Non-disruptive migration to dnssec-policy possible?

Shumon Huque shuque at gmail.com
Thu Mar 26 00:57:54 UTC 2020


Thanks for the information, Matthijs.

We were actually looking forward to this particular feature in 9.16.x for
easier key rolls. So, if you have any idea yet about the timeframe to
develop and backport the NSEC3 support to 9.16, let us know.

Thanks!
Shumon.

On Wed, Mar 25, 2020 at 4:09 PM Matthijs Mekking <matthijs at isc.org> wrote:

> Hi Shumon,
>
> The "NOT IMPLEMENTED YET" is still accurate. It means that if you use
> dnssec-policy, your zones will be signed with NSEC. Any attempts to make
> it work with NSEC3 (with Dynamic Update for example) have undefined
> behavior.
>
> You are right that at this moment dnssec-policy is not yet suitable for
> your use case. We will implement NSEC3 for dnssec-policy in 9.17 and
> backport it to 9.16.
>
> Best regards,
>
> Matthijs
>
> On 3/25/20 8:50 PM, Shumon Huque wrote:
> > On Wed, Mar 25, 2020 at 9:04 AM Matthijs Mekking <matthijs at isc.org
> > <mailto:matthijs at isc.org>> wrote:
> >
> >     Hi Håkan,
> >
> >     First of all, thanks for trying out the new dnssec-policy feature.
> >
> >     I'll admit there is insufficient documentation and tooling around
> >     migration to dnssec-policy, possibly there is a bug too.
> >
> > [...]
> >
> > Hi Matthijs,
> >
> > We are just starting to look at 9.16.x also, and are considering what it
> > would take to move our current "auto-dnssec maintain" configuration to
> > the new dnssec-policy feature.
> >
> > We use NSEC3 though, and from your wiki, I see the following:
> >
> > " Currently if you want to sign your zone with NSEC3 you can do so by
> > introducing
> > an NSEC3PARAM record via Dynamic Update. This is no longer necessary with
> > dnssec-policy as you can configure NSEC3 usage in named.conf (NOT
> > IMPLEMENTED YET)."
> >
> > Is the "NOT IMPLEMENTED YET" still accurate? And if accurate, can you
> > elaborate on what that means? e.g. NSEC3 zones don't work at all? NSEC3
> > zones can be generated and served, but NSEC3 parameters cannot be
> > managed/rolled? Or something else?
> >
> > If the latter, I was wondering if it is possible to combine pieces of
> > the old and new ways, e.g. pre-configure an unsigned zone with an NSEC3
> > param using dynamic update or "rndc signing -nsec3param", and also use
> > dnssec-policy to allow for maintenance of the DNSSEC keys? Our
> > requirement though is that the signed zone needs to be NSEC3 out of the
> > gate. At first glance, if I'm understanding the new configuration
> > statements, that doesn't seem possible.
> >
> > Thanks!
> > Shumon Huque.
> >
>
>
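For readers following the two approaches discussed in this thread, here is an added named.conf sketch (not from the original message, not ISC's own example) that puts the existing "auto-dnssec maintain" zone next to a dnssec-policy zone of the kind Shumon is considering. The zone name, file paths, key directory and policy name are placeholders, and the comments record what the thread states about BIND 9.16 at the time: a dnssec-policy zone is signed with NSEC, and NSEC3 in dnssec-policy was still to be implemented in 9.17 and backported to 9.16.

```conf
// --- Current approach: auto-dnssec maintain + inline signing ---
// NSEC3 is switched on after the zone is loaded, e.g. with
//   rndc signing -nsec3param 1 0 10 - example.test
// or by adding an NSEC3PARAM record via Dynamic Update (nsupdate).
// The "-" salt means no salt; 10 iterations is a placeholder value.
zone "example.test" {
    type master;
    file "/var/named/example.test.db";          // placeholder path
    key-directory "/var/named/keys";            // placeholder path
    auto-dnssec maintain;
    inline-signing yes;
    update-policy local;                        // needed only for nsupdate -l
};

// --- New approach: dnssec-policy (BIND 9.16) ---
// Placeholder policy: ECDSA P-256 (algorithm 13), KSK kept, ZSK rolled every 90 days.
dnssec-policy "migration-policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime P90D algorithm 13;
    };
    dnskey-ttl 3600;
};

// As of the 9.16 release discussed in this thread, this zone is signed with NSEC;
// combining it with an NSEC3PARAM update has undefined behaviour per the reply above.
zone "example-new.test" {
    type master;
    file "/var/named/example-new.test.db";      // placeholder path
    key-directory "/var/named/keys";            // placeholder path
    dnssec-policy "migration-policy";
    inline-signing yes;
};
```

The practical check after loading either zone is `rndc signing -list <zone>` to confirm which (if any) NSEC3 chain named is maintaining, and `dig +dnssec` against the server to confirm whether negative answers carry NSEC or NSEC3 records; a zone that must be NSEC3 "out of the gate" should be verified that way before its DS is published.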