procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?
Mark Andrews
marka at isc.org
Wed Oct 19 17:48:13 UTC 2022
Just reload the server.
--
Mark Andrews
> On 20 Oct 2022, at 01:45, PGNet Dev <pgnet.dev at gmail.com> wrote:
>
> running
>
> bind 9.18.7
>
> i've enabled dnssec-policy signing
>
> current KSK & ZSK keys had been generated with
>
> dnssec-policy "prod01" {
> ...
> nsec3param iterations 5 optout no salt-length 8;
> ...
> }
>
> noting
>
> Change default for nsec3param to iterations 0 salt-length 0
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2956
>
> Guidance for NSEC3 Parameter Settings
> https://datatracker.ietf.org/doc/rfc9276/
>
> i'm changing that to,
>
> - nsec3param iterations 5 optout no salt-length 8;
> + nsec3param iterations 0 optout no salt-length 0;
>
> the rfc notes,
>
> "Changing a zone's salt value requires the construction of a complete
> new NSEC3 chain. This is true both when re-signing the entire zone
> at once and when incrementally signing it in the background where the
> new salt is only activated once every name in the chain has been
> completed."
>
> since dnssec management is 'fully automated' using dnssec-policy, in addition to the 'nsec3param' change in named.conf, and a server reload/restart,
>
> what's the correct procedure for force re-signing all nsec3 signed zones 'now'?
>
> is changing one of the timing values in the -policy sufficient? and bind9 will automate the rest?
> or, is a manual intervention with 'dnssec-signzone' required?
>
> in either case, iiuc, re-signing will re-generate zone data with updated RRSIGs for published records.
> the DS record for each zone, extracted from its KSK, was manually pushed to registrar, and subsequently to the zone's appropriate parent.
>
> with that, does the DS record need to be touched? i.e., will the change to nsec3param change the zone's KSK?
> --
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
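An added check (mine, not from the thread, BIND or ISC) for confirming what a zone publishes after the reload: it parses the NSEC3PARAM record as dig prints it or as it appears in a zone file, lists where it departs from the RFC 9276 recommendation the poster cites (0 iterations, no salt), and reports whether the change forces a new NSEC3 chain. The zone name and salt value in the sample are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec3Param:
    hash_alg: int    # RFC 5155 defines only 1 (SHA-1)
    flags: int       # NSEC3PARAM flags; the opt-out bit is carried by the NSEC3 RRs
    iterations: int
    salt: str        # lowercase hex, "" when the record shows "-"


def parse_nsec3param(text: str) -> Nsec3Param:
    """Accept bare RDATA ("1 0 0 -") or a full RR line ("zone. 0 IN NSEC3PARAM 1 0 0 -")."""
    fields = text.split()
    if "NSEC3PARAM" in fields:
        fields = fields[fields.index("NSEC3PARAM") + 1:]
    if len(fields) != 4:
        raise ValueError(f"expected 'alg flags iterations salt', got {text!r}")
    alg, flags, iterations, salt = fields
    salt = "" if salt == "-" else salt.lower()
    if len(salt) % 2 or any(c not in "0123456789abcdef" for c in salt):
        raise ValueError(f"salt is not hex: {salt!r}")
    return Nsec3Param(int(alg), int(flags), int(iterations), salt)


def rfc9276_findings(p: Nsec3Param) -> list[str]:
    """Ways p departs from RFC 9276 guidance; an empty list means it follows it."""
    findings = []
    if p.hash_alg != 1:
        findings.append(f"unknown NSEC3 hash algorithm {p.hash_alg}")
    if p.iterations > 0:
        findings.append(f"iterations {p.iterations}: RFC 9276 recommends 0")
    if p.salt:
        findings.append(f"{len(p.salt) // 2}-byte salt: RFC 9276 recommends no salt")
    return findings


def needs_new_chain(old: Nsec3Param, new: Nsec3Param) -> bool:
    """Every NSEC3 RR embeds these four fields, so any change rebuilds the whole chain.
    The keys are not involved, so the DS at the parent stays as it is."""
    return old != new


if __name__ == "__main__":
    # Constructed sample: the thread's old policy (5 iterations, 8-byte salt) as dig
    # would print it, and the record after reloading with the new policy.
    before = parse_nsec3param("example.test. 0 IN NSEC3PARAM 1 0 5 A1B2C3D4E5F60708")
    after = parse_nsec3param("example.test. 0 IN NSEC3PARAM 1 0 0 -")
    print("before:", rfc9276_findings(before))
    print("after:", rfc9276_findings(after) or "follows RFC 9276")
    print("new NSEC3 chain required:", needs_new_chain(before, after))
```

Run it against `dig +short NSEC3PARAM <zone> @<your-server>` output once the reload is done to confirm the new parameters are live.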