... | ... | @@ -27,7 +27,7 @@ different options per zone, you would be able to do the following: |
```
zone "example.com." {
...
dnssec-policy "_default";
dnssec-policy "default";
};
```
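Review bot: dropping the underscore from the built-in policy name (`"_default"` to `"default"`) removes the visual hint that this name is reserved; state explicitly whether `default` is a built-in `dnssec-policy` that users cannot redefine, and what `named` does if `named.conf` also declares its own `dnssec-policy "default" { ... }`. The configuration list later in this patch writes the same option unquoted as `dnssec-policy default`, so pick one form (quoted or unquoted) for all examples.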
... | ... | @@ -106,7 +106,6 @@ is set for a zone. |
Other DNSSEC related configuration options that are not related to the policy
are likely to stay:
1. `key-directory`: This is where the DNSKEY key files can be found.
1. `serial-update-method`: This is used for dynamic zones to determne how
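Review bot: `key-directory` is listed here as an option that stays outside the policy, while the policy example further down uses `key-directory` as a key-store keyword inside `keys { ksk key-directory lifetime P5Y 13; ... }`; spell out that the keyword refers back to the zone's `key-directory` option (or rename one of the two) so readers do not expect a second, policy-level directory setting. Likewise `serial-update-method` is said to stay, yet the example policy carries `zone-soa-serial-update-method unixtime;`; say which one wins when both are configured. While touching this line, fix the typo `determne` to `determine`.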
... | ... | @@ -120,59 +119,32 @@ below. This includes all options as described in the KASP draft, but we may |
decide that some options are not required.
```
dnssec-policy "nsec3" {
description "policy for zones that require zone walking mitigation";
dnssec-policy "example" {
// Signatures
signatures-resign PT2H;
signatures-refresh P3D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
signatures-validity-denial P7D;
signatures-jitter PT12H;
signatures-inception-offset PT300S;
// Denial of existence
denial-type nsec3;
nsec3param-ttl 0;
nsec3-optout no;
nsec3-hash-algorithm 1;
nsec3-hash-iterations 5;
nsec3-salt-length 8;
nsec3-resalt P100D;
// Keys
dnskey-ttl 3600;
dnskey-publish-safety PT3600S;
dnskey-retire-safety PT3600S;
share-keys no;
purge-keys-after P14D;
publish-safety PT3600S;
retire-safety PT3600S;
keys {
ksk hsm "softhsm" P5Y ECDSAP256SHA256;
zsk directory "/etc/bind9/dnsseckeys/" P30D ECDSAP256SHA256;
csk key-directory PT0S 8 2048;
ksk key-directory lifetime P5Y 13;
zsk key-directory lifetime 30d 13;
csk key-directory lifetime PT0S 8 2048;
};
// Parent synchronization
cds yes;
cdnskey yes;
check-ds { 127.0.0.53; };
check-ds-interval PT3600S;
// Zone properties
zone-propagation-delay PT3600S;
zone-soa-ttl 3600;
zone-soa-minimum 3600;
zone-soa-serial-update-method unixtime;
zone-max-ttl 24H;
// Parent properties
parent-propagation-delay PT24H;
parent-registration-delay 1h;
parent-ds-ttl 3600;
parent-soa-ttl 3600;
parent-soa-minimum 3600;
};
```
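Review bot: the duration values in this one example mix syntaxes: the `keys` block has `P5Y`, `30d` and `PT0S` side by side, the zone section uses `24H`, and the parent section has `1h` next to `PT24H`, while the `signatures-*` options consistently use ISO 8601 durations; settle on one format for the example and document which forms the parser accepts, otherwise users will copy whichever one they see first. `csk key-directory lifetime PT0S 8 2048;` reads as a zero-second lifetime; if `PT0S` is meant to express "unlimited, never roll", say so in a comment, because a literal zero could equally be read as "roll immediately". The keys section also carries both `dnskey-publish-safety`/`dnskey-retire-safety` and `publish-safety`/`retire-safety` with identical `PT3600S` values; keep one pair. Finally, renaming the policy from `"nsec3"` to `"example"` drops the `description "policy for zones that require zone walking mitigation"` line, so the reader no longer learns why `denial-type nsec3;` with `nsec3-optout no;` and periodic `nsec3-resalt P100D;` were chosen; keep the description or state the purpose in a `//` comment above the denial section.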
... | ... | @@ -219,7 +191,7 @@ of keys: |
Currently if you want to sign your zone with NSEC3 you can do so by introducing
an NSEC3PARAM record via Dynamic Update. This is no longer necessary with
`dnssec-policy` as you can configure NSEC3 usage in `named.conf`.
`dnssec-policy` as you can configure NSEC3 usage in `named.conf` (NOT IMPLEMENTED YET).
## Changing policies
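Review bot: appending `(NOT IMPLEMENTED YET)` contradicts the sentence it is attached to, which still tells the reader that adding an NSEC3PARAM record via Dynamic Update "is no longer necessary"; reword so the current state is unambiguous, for example "This will no longer be necessary once `dnssec-policy` supports configuring NSEC3 in `named.conf` (not implemented yet); until then, keep introducing the NSEC3PARAM record via Dynamic Update." The same marker is used in the key purging hunk of this patch, so the wording is at least consistent across the document.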
... | ... | @@ -239,7 +211,7 @@ information: |
## Configuration
1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy _default`).
1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy default`).
1. You can configure DNSSEC for a zone manually (`dnssec-policy` statement).
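Review bot: this list writes the policy name unquoted (`dnssec-policy default`) while the zone example at the top of the patch quotes it (`dnssec-policy "default";`); use one form so the reader does not wonder whether quoting changes the meaning or whether `default` is a keyword rather than a name. The two items would also read more clearly if the first said "with the built-in `default` policy" and the second "with a user-defined `dnssec-policy` statement", since "single configuration option" versus "manually" does not by itself explain the difference.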
... | ... | @@ -280,4 +252,4 @@ information: |
## Key purging
1.A Removed keys may be purged from storage. |
\ No newline at end of file |
1.A Removed keys may be purged from storage. (NOT IMPLEMENTED YET) |
\ No newline at end of file |
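Review bot: the list marker renders as `1.A Removed keys may be purged from storage.` on both the old and the new line, which looks like a mis-decoded non-breaking space after `1.`; check the source and replace it with a plain space so Markdown recognises the item. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides of the hunk); add one while editing this line. As in the NSEC3 hunk, `(NOT IMPLEMENTED YET)` is used consistently, though a single implementation-status list would be easier to keep current than markers scattered through the document.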