From 45d6239829476652efc2aa48d20ad1d85cd00bba Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 6 Nov 2019 20:06:36 -0800 Subject: [PATCH] CHANGES, REAMDE, release note --- CHANGES | 10 ++ README.md | 2 + doc/arm/Bv9ARM-book.xml | 164 +++++++++++++++++---------------- doc/arm/notes-new-features.xml | 10 ++ 4 files changed, 106 insertions(+), 80 deletions(-) diff --git a/CHANGES b/CHANGES index d6bcfc2939..128da21376 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,13 @@ +5316. [func] A new "dnssec-policy" option has been added to + named.conf to implement a key and signing policy + (KASP) for zones. When this option is in use, + named can generate new keys as needed and + automatically roll both ZSK and KSK keys. (Note + that the syntax for this statement differs from + the dnssec policy used by dnssec-keymgr.) + + See the ARM for configuration details. [GL #1134] + 5315. [bug] Apply the inital RRSIG expiration spread fixed to all dynamically created records in the zone including NSEC3. Also fix the signature clusters diff --git a/README.md b/README.md index ac0abb5ad2..9bd13231c7 100644 --- a/README.md +++ b/README.md @@ -127,6 +127,8 @@ BIND 9.15 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.14 and earlier releases. New features include: +* New "dnssec-policy" statement to configure a key and signing policy + for zones, enabling automatic key regeneration and rollover. * Support for the new GeoIP2 geolocation API * Improved DNSSEC key configuration using `dnssec-keys` * YAML output for `dig`, `mdig`, and `delv`. diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 2562c1f348..a7092fb8c0 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -3127,6 +3127,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. describes a DNSSEC key and signing policy for zones. + See for details. 
@@ -11043,8 +11044,8 @@ example.com CNAME rpz-tcp-only. dnskey-ttl - The TTL of the DNSKEY resource records. - Default is 3600 seconds. + The TTL of the DNSKEY resource records. + Default is 3600 seconds. @@ -11053,9 +11054,9 @@ example.com CNAME rpz-tcp-only. keys - A list of keys to use. Each line represents one key. Here is - an example (for illustration purposes only) of some possible - keys in a dnssec-policy: + A list of keys to use. Each line represents one key. Here is + an example (for illustration purposes only) of some possible + keys in a dnssec-policy: keys { 
@@ -11066,29 +11067,29 @@ example.com CNAME rpz-tcp-only. - This example lists three keys. The first token determines - what RRsets the key will sign. If set to - ksk the key will sign the DNSKEY, CDS, - and CDNSKEY RRsets, if set to zsk the - key will sign the other RRsets, and if set to - csk the key will sign all RRsets. + This example lists three keys. The first token determines + what RRsets the key will sign. If set to + ksk the key will sign the DNSKEY, CDS, + and CDNSKEY RRsets, if set to zsk the + key will sign the other RRsets, and if set to + csk the key will sign all RRsets. - The following part determines where the key will be stored. - Currently keys can only be stored in the configured - key-directory. + The following part determines where the key will be stored. + Currently keys can only be stored in the configured + key-directory. - The third token tells how long the key may be used. In the - example the first key has a lifetime of 5 years, the second - key may be used for 30 days and the third key has a rather - peculiar lifetime of 6 months, 12 hours, 3 minutes and 15 - seconds. + The third token tells how long the key may be used. In the + example the first key has a lifetime of 5 years, the second + key may be used for 30 days and the third key has a rather + peculiar lifetime of 6 months, 12 hours, 3 minutes and 15 + seconds. - The last token(s) are the key's algorithm and algorithm length. - The length may be omitted as shown in the example for the - second and third key. + The last token(s) are the key's algorithm and algorithm + length. The length may be omitted as shown in the + example for the second and third key. 
@@ -11097,9 +11098,10 @@ example.com CNAME rpz-tcp-only. publish-safety - A margin that is added to the publish interval in key timing - equations to give some extra time to cover unforeseen events. - Default is PT5M (5 minutes). + A margin that is added to the publish interval in key + timing equations to give some extra time to cover + unforeseen events. Default is PT5M + (5 minutes). @@ -11108,9 +11110,10 @@ example.com CNAME rpz-tcp-only. retire-safety - A margin that is added to the retire interval in key timing - equations to give some extra time to cover unforeseen events. - Default is PT5M (5 minutes). + A margin that is added to the retire interval in key + timing equations to give some extra time to cover + unforeseen events. Default is PT5M + (5 minutes). @@ -11119,13 +11122,13 @@ example.com CNAME rpz-tcp-only. signatures-refresh - This determines when a RRSIG record needs to be refreshed. - The signatures is renewed when the time until the expiration - time is closer than signatures-refresh. - signatures-resign interval. - Default is P5D (5 days), meaning a - signature that will expire in 5 days or sooner will be - refreshed. + This determines when a RRSIG record needs to be + refreshed. The signatures is renewed when the time until + the expiration time is closer than + signatures-refresh. + signatures-resign interval. Default + is P5D (5 days), meaning a signature + that will expire in 5 days or sooner will be refreshed. @@ -11134,9 +11137,9 @@ example.com CNAME rpz-tcp-only. signatures-validity - The validity period of an RRSIG record (minus the inception - offset and jitter). Default is P2W - (2 weeks). + The validity period of an RRSIG record (minus the + inception offset and jitter). Default is + P2W (2 weeks). 
@@ -11145,8 +11148,9 @@ example.com CNAME rpz-tcp-only. signatures-validity-dnskey - Like signatures-validity but for DNSKEY - records. Default is P2W (2 weeks). + Like signatures-validity but for + DNSKEY records. Default is P2W (2 + weeks). @@ -11155,32 +11159,32 @@ example.com CNAME rpz-tcp-only. zone-max-ttl - Like max-zone-ttl, specifies the maximum - permissible TTL value in seconds. When loading a zone file - using a or - text or raw, - any record encountered with a TTL higher than - will be capped to the maximum - permissible TTL value. + Like max-zone-ttl, specifies the + maximum permissible TTL value in seconds. When loading a + zone file using a or + text or raw, + any record encountered with a TTL higher than + will be capped to the + maximum permissible TTL value. - This is needed in DNSSEC-maintained zones because when - rolling to a new DNSKEY, the old key needs to remain - available until RRSIG records have expired from - caches. The option guarantees - that the largest TTL in the zone will be no higher than the - set value. + This is needed in DNSSEC-maintained zones because when + rolling to a new DNSKEY, the old key needs to remain + available until RRSIG records have expired from caches. + The option guarantees that + the largest TTL in the zone will be no higher than the + set value. + + + (NOTE: Because map-format files + load directly into memory, this option cannot be + used with them.) + + + The default value is PT24H (24 hours). + A of zero is treated as if + the default value is in use. - - (NOTE: Because map-format files - load directly into memory, this option cannot be - used with them.) - - - The default value is PT24H (24 hours). - A of zero is treated as if - the default value is in use. - 
@@ -11188,10 +11192,11 @@ example.com CNAME rpz-tcp-only. zone-propagation-delay - The expected propagation delay from when a zone is updated - and when the new version of the zone is served by all its - name servers. Default is PT5M (5 minutes). - + The expected propagation delay from when a zone is + updated and when the new version of the zone is served by + all its name servers. Default is + PT5M (5 minutes). + @@ -11199,9 +11204,9 @@ example.com CNAME rpz-tcp-only. parent-ds-ttl - The TTL of the DS RRset that the parent uses. Default is - PT1H (1 hour). - + The TTL of the DS RRset that the parent uses. Default is + PT1H (1 hour). + @@ -11209,11 +11214,11 @@ example.com CNAME rpz-tcp-only. parent-propagation-delay - The expected propagation delay from when the parent zone is - updated and when the new version of the parent zone is served - by all its name servers. Default is - PT1H (1 hour). - + The expected propagation delay from when the parent zone + is updated and when the new version of the parent zone is + served by all its name servers. Default is + PT1H (1 hour). + @@ -11221,15 +11226,14 @@ example.com CNAME rpz-tcp-only. parent-registration-delay - The expected registration delay from when a DS RRset change - is requested and when the DS RRset has been updated in the - parent zone. Default is P1D (1 day). + The expected registration delay from when a DS RRset + change is requested and when the DS RRset has been + updated in the parent zone. Default is + P1D (1 day). - -
<command>managed-keys</command> Statement Grammar diff --git a/doc/arm/notes-new-features.xml b/doc/arm/notes-new-features.xml index 95c27fb0db..5f10e70476 100644 --- a/doc/arm/notes-new-features.xml +++ b/doc/arm/notes-new-features.xml @@ -11,6 +11,16 @@
New Features + + + The new dnssec-policy option allows the + configuration key and signing policy (KASP) for zones. This + option enables named to generate new keys + as needed and automatically roll both ZSK and KSK keys. + (Note that the syntax for this statement differs from the dnssec + policy used by dnssec-keymgr.) [GL #1134] + + Added a new statistics variable tcp-highwater
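Review bot: the commit subject misspells README as "REAMDE"; please correct it before merge. While this CHANGES hunk touches the top of the file, the pre-existing "inital" in the 5315 context line directly below the new 5316 entry could be fixed to "initial" in the same commit, since the entry text itself reads fine.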
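Review bot: the new README.md bullet wraps the statement name in double quotes ("dnssec-policy") while the neighbouring bullet uses backticks for `dnssec-keys`; use backticks for consistency, e.g. `* New \`dnssec-policy\` statement to configure a key and signing policy`. The bullet also ends with a period whereas the two bullets that follow it have none, so pick one punctuation style for the list.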
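Review bot: the added line "See for details." in the Bv9ARM-book.xml hunk at line 3127 shows no visible cross-reference target in this rendering; confirm that the inline reference element resolves to the dnssec-policy description section (the option text rewrapped in the later hunks around line 11043), otherwise the sentence renders literally as "See for details."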
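Review bot: the rewrapped signatures-refresh paragraph (Bv9ARM-book.xml hunk at line 11122) carries over a grammar error and a dangling fragment: "The signatures is renewed" should read "The signature is renewed", and "closer than signatures-refresh. signatures-resign interval." leaves "signatures-resign interval." standing as a sentence with no verb. Since the hunk already reflows this text, suggest "The signature is renewed when the time until its expiration is shorter than signatures-refresh. Default is P5D (5 days), ..." and drop the signatures-resign fragment unless that option exists and is meant to be referenced here.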
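Review bot: in the zone-max-ttl paragraph (Bv9ARM-book.xml hunk at line 11159) the sentence "When loading a zone file using a or text or raw, any record encountered with a TTL higher than will be capped" renders with empty gaps where option and variable names should appear; verify those inline elements resolve, and that the referenced name is zone-max-ttl rather than max-zone-ttl, since the text was copied from the max-zone-ttl description ("Like max-zone-ttl, specifies ..."). Moving the map-format NOTE and the default-value paragraph inside the zone-max-ttl description is correct; the two trailing closing-tag removals at the end of the parent-registration-delay hunk are what balance that move, so please keep both hunks in the same commit.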
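Review bot: in the notes-new-features.xml hunk, "allows the configuration key and signing policy (KASP) for zones" is missing a word; suggest "allows the configuration of a key and signing policy (KASP) for zones". The remainder of the paragraph matches the wording of the CHANGES entry.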