CHANGES, REAMDE, release note

CHANGES

@@ -1,3 +1,13 @@
+5316.	[func]		A new "dnssec-policy" option has been added to
+			named.conf to implement a key and signing policy
+			(KASP) for zones. When this option is in use,
+			named can generate new keys as needed and
+			automatically roll both ZSK and KSK keys. (Note
+			that the syntax for this statement differs from
+			the dnssec policy used by dnssec-keymgr.)
+
+			See the ARM for configuration details. [GL #1134]
+
 5315.	[bug]		Apply the inital RRSIG expiration spread fixed
 			to all dynamically created records in the zone
 			including NSEC3. Also fix the signature clusters

README.md

@@ -127,6 +127,8 @@ BIND 9.15 is the newest development branch of BIND 9. It includes a
 number of changes from BIND 9.14 and earlier releases. New features
 include:
 
+* New "dnssec-policy" statement to configure a key and signing policy
+  for zones, enabling automatic key regeneration and rollover.
 * Support for the new GeoIP2 geolocation API
 * Improved DNSSEC key configuration using `dnssec-keys`
 * YAML output for `dig`, `mdig`, and `delv`.

doc/arm/Bv9ARM-book.xml

@@ -3127,6 +3127,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <entry colname="2">
 		<para>
 		  describes a DNSSEC key and signing policy for zones.
+		  See <xref linkend="dnssec_policy_grammar"/> for details.
 		</para>
 	      </entry>
 	    </row>
@@ -11043,8 +11044,8 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>dnskey-ttl</command></term>
 	      <listitem>
 		<para>
-		The TTL of the DNSKEY resource records.
+		  The TTL of the DNSKEY resource records.
-		Default is <constant>3600</constant> seconds.
+		  Default is <constant>3600</constant> seconds.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11053,9 +11054,9 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>keys</command></term>
 	      <listitem>
 		<para>
-		A list of keys to use.  Each line represents one key. Here is
+		  A list of keys to use.  Each line represents one key. Here is
-	        an example (for illustration purposes only) of some possible
+		  an example (for illustration purposes only) of some possible
-		keys in a <command>dnssec-policy</command>:
+		  keys in a <command>dnssec-policy</command>:
 		</para>
 
 <programlisting>keys {
@@ -11066,29 +11067,29 @@ example.com                 CNAME   rpz-tcp-only.
 </programlisting>
 
