keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
duration_or_unlimited algorithm string [ integer ]; ... };
max-zone-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
parent-ds-ttl duration;
parent-propagation-delay duration;
publish-safety duration;
csk key-directory lifetime unlimited algorithm rsasha256 2048;
};
max-zone-ttl 86400;
+ nsec3param iterations 5 optout no salt "deadbeef";
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
publish-safety PT3600S;
csk key-directory lifetime P30D algorithm 8 2048;
};
max-zone-ttl 86400;
+ nsec3param ;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
publish-safety PT3600S;
Converting From NSEC to NSEC3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, an NSEC3PARAM record must be added. When the
-conversion is complete, the NSEC chain is removed and the
-NSEC3PARAM record has a zero flag field. The NSEC3 chain is
-generated before the NSEC chain is destroyed.
+Add a ``nsec3param`` option to your ``dnssec-policy`` and
+run ``rndc reconfig``.
-NSEC3 is not yet supported with ``dnssec-policy``.
+Or use ``nsupdate`` to add an NSEC3PARAM record.
+
+In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
+added before the NSEC chain is destroyed.
Converting From NSEC3 to NSEC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
+To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
+run ``rndc reconfig``.
+
+Or use ``nsupdate`` to remove all NSEC3PARAM records with a
zero flag field. The NSEC chain is generated before the NSEC3 chain
is removed.
A ``max-zone-ttl`` of zero is treated as if
the default value were in use.
+ ``nsec3param``
+ Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
+
+ Here is an example (for illustration purposes only) of
+ a ``nsec3`` configuration:
+
+ ::
+
+ nsec3param ttl 0 iterations 5 optout no salt "-";
+
+ The default is to use NSEC.
+
``zone-propagation-delay``
This is the expected propagation delay from the time when a zone
is first updated to the time when the new version of the
signatures-validity P14D;
signatures-validity-dnskey P14D;
- // Denial of existence
- denial-type nsec3;
- nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
- nsec3-salt length 8 resalt P100D;
+ // Denial of existence (default NSEC)
+ nsec3param iterations 5 optout no salt "-";
+ nsec3-resalt P100D;
// Keys
dnskey-ttl 3600;
keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
duration_or_unlimited algorithm string [ integer ]; ... };
max\-zone\-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
parent\-ds\-ttl duration;
parent\-propagation\-delay duration;
publish\-safety duration;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
+ nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+ <string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
+ nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+ <string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>; // obsolete
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
+ nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+ <string> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
publish-safety <duration>;
cfg_print_tuple, cfg_doc_tuple,
&cfg_rep_tuple, kaspkey_fields };
+/*%
+ * NSEC3 parameters.
+ */
+static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3iter = {
+ "iterations", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_uint32, &nsec3iter_kw
+};
+
+static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
+static cfg_type_t cfg_type_nsec3optout = {
+ "optout", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_boolean, &nsec3optout_kw
+};
+
+static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
+static cfg_type_t cfg_type_nsec3salt = {
+ "salt", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_string, &nsec3salt_kw
+};
+
+static cfg_tuplefielddef_t nsec3param_fields[] = {
+ { "iterations", &cfg_type_nsec3iter, 0 },
+ { "optout", &cfg_type_nsec3optout, 0 },
+ { "salt", &cfg_type_nsec3salt, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nsec3 = { "nsec3param", cfg_parse_tuple,
+ cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, nsec3param_fields };
+
/*%
* Wild class, type, name.
*/
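Review bot: `nsec3iter_kw` binds `iterations` to plain `cfg_type_uint32`, so the grammar accepts any 32-bit iteration count, and `nsec3salt_kw` binds `salt` to a free-form `cfg_type_sstring` with no hex or length check; unless the dnssec-policy checker elsewhere bounds them, an oversized iteration count or salt is accepted silently, and a high NSEC3 iteration count raises the per-query hashing cost on the authoritative side while validating resolvers commonly cap the count they will accept (the wire format also limits the salt to 255 octets). If those limits are enforced when the policy is loaded rather than by the grammar, a one-line comment above `nsec3iter_kw` would save the next reader the search, e.g. `/* iterations/salt range and length limits are validated at policy load, not by the grammar. */`; otherwise this hunk is where a bounded type belongs. Separately, the reference-documentation example in this commit writes `nsec3param ttl 0 iterations 5 optout no salt "-";`, but `nsec3param_fields` defines no `ttl` field, so that example would not parse against this grammar — either the field list or the example should be brought into agreement.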
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
+ { "nsec3param", &cfg_type_nsec3, 0 },
{ "parent-ds-ttl", &cfg_type_duration, 0 },
{ "parent-propagation-delay", &cfg_type_duration, 0 },
{ "parent-registration-delay", &cfg_type_duration,