Add kasp nsec3param configuration

Add configuration and documentation on how to enable NSEC3 when
using dnssec-policy for signing your zones.

(cherry picked from commit f7ca96c805)
Matthijs Mekking
2020-10-09 14:19:10 +02:00
parent 9b9ac92fd0
commit 5dfd3b2d7b
11 changed files with 72 additions and 10 deletions


@@ -76,6 +76,8 @@ DNSSEC-POLICY
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
duration_or_unlimited algorithm string [ integer ]; ... };
max-zone-ttl duration;
nsec3param [ iterations integer ] [ optout boolean ] [ salt
string ];
parent-ds-ttl duration;
parent-propagation-delay duration;
publish-safety duration;


@@ -22,6 +22,7 @@ dnssec-policy "test" {
csk key-directory lifetime unlimited algorithm rsasha256 2048;
};
max-zone-ttl 86400;
nsec3param iterations 5 optout no salt "deadbeef";
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
publish-safety PT3600S;
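Review bot: The sample line `nsec3param iterations 5 optout no salt "deadbeef";` (presumably the one added line in this hunk) pins a non-zero iteration count and a fixed literal salt with nothing marking them as arbitrary test values, so it is easy to copy into a production policy. Current operational guidance (RFC 9276) is to use 0 iterations and an empty salt, because extra iterations add hashing cost on signers and validators without meaningfully slowing offline enumeration of the zone, and a static salt adds nothing unless it is rotated. I would add a comment above the line such as `# arbitrary values for parser coverage only; not a recommended NSEC3 setting`. The `dnssec-policy "test"` block starts and ends outside the hunk, so I cannot tell whether the file already has a header comment saying this.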


@@ -22,6 +22,7 @@ dnssec-policy "test" {
csk key-directory lifetime P30D algorithm 8 2048;
};
max-zone-ttl 86400;
nsec3param ;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
publish-safety PT3600S;
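Review bot: The bare `nsec3param ;` turns on NSEC3 with implicit values for iterations, opt-out and salt, and nothing in this section states what those values are or that this file exists to cover the no-options form. Since the defaults decide the hashing cost and whether delegations are opted out, a reader should not have to look them up in the parser; a comment such as `# no options given: NSEC3 is enabled with the built-in defaults for iterations, optout and salt` would make the intent explicit. The enclosing `dnssec-policy "test"` block continues outside the hunk. From the visible sections I also cannot see a negative case (out-of-range iterations, non-hex salt); if the other changed files do not include one, it would be worth adding.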