 		<para>
-		This example lists three keys. The first token determines
+		  This example lists three keys. The first token determines
-		what RRsets the key will sign. If set to
+		  what RRsets the key will sign. If set to
-		<userinput>ksk</userinput> the key will sign the DNSKEY, CDS,
+		  <userinput>ksk</userinput> the key will sign the DNSKEY, CDS,
-		and CDNSKEY RRsets, if set to <userinput>zsk</userinput> the
+		  and CDNSKEY RRsets, if set to <userinput>zsk</userinput> the
-		key will sign the other RRsets, and if set to
+		  key will sign the other RRsets, and if set to
-		<userinput>csk</userinput> the key will sign all RRsets.
+		  <userinput>csk</userinput> the key will sign all RRsets.
 		</para>
 		<para>
-		The following part determines where the key will be stored.
+		  The following part determines where the key will be stored.
-		Currently keys can only be stored in the configured
+		  Currently keys can only be stored in the configured
-		<command>key-directory</command>.
+		  <command>key-directory</command>.
 		</para>
 		<para>
-		The third token tells how long the key may be used.  In the
+		  The third token tells how long the key may be used.  In the
-		example the first key has a lifetime of 5 years, the second
+		  example the first key has a lifetime of 5 years, the second
-		key may be used for 30 days and the third key has a rather
+		  key may be used for 30 days and the third key has a rather
-	        peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
+		  peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
-		seconds.
+		  seconds.
 		</para>
 		<para>
-		The last token(s) are the key's algorithm and algorithm length.
+		  The last token(s) are the key's algorithm and algorithm
-		The length may be omitted as shown in the example for the
+		  length.  The length may be omitted as shown in the
-		second and third key.
+		  example for the second and third key.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11097,9 +11098,10 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>publish-safety</command></term>
 	      <listitem>
 		<para>
-		A margin that is added to the publish interval in key timing
+		  A margin that is added to the publish interval in key
-		equations to give some extra time to cover unforeseen events.
+		  timing equations to give some extra time to cover
-		Default is <constant>PT5M</constant> (5 minutes).
+		  unforeseen events.  Default is <constant>PT5M</constant>
+		  (5 minutes).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11108,9 +11110,10 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>retire-safety</command></term>
 	      <listitem>
 		<para>
-		A margin that is added to the retire interval in key timing
+		  A margin that is added to the retire interval in key
-		equations to give some extra time to cover unforeseen events.
+		  timing equations to give some extra time to cover
-		Default is <constant>PT5M</constant> (5 minutes).
+		  unforeseen events.  Default is <constant>PT5M</constant>
+		  (5 minutes).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11119,13 +11122,13 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>signatures-refresh</command></term>
 	      <listitem>
 		<para>
-		This determines when a RRSIG record needs to be refreshed.
+		  This determines when a RRSIG record needs to be
-		The signatures is renewed when the time until the expiration
+		  refreshed.  The signatures is renewed when the time until
-		time is closer than <command>signatures-refresh</command>.
+		  the expiration time is closer than
-		<command>signatures-resign</command> interval.
+		  <command>signatures-refresh</command>.
-		Default is <constant>P5D</constant> (5 days), meaning a
+		  <command>signatures-resign</command> interval.  Default
-		signature that will expire in 5 days or sooner will be
+		  is <constant>P5D</constant> (5 days), meaning a signature
-		refreshed.
+		  that will expire in 5 days or sooner will be refreshed.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11134,9 +11137,9 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>signatures-validity</command></term>
 	      <listitem>
 		<para>
-		The validity period of an RRSIG record (minus the inception
+		  The validity period of an RRSIG record (minus the
-		offset and jitter). Default is <constant>P2W</constant>
+		  inception offset and jitter). Default is
-		(2 weeks).
+		  <constant>P2W</constant> (2 weeks).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11145,8 +11148,9 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>signatures-validity-dnskey</command></term>
 	      <listitem>
 		<para>
-		Like <command>signatures-validity</command> but for DNSKEY
+		  Like <command>signatures-validity</command> but for
-		records. Default is <constant>P2W</constant> (2 weeks).
+		  DNSKEY records. Default is <constant>P2W</constant> (2
+		  weeks).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11155,32 +11159,32 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>zone-max-ttl</command></term>
 	      <listitem>
 		<para>
-		Like <command>max-zone-ttl</command>, specifies the maximum
+		  Like <command>max-zone-ttl</command>, specifies the
-		permissible TTL value in seconds. When loading a zone file
+		  maximum permissible TTL value in seconds. When loading a
-		using a <option>masterfile-format</option> or
+		  zone file using a <option>masterfile-format</option> or
-		<constant>text</constant> or <constant>raw</constant>,
+		  <constant>text</constant> or <constant>raw</constant>,
-		any record encountered with a TTL higher than
+		  any record encountered with a TTL higher than
-		<option>zone-max-ttl</option> will be capped to the maximum
+		  <option>zone-max-ttl</option> will be capped to the
-		permissible TTL value.
+		  maximum permissible TTL value.
 		</para>
 		<para>
-		This is needed in DNSSEC-maintained zones because when
+		  This is needed in DNSSEC-maintained zones because when
-		rolling to a new DNSKEY, the old key needs to remain
+		  rolling to a new DNSKEY, the old key needs to remain
-		available until RRSIG records have expired from
+		  available until RRSIG records have expired from caches.
-		caches.  The <option>zone-max-ttl</option> option guarantees
+		  The <option>zone-max-ttl</option> option guarantees that
-		that the largest TTL in the zone will be no higher than the
+		  the largest TTL in the zone will be no higher than the
-		set value.
+		  set value.
+		</para>
+		<para>
+		  (NOTE: Because <constant>map</constant>-format files
+		  load directly into memory, this option cannot be
+		  used with them.)
+		</para>
+		<para>
+		  The default value is <constant>PT24H</constant> (24 hours).
+		  A <option>zone-max-ttl</option> of zero is treated as if
+		  the default value is in use.
 		</para>
-	      <para>
-		(NOTE: Because <constant>map</constant>-format files
-		load directly into memory, this option cannot be
-		used with them.)
-	      </para>
-	      <para>
-		The default value is <constant>PT24H</constant> (24 hours).
-		A <option>zone-max-ttl</option> of zero is treated as if
-		the default value is in use.
-	      </para>
 	      </listitem>
 	    </varlistentry>
 
