From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 27 Mar 2025 14:51:17 +0000 (-0400) Subject: docs: nsec/nsec3 X-Git-Tag: dnsdist-2.0.0-alpha2~110^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f9a4c70bc047ec70b7421b2e8d9bd8bc8dd5092;p=thirdparty%2Fpdns.git docs: nsec/nsec3 Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- diff --git a/docs/changelog/pre-4.0.rst b/docs/changelog/pre-4.0.rst index 202e4e5209..903d3f1560 100644 --- a/docs/changelog/pre-4.0.rst +++ b/docs/changelog/pre-4.0.rst @@ -1730,7 +1730,7 @@ DNSSEC changes in 3.2 cause trouble. Reported by Kees Monshouwer and fixed by him in `commit 25cee6b9448744d3b6428ceb38cda9de0efd327c `__. - When a name is matched only by a wildcard, but the type in the query - is not present, we would be lacking one NSEC(3) record to prove the + is not present, we would be lacking one NSEC/NSEC3 record to prove the existence of the wildcard. Fixed by Kees Monshouwer in `commit 7bb8e2026c204f3356bfde3634a297f05aad0b4e `__ and `commit 1012b0399b0353b04edaa61b8a42be10da4290f7 `__. - Luuk Hendriks spotted that our PolarSSL RSA key generation code was @@ -1984,7 +1984,7 @@ Changes between RC2 and RC3 Presumably fixed in `commit b87bd70860f12824262b995dd791423661f68182 `__. - Updated a bunch of internal counters to be threadsafe. Code in `commit 16f7d28d81099077def2b44436a4942893afc306 `__. -- NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael +- NSEC/NSEC3 bitmaps can now cover RRtypes above 255. Reported by Michael Braunoeder, patch by Aki Tuomi in `commit 5b7f65461b656ce554d392e903c92091370a0dfd `__. - pdnssec check-zone now reports MBOXFW and URL records (as those are unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch diff --git a/docs/dnssec/migration.rst b/docs/dnssec/migration.rst index 6ace0ce69e..f5f3d64328 100644 --- a/docs/dnssec/migration.rst +++ b/docs/dnssec/migration.rst 
@@ -74,7 +74,7 @@ Putting them in the database might cause duplicate records in responses. automatically. .. warning:: - Right now, you will also need to configure NSEC(3) settings + Right now, you will also need to configure NSEC/NSEC3 settings for pre-signed zones using ``pdnsutil set-nsec3``. Default is NSEC, in which case no further configuration is necessary. diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst index ad7ae6657b..2949d8ab03 100644 --- a/docs/dnssec/modes-of-operation.rst +++ b/docs/dnssec/modes-of-operation.rst @@ -142,8 +142,8 @@ Such zones can either be served as secondary from a remote primary in online signing mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone, and dnssec-signzone. -Even in this mode, PowerDNS will synthesize NSEC(3) records itself -because of its architecture. RRSIGs of these NSEC(3) will still need to +Even in this mode, PowerDNS will synthesize NSEC/NSEC3 records itself +because of its architecture. RRSIGs of these NSEC/NSEC3 will still need to be imported. See the :ref:`Presigned migration guide `. Front-signing diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index 2ba497be97..c349aaba37 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst 
@@ -218,9 +218,9 @@ Note that the NSEC/NSEC3 records proving those negatives will get the high TTL i .. note:: This behaviour was changed in version 4.3.0. - We believe the language in RFC 4034 and 5155 about the NSEC(3) TTL is a mistake, and we have chosen to honour its spirit instead of its words. + We believe the language in RFC 4034 and 5155 about the NSEC/NSEC3 TTL is a mistake, and we have chosen to honour its spirit instead of its words. This unfortunate wording was eventually corrected in :rfc:`RFC 9077 <9077#section-3>`. - NSEC(3) records now get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of an error such as NXDOMAIN. + NSEC/NSEC3 records now get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of an error such as NXDOMAIN. This conforms to RFC9077. diff --git a/docs/upgrading.rst b/docs/upgrading.rst index 2b1622ae02..cd90382f3b 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst @@ -323,10 +323,10 @@ The previous set of indexes for the gsqlite3 backend was found to be poor. 4.2.x to 4.3.0 -------------- -NSEC(3) TTL changed -^^^^^^^^^^^^^^^^^^^ +NSEC/NSEC3 TTL changed +^^^^^^^^^^^^^^^^^^^^^^ -NSEC(3) records now use the negative TTL, instead of the SOA minimum TTL. +NSEC/NSEC3 records now use the negative TTL, instead of the SOA minimum TTL. See :ref:`the DNSSEC TTL notes ` for more information. Lua Netmask class methods changed diff --git a/pdns/recursordist/docs/changelog/4.0.rst b/pdns/recursordist/docs/changelog/4.0.rst index 36b46c3aac..c154583df9 100644 --- a/pdns/recursordist/docs/changelog/4.0.rst +++ b/pdns/recursordist/docs/changelog/4.0.rst 
@@ -470,7 +470,7 @@ following major new features: - RPZ aka Response Policy Zone support - IXFR slaving in the PowerDNS Recursor for RPZ - DNSSEC processing in Recursor (Authoritative has had this for years) -- DNSSEC validation (without NSEC(3) proof validation) +- DNSSEC validation (without NSEC/NSEC3 proof validation) - EDNS Client Subnet support in PowerDNS Recursor (Authoritative has had this for years) - Lua asynchronous queries for per-IP/per-domain status diff --git a/pdns/recursordist/docs/changelog/4.5.rst b/pdns/recursordist/docs/changelog/4.5.rst index 08d3a717a2..60ede2f268 100644 --- a/pdns/recursordist/docs/changelog/4.5.rst +++ b/pdns/recursordist/docs/changelog/4.5.rst @@ -258,7 +258,7 @@ Changelogs for 4.5.X :tags: Bug Fixes :pullreq: 10519 - Make sure that we pass the SOA along the NSEC(3) proof for DS queries. + Make sure that we pass the SOA along the NSEC/NSEC3 proof for DS queries. .. changelog:: :version: 4.5.2
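Review bot: in the docs/upgrading.rst hunk, renaming the section title from "NSEC(3) TTL changed" to "NSEC/NSEC3 TTL changed" changes the HTML anchor Sphinx derives from the heading text, so any external deep link to the old section anchor will stop resolving; the `:ref:` cross-references are unaffected because they point at explicit labels. If that anchor is linked from release announcements, consider keeping a stable explicit label on the section or mentioning the anchor change in the commit message. Also confirm the replaced `^^^^` underline is at least 22 characters long (the new title length) so Sphinx does not emit a "title underline too short" warning.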
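Review bot: the hunks in docs/changelog/pre-4.0.rst, pdns/recursordist/docs/changelog/4.0.rst and pdns/recursordist/docs/changelog/4.5.rst reword entries of already-released changelogs ("- NSEC/NSEC3 bitmaps can now cover RRtypes above 255.", "- DNSSEC validation (without NSEC/NSEC3 proof validation)", "Make sure that we pass the SOA along the NSEC/NSEC3 proof for DS queries."). Historical release notes are usually left as published; if the intent is a repository-wide terminology sweep that includes changelogs, the commit message "docs: nsec/nsec3" should say so, otherwise limit the change to the current documentation pages (migration.rst, modes-of-operation.rst, operational.rst, upgrading.rst).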
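Review bot: in the docs/dnssec/operational.rst hunk, the unchanged context line "This conforms to RFC9077." still spells the reference without a space and without the `:rfc:` role, while the changed line directly above it uses ":rfc:`RFC 9077 <9077#section-3>`". Since this paragraph is being edited anyway, make the trailing sentence "This conforms to :rfc:`9077`." so both references render consistently and the second one also links.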
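Review bot: in the docs/dnssec/modes-of-operation.rst hunk, the changed line "RRSIGs of these NSEC/NSEC3 will still need to" reads as if NSEC/NSEC3 were a noun; with the parenthetical form gone it would be clearer as "RRSIGs of these NSEC/NSEC3 records will still need to be imported", matching the wording of the preceding line ("will synthesize NSEC/NSEC3 records itself").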