Just reload the server. 

-- 
Mark Andrews

> On 20 Oct 2022, at 01:45, PGNet Dev <pgnet....@gmail.com> wrote:
> 
> running
> 
>    bind 9.18.7
> 
> i've enabled dnssec-policy signing
> 
> current KSK & ZSK keys had been generated with
> 
>    dnssec-policy "prod01" {
>        ...
>        nsec3param iterations 5 optout no salt-length 8;
>        ...
>    }
> 
> noting
> 
>    Change default for nsec3param to iterations 0 salt-length 0
>     https://gitlab.isc.org/isc-projects/bind9/-/issues/2956
> 
>    Guidance for NSEC3 Parameter Settings
>     https://datatracker.ietf.org/doc/rfc9276/
> 
> i'm changing that to,
> 
> -    nsec3param iterations 5 optout no salt-length 8;
> +    nsec3param iterations 0 optout no salt-length 0;
> 
> the rfc notes,
> 
>    "Changing a zone's salt value requires the construction of a complete
>     new NSEC3 chain.  This is true both when re-signing the entire zone
>     at once and when incrementally signing it in the background where the
>     new salt is only activated once every name in the chain has been
>     completed."
> 
> since dnssec management is 'fully automated' using dnssec-policy, in addition 
> to the 'nsec3param' change in named.conf, and a server reload/restart,    
> 
> what's the correct procedure for force re-signing all nsec3 signed zones 
> 'now'?
> 
> is changing one of the timing values in the -policy sufficient? and bind9 
> will automate the rest?
> or, is a manual intervention with 'dnssec-signzone' required?
> 
> in either case, iiuc, re-signing will re-generate zone data with updated 
> RRSIGs for published records.
> the DS record for each zone, extracted from its KSK, was manually pushed to 
> registrar, and subsequently to the zone's appropriate parent.
> 
> with the change, does the DS record need to be touched? i.e., will the change to 
> nsec3param change the zone's KSK?
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
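The RFC 9276 passage quoted above says a salt change forces a complete new NSEC3 chain. This added example (not code from the thread or from BIND) shows why, by computing NSEC3 hashed owner names per RFC 5155 under the old and the new policy parameters, and checks an NSEC3PARAM record in presentation form against the RFC 9276 recommendation; the zone names and records are constructed, and the only known-answer value is the RFC 5155 Appendix A test vector.

```python
"""Added example: NSEC3 hashed owner names depend on salt and iterations (RFC 5155),
which is why a salt change rebuilds the whole chain. DNSKEY and DS carry no NSEC3
parameters, so the DS published at the parent is not affected by this change.
All names and records here are constructed except the RFC 5155 Appendix A vector."""
import base64
import hashlib

# standard base32 alphabet -> base32hex alphabet (RFC 4648), as NSEC3 owner names use
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt), H = SHA-1,
    over the canonical (lowercase) wire form of the owner name; output is base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, so no '=' padding appears
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec3_chain(names, salt_hex: str, iterations: int) -> list:
    """Hashed owners in chain order; any change to salt or iterations rewrites all of them."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def check_nsec3param(rr_text: str) -> list:
    """Compare an NSEC3PARAM record in presentation form ("<owner> <ttl> IN NSEC3PARAM
    <alg> <flags> <iterations> <salt>") with the RFC 9276 recommendation of 0 iterations
    and no salt ('-'). Returns the list of deviations, empty when compliant."""
    _alg, _flags, iterations, salt = rr_text.split()[-4:]
    problems = []
    if int(iterations) > 0:
        problems.append(f"iterations {iterations}: RFC 9276 recommends 0")
    if salt != "-":
        problems.append(f"salt {salt} ({len(salt) // 2} bytes): RFC 9276 recommends none")
    return problems


if __name__ == "__main__":
    names = ["example.com", "www.example.com", "mail.example.com"]  # constructed
    old = nsec3_chain(names, "0123456789abcdef", 5)  # old policy: 5 iterations, 8-byte salt
    new = nsec3_chain(names, "-", 0)                 # new policy: 0 iterations, no salt
    print("chain entries shared between old and new policy:", len(set(old) & set(new)))
    print(check_nsec3param("example.com. 0 IN NSEC3PARAM 1 0 5 0123456789abcdef"))
    print(check_nsec3param("example.com. 0 IN NSEC3PARAM 1 0 0 -"))
```

After the reload, `dig +dnssec <zone> NSEC3PARAM` from the server gives the record text to feed to `check_nsec3param`.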