Add kasp nsec3param configuration

Add configuration and documentation on how to enable NSEC3 when
using dnssec-policy for signing your zones.

(cherry picked from commit f7ca96c805)
Matthijs Mekking
2020-10-09 14:19:10 +02:00
parent 9b9ac92fd0
commit 5dfd3b2d7b
11 changed files with 72 additions and 10 deletions


@@ -248,17 +248,21 @@ removed after the update request completes.
Converting From NSEC to NSEC3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To do this, an NSEC3PARAM record must be added. When the
conversion is complete, the NSEC chain is removed and the
NSEC3PARAM record has a zero flag field. The NSEC3 chain is
generated before the NSEC chain is destroyed.
Add a ``nsec3param`` option to your ``dnssec-policy`` and
run ``rndc reconfig``.
NSEC3 is not yet supported with ``dnssec-policy``.
Or use ``nsupdate`` to add an NSEC3PARAM record.
In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
added before the NSEC chain is destroyed.
Converting From NSEC3 to NSEC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
run ``rndc reconfig``.
Or use ``nsupdate`` to remove all NSEC3PARAM records with a
zero flag field. The NSEC chain is generated before the NSEC3 chain
is removed.
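Review bot: the rewritten "Converting From NSEC to NSEC3" text drops the statement that, once the conversion is complete, the NSEC3PARAM record has a zero flag field; that flag value is what an operator checks to confirm the NSEC3 chain is fully built before the NSEC chain goes away, and the "Converting From NSEC3 to NSEC" paragraph below still refers to it ("remove all NSEC3PARAM records with a zero flag field"), so keep that sentence in the new `dnssec-policy` path too. Suggested wording after "In both cases, ...": "When the conversion is complete, the NSEC3PARAM record has a zero flag field."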


@@ -4938,6 +4938,18 @@ The following options can be specified in a ``dnssec-policy`` statement:
A `max-zone-ttl` of zero is treated as if
the default value were in use.
``nsec3param``
Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
Here is an example (for illustration purposes only) of
a ``nsec3`` configuration:
::
nsec3param ttl 0 iterations 5 optout no salt "-";
The default is to use NSEC.
``zone-propagation-delay``
This is the expected propagation delay from the time when a zone
is first updated to the time when the new version of the
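Review bot: "an example ... of a ``nsec3`` configuration" should read ``nsec3param``, since that is the option being documented. The entry also states only "The default is to use NSEC"; it should give the defaults for `iterations`, `optout` and `salt` when `nsec3param` is present without them, and say what `salt "-"` denotes in the example, otherwise a reader cannot tell which of the three sub-options they need to set.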


@@ -126,10 +126,9 @@ dnssec-policy "nsec3" {
signatures-validity P14D;
signatures-validity-dnskey P14D;
// Denial of existence
denial-type nsec3;
nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
nsec3-salt length 8 resalt P100D;
// Denial of existence (default NSEC)
nsec3param iterations 5 optout no salt "-";
nsec3-resalt P100D;
// Keys
dnskey-ttl 3600;
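Review bot: the new comment `// Denial of existence (default NSEC)` sits directly above `nsec3param iterations 5 optout no salt "-";`, which switches this policy to NSEC3, so the comment contradicts the line it labels; `// Denial of existence (NSEC3)` would be accurate. The example also keeps `nsec3-resalt P100D;`, which does not appear in the `nsec3param [ iterations ] [ optout ] [ salt ]` grammar added elsewhere in this commit and has no entry in the option reference, so either document `nsec3-resalt` and add it to the grammar or drop the line from the sample policy.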


@@ -105,6 +105,8 @@ dnssec\-policy string {
keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
duration_or_unlimited algorithm string [ integer ]; ... };
max\-zone\-ttl duration;
nsec3param [ iterations integer ] [ optout boolean ] [ salt
string ];
parent\-ds\-ttl duration;
parent\-propagation\-delay duration;
publish\-safety duration;
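Review bot: the grammar added here (and repeated in the three following hunks) lists only `iterations`, `optout` and `salt`, but the option reference in this same commit shows `nsec3param ttl 0 iterations 5 optout no salt "-";` with a `ttl` sub-option, and the sample policy uses `nsec3-resalt`; either add those to all four grammar copies or remove them from the examples so that documentation and grammar agree. Since the same two lines are duplicated across four files, it is worth a follow-up check that they stay identical.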


@@ -5,6 +5,8 @@
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
<string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;


@@ -26,6 +26,8 @@ dnssec-policy <string> {
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
<string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>; // obsolete


@@ -26,6 +26,8 @@ dnssec-policy <string> {
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
<string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;