Implement a dnssec-policy statement in named.conf
A DNSSEC key and signing policy (KASP) is a DNSSEC policy that can be defined once and applied to one or more zones.
For some background information, see:
https://www.ietf.org/archive/id/draft-mekking-dnsop-kasp-00.txt
Implement configuration statements and options so that a KASP can be configured in named.conf.
Suggested syntax, by example:
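zone "example.com." {
    ...
    // Attach the policy to the zone by name. The statement is spelled
    // "dnssec-policy" here and in the proposal title; the policy block
    // below uses the same spelling so both refer to the same statement.
    dnssec-policy "nsec3";
};
...
// Policy definition (originally written "dnssecpolicy"; aligned with the
// zone-level reference above). Option meanings are this proposal's intent
// and are not yet fixed by an implementation; notes marked NOTE(review)
// are points to confirm when the grammar is implemented.
dnssec-policy "nsec3" {
    description "policy for zones that require zone walking mitigation";

    // Signatures
    // Durations in this block use ISO 8601 (PnD, PTnH, PTnS); TTL values
    // are plain seconds.
    signatures-resign PT2H;
    signatures-refresh P3D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    signatures-validity-denial P7D;
    // Presumably spreads expiration times so the whole zone does not need
    // resigning at once — confirm.
    signatures-jitter PT12H;
    // Presumably backdates the inception time to tolerate validator clock
    // skew — confirm.
    signatures-inception-offset PT300S;

    // Denial of existence
    denial-type nsec3;
    nsec3param-ttl 0;
    // "no" presumably clears the NSEC3 opt-out flag (RFC 5155), so unsigned
    // delegations stay covered by denial proofs — confirm.
    nsec3-optout no;
    nsec3-hash-algorithm 1;
    // NOTE(review): extra hash iterations add CPU cost for the signer and
    // for every validator without materially strengthening the denial
    // proofs; RFC 9276 recommends 0 iterations and an empty salt. Consider
    // 0 as the documented default for this option.
    nsec3-hash-iterations 5;
    nsec3-salt-length 8;
    nsec3-resalt P100D;

    // Keys
    dnskey-ttl 3600;
    // Safety margins, presumably added to the computed publish/retire
    // timings to absorb propagation uncertainty — confirm.
    dnskey-publish-safety PT3600S;
    dnskey-retire-safety PT3600S;
    share-keys no;
    purge-keys-after P14D;
    keys {
        // Field order appears to be: role, key store, lifetime,
        // online/offline, rollover mode, algorithm — confirm the grammar.
        // KSK lives in an HSM, is kept offline and rolled manually.
        ksk hsm "softhsm" P1Y offline manual ECDSAP256SHA256;
        // ZSK private material is file-based; the directory must be
        // readable only by the named user, since anyone who can read it
        // can produce valid zone signatures.
        zsk directory "/etc/bind9/dnsseckeys/" P30D online automatic ECDSAP256SHA256;
    };

    // Parent synchronization
    // Presumably publishes CDS/CDNSKEY records (RFC 7344) so the parent can
    // pick up DS changes — confirm.
    cds yes;
    cdnskey yes;
    // NOTE(review): the DS check is only as trustworthy as the resolver it
    // queries; 127.0.0.53 is a loopback address (a local stub on many
    // hosts). Confirm whether the check requires DNSSEC-validated answers.
    check-ds { 127.0.0.53; };
    check-ds-interval PT3600S;

    // Zone properties
    zone-propagation-delay PT3600S;
    zone-soa-ttl 3600;
    zone-soa-minimum 3600;
    zone-soa-serial-update-method unixtime;
    // NOTE(review): "24H" matches neither the ISO 8601 form (PT24H) nor the
    // plain-seconds form used by the other TTLs here — confirm which syntax
    // this option accepts.
    zone-max-ttl 24H;

    // Parent properties
    parent-propagation-delay PT24H;
    parent-ds-ttl 3600;
    parent-soa-ttl 3600;
    parent-soa-minimum 3600;
};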