On Tue, Jan 19, 2021 at 8:44 AM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> Sorry for leaving this vague. Changing the salt requires rebuilding the
> entire NSEC3 chain, and so is difficult to combine with incremental zone
> signing (such as BIND's "auto-dnssec maintain"). If you're doing
> periodic whole zone signing, which reconstructs the entire chain, you
> can change the salt at will each time the zone is signed from scratch.
>
> If, on the other hand, the zone is signed incrementally as individual
> records are modified, then there is not an opportunity to change the
> salt, which needs to be consistent across the entire chain.

It should work with incremental signing too. I haven't actually tried it
with BIND's 'auto-dnssec maintain' - perhaps ISC folks can confirm.

The way it should work is that you tell the BIND signing server that
you're updating the NSEC3 parameters (by dynamic update or issuing an
'rndc' control command). It will then in the background rebuild a second
complete NSEC3 chain. While doing this, it will temporarily house the
NSEC3PARAM data in a private record (so that the auth servers don't
instantly start using that chain to construct negative responses), and
will only make that visible in the apex NSEC3PARAM record once the chain
has been fully built. You can then delete the old NSEC3PARAM.

Shumon.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
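As an added illustration (not part of the thread above), the following Python model shows why the salt has to be consistent across the whole chain and why a rollover needs a complete second chain: NSEC3 owner names are iterated SHA-1 hashes of the name plus the salt (RFC 5155 section 5), so a chain built under one salt cannot cover names hashed under another. The sample names are taken from the RFC 5155 Appendix A example zone; `build_chain`, `chain_is_consistent` and `NEW_SALT` are this example's own constructions.

```python
import hashlib
import base64

# RFC 5155 hashed owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt); H=SHA-1."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def build_chain(names, salt: bytes, iterations: int):
    """An NSEC3 chain is the sorted list of hashed owner names; each entry points at its successor (wrapping)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def chain_is_consistent(chain, names, salt: bytes, iterations: int) -> bool:
    """True only if every zone name, hashed with this salt, is an owner name present in the chain."""
    owners = {owner for owner, _ in chain}
    return all(nsec3_hash(n, salt, iterations) in owners for n in names)

# Constructed sample zone: the owner names of the RFC 5155 Appendix A example zone.
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
              "w.example.", "*.w.example.", "x.w.example.", "y.w.example.",
              "x.y.w.example.", "xx.example."]
ITERATIONS = 12
OLD_SALT = bytes.fromhex("aabbccdd")          # the salt used in RFC 5155 Appendix A
NEW_SALT = bytes.fromhex("0123456789abcdef")  # constructed replacement salt for the rollover

if __name__ == "__main__":
    old_chain = build_chain(ZONE_NAMES, OLD_SALT, ITERATIONS)
    # The existing chain only covers names hashed with the salt it was built under.
    print("old chain valid under OLD_SALT:", chain_is_consistent(old_chain, ZONE_NAMES, OLD_SALT, ITERATIONS))
    print("old chain valid under NEW_SALT:", chain_is_consistent(old_chain, ZONE_NAMES, NEW_SALT, ITERATIONS))
    # Hence the rollover described in the thread: build a complete second chain before switching NSEC3PARAM.
    new_chain = build_chain(ZONE_NAMES, NEW_SALT, ITERATIONS)
    print("new chain valid under NEW_SALT:", chain_is_consistent(new_chain, ZONE_NAMES, NEW_SALT, ITERATIONS))
```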