signatures is done using the openssl crypto code.
> The guts of the DNSSEC validation code is in lib/dns/validator.c
> There was a discussion about how to setup DNSSEC in this list a few
> weeks ago. I recommend you check the list archives for more info and
> pointers to websites that may help you.


regards,
Nishant Kumar
Systems engineer, Wipro ESG
Bangalore, India
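The hash-then-sign step asked about above, as an added example in Go; this is not BIND's code and not what dnssec-signzone does byte-for-byte (the canonical RRset layout is a simplified presentation form, and the key, owner name and addresses are constructed), but the signer side hashes the RRset and signs the digest with the private key, and the validator side verifies with the public key rather than decrypting anything.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// canonicalRRset builds the bytes an RRSIG covers: owner name lowercased and
// records sorted by RDATA, so signer and validator hash identical input.
// Simplified text form for illustration, not the DNS wire format.
func canonicalRRset(owner, rtype string, rdatas []string) []byte {
	sorted := append([]string(nil), rdatas...)
	sort.Strings(sorted)
	var b strings.Builder
	for _, rd := range sorted {
		fmt.Fprintf(&b, "%s %s %s\n", strings.ToLower(owner), rtype, rd)
	}
	return []byte(b.String())
}

// signRRset is the zone-signing side: hash the canonical RRset, then produce an
// RSA PKCS#1 v1.5 signature over that digest with the zone's private key.
func signRRset(priv *rsa.PrivateKey, rrset []byte) ([]byte, error) {
	digest := sha256.Sum256(rrset)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// validateRRset is the resolver side: recompute the digest and check the
// signature against the public key (what a DNSKEY record carries). No
// decryption happens; the result is only accept or reject.
func validateRRset(pub *rsa.PublicKey, rrset, sig []byte) bool {
	digest := sha256.Sum256(rrset)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed zone key
	rrset := canonicalRRset("Example.com.", "A", []string{"192.0.2.2", "192.0.2.1"})
	sig, err := signRRset(key, rrset)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", validateRRset(&key.PublicKey, rrset, sig))
	tampered := canonicalRRset("example.com.", "A", []string{"192.0.2.2", "198.51.100.1"})
	fmt.Println("tampered valid:", validateRRset(&key.PublicKey, tampered, sig))
}
```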