@@ -11188,10 +11192,11 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>zone-propagation-delay</command></term>
 	      <listitem>
 		<para>
-		The expected propagation delay from when a zone is updated
+		  The expected propagation delay from when a zone is
-		and when the new version of the zone is served by all its
+		  updated and when the new version of the zone is served by
-		name servers.  Default is <constant>PT5M</constant> (5 minutes).
+		  all its name servers.  Default is
-	      </para>
+		  <constant>PT5M</constant> (5 minutes).
+		</para>
 	      </listitem>
 	    </varlistentry>
 
@@ -11199,9 +11204,9 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>parent-ds-ttl</command></term>
 	      <listitem>
 		<para>
-		The TTL of the DS RRset that the parent uses.  Default is
+		  The TTL of the DS RRset that the parent uses.  Default is
-		<constant>PT1H</constant> (1 hour).
+		  <constant>PT1H</constant> (1 hour).
-	      </para>
+		</para>
 	      </listitem>
 	    </varlistentry>
 
@@ -11209,11 +11214,11 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>parent-propagation-delay</command></term>
 	      <listitem>
 		<para>
-		The expected propagation delay from when the parent zone is
+		  The expected propagation delay from when the parent zone
-		updated and when the new version of the parent zone is served
+		  is updated and when the new version of the parent zone is
-		by all its name servers.  Default is
+		  served by all its name servers.  Default is
-		<constant>PT1H</constant> (1 hour).
+		  <constant>PT1H</constant> (1 hour).
-	      </para>
+		</para>
 	      </listitem>
 	    </varlistentry>
 
@@ -11221,15 +11226,14 @@ example.com                 CNAME   rpz-tcp-only.
 	      <term><command>parent-registration-delay</command></term>
 	      <listitem>
 		<para>
-		The expected registration delay from when a DS RRset change
+		  The expected registration delay from when a DS RRset
-		is requested and when the DS RRset has been updated in the
+		  change is requested and when the DS RRset has been
-		parent zone.  Default is <constant>P1D</constant> (1 day).
+		  updated in the parent zone.  Default is
+		  <constant>P1D</constant> (1 day).
 	      </para>
 	      </listitem>
 	    </varlistentry>
-
 	  </variablelist>
-
 	</section>
 
 	<section xml:id="managed-keys"><info><title><command>managed-keys</command> Statement Grammar</title></info>

doc/arm/notes-new-features.xml

@@ -11,6 +11,16 @@
 
 <section xml:id="relnotes_features"><info><title>New Features</title></info>
   <itemizedlist>
+    <listitem>
+      <para>
+	The new <command>dnssec-policy</command> option allows the
+	configuration key and signing policy (KASP) for zones. This
+	option enables <command>named</command> to generate new keys
+	as needed and automatically roll both ZSK and KSK keys.
+	(Note that the syntax for this statement differs from the dnssec
+	policy used by <command>dnssec-keymgr</command>.) [GL #1134]
+      </para>
+    </listitem>
     <listitem>
       <para>
         Added a new statistics variable <command>tcp-highwater</command>