procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?
PGNet Dev
pgnet.dev at gmail.com
Wed Oct 19 14:45:32 UTC 2022
running
bind 9.18.7
i've enabled dnssec-policy signing
current KSK & ZSK keys had been generated with
dnssec-policy "prod01" {
...
nsec3param iterations 5 optout no salt-length 8;
...
}
noting
Change default for nsec3param to iterations 0 salt-length 0
https://gitlab.isc.org/isc-projects/bind9/-/issues/2956
Guidance for NSEC3 Parameter Settings
https://datatracker.ietf.org/doc/rfc9276/
i'm changing that to,
- nsec3param iterations 5 optout no salt-length 8;
+ nsec3param iterations 0 optout no salt-length 0;
the rfc notes,
"Changing a zone's salt value requires the construction of a complete
new NSEC3 chain. This is true both when re-signing the entire zone
at once and when incrementally signing it in the background where the
new salt is only activated once every name in the chain has been
completed."
since dnssec management is 'fully automated' using dnssec-policy, in addition to the 'nsec3param' change in named.conf, and a server reload/restart,
what's the correct procedure for force re-signing all nsec3 signed zones 'now'?
is changing one of the timing values in the -policy sufficient? and bind9 will automate the rest?
or, is a manual intervention with 'dnssec-signzone' required?
in either case, iiuc, re-signing will re-generate zone data with updated RRSIGs for published records.
the DS record for each zone, extracted from its KSK, was manually pushed to registrar, and subsequently to the zone's appropriate parent.
with this, does the DS record need to be touched? i.e., will the change to nsec3param change the zone's KSK?
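One way to verify, after the policy change, whether the new NSEC3 chain the RFC talks about is actually in place: compare the hash algorithm, iterations and salt of every NSEC3 record against the apex NSEC3PARAM (flags are deliberately not compared, since opt-out is signalled only in NSEC3 records). This is an added example, not part of the original post; the RR lines are constructed samples in dig presentation format (owner TTL class type rdata), such as you would get from a zone transfer or a dump of the signed zone file.

```shell
#!/bin/sh
# nsec3_chain_consistent: read RR lines on stdin; exit 0 when every NSEC3 record
# carries the same (hash alg, iterations, salt) as the apex NSEC3PARAM, i.e. the
# chain rebuild after an nsec3param change has completed; exit 1 while old-salt
# NSEC3 records are still present; exit 2 if no NSEC3PARAM is found at all.
nsec3_chain_consistent() {
    awk '
        # fields: $1 owner, $2 TTL, $3 class, $4 type, $5.. rdata
        $4 == "NSEC3PARAM" { param = $5 " " $7 " " $8; next }
        $4 == "NSEC3"      { n++; chain[n] = $5 " " $7 " " $8; owner[n] = $1 }
        END {
            if (param == "") { print "no NSEC3PARAM at apex"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++)
                if (chain[i] != param) {
                    bad++
                    print "stale NSEC3 (alg/iter/salt " chain[i] "): " owner[i]
                }
            if (bad) print "chain rebuild incomplete: " bad " stale record(s)"
            else     print "chain matches NSEC3PARAM (alg/iter/salt " param ")"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: rebuild finished, new policy (iterations 0, no salt "-").
SAMPLE_DONE='example.com. 3600 IN NSEC3PARAM 1 0 0 -
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM.example.com. 3600 IN NSEC3 1 0 0 - 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG
2T7B4G4VSA5SMI47K61MV5BV1A22BOJR.example.com. 3600 IN NSEC3 1 0 0 - 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM A AAAA RRSIG'

# Constructed sample: new NSEC3PARAM published, but one record still uses the
# old parameters (iterations 5, 8-byte salt), so the chain is mid-transition.
SAMPLE_INPROGRESS='example.com. 3600 IN NSEC3PARAM 1 0 0 -
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM.example.com. 3600 IN NSEC3 1 0 0 - 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG
K3ST8UG1SDHPO1RV9CV4AHNE9ATRENRR.example.com. 3600 IN NSEC3 1 0 5 0123456789ABCDEF 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM A RRSIG'

printf '%s\n' "$SAMPLE_DONE"       | nsec3_chain_consistent
printf '%s\n' "$SAMPLE_INPROGRESS" | nsec3_chain_consistent || :
```

Against a live server, feed it the output of `dig @server zone AXFR` (or the dumped signed zone file) instead of the samples.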