Commit 45d62398 authored by Evan Hunt's avatar Evan Hunt

CHANGES, README, release note

parent 18454a0b
Pipeline #25139 canceled with stages
in 18 seconds
5316. [func] A new "dnssec-policy" option has been added to
named.conf to implement a key and signing policy
(KASP) for zones. When this option is in use,
named can generate new keys as needed and
automatically roll both ZSK and KSK keys. (Note
that the syntax for this statement differs from
the dnssec policy used by dnssec-keymgr.)
See the ARM for configuration details. [GL #1134]
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
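Review bot: The context line of entry 5315 just below the new entry spells "initial" as "inital"; since this hunk already touches the top of CHANGES, fix that typo in the same commit. The new 5316 entry itself reads well and correctly flags that the statement syntax differs from the policy format used by dnssec-keymgr.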
......
......@@ -127,6 +127,8 @@ BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using `dnssec-keys`
* YAML output for `dig`, `mdig`, and `delv`.
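Review bot: Bullet punctuation in this list is inconsistent: the new "dnssec-policy" bullet and the `dig` bullet end with a period, while the GeoIP2 and `dnssec-keys` bullets do not. Pick one style for all four, and consider writing `dnssec-policy` in backticks like the other option names in the list rather than in double quotes.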
......
......@@ -3127,6 +3127,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<entry colname="2">
<para>
describes a DNSSEC key and signing policy for zones.
See <xref linkend="dnssec_policy_grammar"/> for details.
</para>
</entry>
</row>
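Review bot: The new `<xref linkend="dnssec_policy_grammar"/>` must resolve to an `xml:id` defined elsewhere in the ARM; the target is not visible in this diff, so confirm it exists, because a dangling linkend fails the DocBook build. Also check that the lowercase sentence fragment "describes a DNSSEC key and signing policy for zones." follows the same phrasing as the other rows of this statements table.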
......@@ -11043,8 +11044,8 @@ example.com CNAME rpz-tcp-only.
<term><command>dnskey-ttl</command></term>
<listitem>
<para>
The TTL of the DNSKEY resource records.
Default is <constant>3600</constant> seconds.
The TTL of the DNSKEY resource records.
Default is <constant>3600</constant> seconds.
</para>
</listitem>
</varlistentry>
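Review bot: `dnskey-ttl` gives its default as `<constant>3600</constant>` seconds, while every other duration in this section (`publish-safety`, `signatures-refresh`, `zone-max-ttl`, the parent delays) is documented in ISO 8601 form such as `PT5M` or `PT24H`. Document it the same way, for example "Default is <constant>PT1H</constant> (1 hour)", so readers can tell which duration syntax the option accepts. The reflow itself changes no wording.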
......@@ -11053,9 +11054,9 @@ example.com CNAME rpz-tcp-only.
<term><command>keys</command></term>
<listitem>
<para>
A list of keys to use. Each line represents one key. Here is
an example (for illustration purposes only) of some possible
keys in a <command>dnssec-policy</command>:
A list of keys to use. Each line represents one key. Here is
an example (for illustration purposes only) of some possible
keys in a <command>dnssec-policy</command>:
</para>
 
<programlisting>keys {
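Review bot: "Each line represents one key" ties the syntax to line breaks, but named.conf entries are delimited by semicolons, not newlines; "each entry represents one key" is more accurate and still matches the programlisting that follows.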
......@@ -11066,29 +11067,29 @@ example.com CNAME rpz-tcp-only.
</programlisting>
 
<para>
This example lists three keys. The first token determines
what RRsets the key will sign. If set to
<userinput>ksk</userinput> the key will sign the DNSKEY, CDS,
and CDNSKEY RRsets, if set to <userinput>zsk</userinput> the
key will sign the other RRsets, and if set to
<userinput>csk</userinput> the key will sign all RRsets.
This example lists three keys. The first token determines
what RRsets the key will sign. If set to
<userinput>ksk</userinput> the key will sign the DNSKEY, CDS,
and CDNSKEY RRsets, if set to <userinput>zsk</userinput> the
key will sign the other RRsets, and if set to
<userinput>csk</userinput> the key will sign all RRsets.
</para>
<para>
The following part determines where the key will be stored.
Currently keys can only be stored in the configured
<command>key-directory</command>.
The following part determines where the key will be stored.
Currently keys can only be stored in the configured
<command>key-directory</command>.
</para>
<para>
The third token tells how long the key may be used. In the
example the first key has a lifetime of 5 years, the second
key may be used for 30 days and the third key has a rather
peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
seconds.
The third token tells how long the key may be used. In the
example the first key has a lifetime of 5 years, the second
key may be used for 30 days and the third key has a rather
peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
seconds.
</para>
<para>
The last token(s) are the key's algorithm and algorithm length.
The length may be omitted as shown in the example for the
second and third key.
The last token(s) are the key's algorithm and algorithm
length. The length may be omitted as shown in the
example for the second and third key.
</para>
</listitem>
</varlistentry>
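Review bot: The last paragraph says the algorithm length may be omitted for the second and third key but never states what size is then used; add the default key length per algorithm (or note that the algorithm has a fixed size) so operators know what they are deploying. In the first paragraph, "the key will sign the other RRsets" for `zsk` is vague; "all RRsets other than DNSKEY, CDS and CDNSKEY" says it precisely. The reflow itself preserves the wording unchanged.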
......@@ -11097,9 +11098,10 @@ example.com CNAME rpz-tcp-only.
<term><command>publish-safety</command></term>
<listitem>
<para>
A margin that is added to the publish interval in key timing
equations to give some extra time to cover unforeseen events.
Default is <constant>PT5M</constant> (5 minutes).
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <constant>PT5M</constant>
(5 minutes).
</para>
</listitem>
</varlistentry>
......@@ -11108,9 +11110,10 @@ example.com CNAME rpz-tcp-only.
<term><command>retire-safety</command></term>
<listitem>
<para>
A margin that is added to the retire interval in key timing
equations to give some extra time to cover unforeseen events.
Default is <constant>PT5M</constant> (5 minutes).
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <constant>PT5M</constant>
(5 minutes).
</para>
</listitem>
</varlistentry>
......@@ -11119,13 +11122,13 @@ example.com CNAME rpz-tcp-only.
<term><command>signatures-refresh</command></term>
<listitem>
<para>
This determines when a RRSIG record needs to be refreshed.
The signatures is renewed when the time until the expiration
time is closer than <command>signatures-refresh</command>.
<command>signatures-resign</command> interval.
Default is <constant>P5D</constant> (5 days), meaning a
signature that will expire in 5 days or sooner will be
refreshed.
This determines when a RRSIG record needs to be
refreshed. The signatures is renewed when the time until
the expiration time is closer than
<command>signatures-refresh</command>.
<command>signatures-resign</command> interval. Default
is <constant>P5D</constant> (5 days), meaning a signature
that will expire in 5 days or sooner will be refreshed.
</para>
</listitem>
</varlistentry>
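Review bot: The reflow preserves a grammar error and a stray fragment in this paragraph: "The signatures is renewed" should be "A signature is renewed", and the dangling sentence "<command>signatures-resign</command> interval." refers to an option that appears nowhere in this variablelist and reads like a leftover from an earlier draft; delete it or finish the sentence. Suggested wording: "A signature is renewed when the time until its expiration is shorter than <command>signatures-refresh</command>."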
......@@ -11134,9 +11137,9 @@ example.com CNAME rpz-tcp-only.
<term><command>signatures-validity</command></term>
<listitem>
<para>
The validity period of an RRSIG record (minus the inception
offset and jitter). Default is <constant>P2W</constant>
(2 weeks).
The validity period of an RRSIG record (minus the
inception offset and jitter). Default is
<constant>P2W</constant> (2 weeks).
</para>
</listitem>
</varlistentry>
......@@ -11145,8 +11148,9 @@ example.com CNAME rpz-tcp-only.
<term><command>signatures-validity-dnskey</command></term>
<listitem>
<para>
Like <command>signatures-validity</command> but for DNSKEY
records. Default is <constant>P2W</constant> (2 weeks).
Like <command>signatures-validity</command> but for
DNSKEY records. Default is <constant>P2W</constant> (2
weeks).
</para>
</listitem>
</varlistentry>
......@@ -11155,32 +11159,32 @@ example.com CNAME rpz-tcp-only.
<term><command>zone-max-ttl</command></term>
<listitem>
<para>
Like <command>max-zone-ttl</command>, specifies the maximum
permissible TTL value in seconds. When loading a zone file
using a <option>masterfile-format</option> or
<constant>text</constant> or <constant>raw</constant>,
any record encountered with a TTL higher than
<option>zone-max-ttl</option> will be capped to the maximum
permissible TTL value.
Like <command>max-zone-ttl</command>, specifies the
maximum permissible TTL value in seconds. When loading a
zone file using a <option>masterfile-format</option> or
<constant>text</constant> or <constant>raw</constant>,
any record encountered with a TTL higher than
<option>zone-max-ttl</option> will be capped to the
maximum permissible TTL value.
</para>
<para>
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from
caches. The <option>zone-max-ttl</option> option guarantees
that the largest TTL in the zone will be no higher than the
set value.
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from caches.
The <option>zone-max-ttl</option> option guarantees that
the largest TTL in the zone will be no higher than the
set value.
</para>
<para>
(NOTE: Because <constant>map</constant>-format files
load directly into memory, this option cannot be
used with them.)
</para>
<para>
The default value is <constant>PT24H</constant> (24 hours).
A <option>zone-max-ttl</option> of zero is treated as if
the default value is in use.
</para>
<para>
(NOTE: Because <constant>map</constant>-format files
load directly into memory, this option cannot be
used with them.)
</para>
<para>
The default value is <constant>PT24H</constant> (24 hours).
A <option>zone-max-ttl</option> of zero is treated as if
the default value is in use.
</para>
</listitem>
</varlistentry>
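Review bot: `zone-max-ttl` is described as "the maximum permissible TTL value in seconds" while its default is given as `PT24H`, an ISO 8601 duration; state which syntax the option accepts (or that both are accepted) so the description and the default agree. In the same paragraph, "using a <option>masterfile-format</option> or <constant>text</constant> or <constant>raw</constant>" should read "using a <option>masterfile-format</option> of <constant>text</constant> or <constant>raw</constant>", which also makes the map-format note below it follow naturally.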
 
......@@ -11188,10 +11192,11 @@ example.com CNAME rpz-tcp-only.
<term><command>zone-propagation-delay</command></term>
<listitem>
<para>
The expected propagation delay from when a zone is updated
and when the new version of the zone is served by all its
name servers. Default is <constant>PT5M</constant> (5 minutes).
</para>
The expected propagation delay from when a zone is
updated and when the new version of the zone is served by
all its name servers. Default is
<constant>PT5M</constant> (5 minutes).
</para>
</listitem>
</varlistentry>
 
......@@ -11199,9 +11204,9 @@ example.com CNAME rpz-tcp-only.
<term><command>parent-ds-ttl</command></term>
<listitem>
<para>
The TTL of the DS RRset that the parent uses. Default is
<constant>PT1H</constant> (1 hour).
</para>
The TTL of the DS RRset that the parent uses. Default is
<constant>PT1H</constant> (1 hour).
</para>
</listitem>
</varlistentry>
 
......@@ -11209,11 +11214,11 @@ example.com CNAME rpz-tcp-only.
<term><command>parent-propagation-delay</command></term>
<listitem>
<para>
The expected propagation delay from when the parent zone is
updated and when the new version of the parent zone is served
by all its name servers. Default is
<constant>PT1H</constant> (1 hour).
</para>
The expected propagation delay from when the parent zone
is updated and when the new version of the parent zone is
served by all its name servers. Default is
<constant>PT1H</constant> (1 hour).
</para>
</listitem>
</varlistentry>
 
......@@ -11221,15 +11226,14 @@ example.com CNAME rpz-tcp-only.
<term><command>parent-registration-delay</command></term>
<listitem>
<para>
The expected registration delay from when a DS RRset change
is requested and when the DS RRset has been updated in the
parent zone. Default is <constant>P1D</constant> (1 day).
The expected registration delay from when a DS RRset
change is requested and when the DS RRset has been
updated in the parent zone. Default is
<constant>P1D</constant> (1 day).
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
 
<section xml:id="managed-keys"><info><title><command>managed-keys</command> Statement Grammar</title></info>
......
......@@ -11,6 +11,16 @@
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
The new <command>dnssec-policy</command> option allows the
configuration key and signing policy (KASP) for zones. This
option enables <command>named</command> to generate new keys
as needed and automatically roll both ZSK and KSK keys.
(Note that the syntax for this statement differs from the dnssec
policy used by <command>dnssec-keymgr</command>.) [GL #1134]
</para>
</listitem>
<listitem>
<para>
Added a new statistics variable <command>tcp-highwater</command>
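Review bot: "allows the configuration key and signing policy (KASP) for zones" is missing a word; make it "allows the configuration of a key and signing policy (KASP) for zones", or reuse the CHANGES wording from this commit, "to implement a key and signing policy (KASP) for zones". Otherwise the note matches the CHANGES entry, including the dnssec-keymgr syntax caveat and the GL reference.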
......