From 2305d8770bd80cdd7109e0271208e14d262862b1 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 27 Sep 2022 11:46:23 +0200 Subject: [PATCH 1/3] Add inline-signing requirement to DNSSEC Guide This change was made in !6403, but the appropriate documentation changes were not applied to the DNSSEC Guide. (cherry picked from commit 09522c8d73650b477960cc63ec420c72006a5829) --- doc/dnssec-guide/signing.rst | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 7fb8e147de..d1175cdb0a 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -66,6 +66,7 @@ To sign a zone, add the following statement to its zone "example.com" in { ... dnssec-policy default; + inline-signing yes; ... }; @@ -77,6 +78,17 @@ for most situations. We cover the creation of a custom policy in :ref:`signing_custom_policy`, but for the moment we are accepting the default values. +Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` +to be enabled. + +.. note:: + + Previously, if a zone with a :any:`dnssec-policy` did not have dynamic + DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used + inline-signing implicitly. But this caused a lot of problems when operators + switched on or off dynamic DNS for their zones. Therefor, you now have to + configure it explicitly. + When the configuration file is updated, tell :iscman:`named` to reload the configuration file by running :option:`rndc reconfig`: 
@@ -1358,9 +1370,8 @@ repeated here. A few points are worth noting, though: - The :any:`dnssec-policy` statement in the :iscman:`named` configuration file describes all aspects of the DNSSEC policy, including the signing. -- When using :any:`dnssec-policy`, there is no need to set the - :any:`auto-dnssec` and :any:`inline-signing` options for a zone. The zone's - ``policy`` statement implicitly does this. +- The :any:`dnssec-policy` statement requires to zone to use dynamic DNS, + or that :any:`inline-signing` is enabled. .. _advanced_discussions_manual_key_management_and_signing: From d1a01d88f992da30d2a93d968d58a8201ba5c3f3 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 27 Sep 2022 11:57:53 +0200 Subject: [PATCH 2/3] Update inline-signing requirement to ARM This change was made in !6403, but the appropriate documentation changes were not applied to the ARM. (cherry picked from commit 5d454a715876f8524e11acfbccfd1292c3fbedfa) --- doc/arm/reference.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 9204b74ed6..9e20e4064c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -6339,12 +6339,16 @@ zone is generated even if they have the same policy. If multiple views are configured with different versions of the same zone, each separate version uses the same set of signing keys. -By default, :any:`dnssec-policy` assumes :any:`inline-signing`. This means that -a signed version of the zone is maintained separately and is written out to -a different file on disk (the zone's filename plus a ``.signed`` extension). +The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or +:any:`inline-signing` to be enabled. + +If :any:`inline-signing` is enabled, this means that a signed version of the +zone is maintained separately and is written out to a different file on disk +(the zone's filename plus a ``.signed`` extension). If the zone is dynamic because it is configured with an :any:`update-policy` or -:any:`allow-update`, the DNSSEC records are written to the filename set in the original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. +:any:`allow-update`, the DNSSEC records are written to the filename set in the +original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. Key rollover timing is computed for each key according to the key lifetime defined in the KASP. The lifetime may be modified by zone TTLs From 2abb2b638a8c2c7bf43af15d11a257e9caf3ad82 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 27 Sep 2022 12:04:37 +0200 Subject: [PATCH 3/3] Add inline-signing to config examples Add 'inline-signing yes;' to configuration examples to have working copy paste configurations. (cherry picked from commit 18d230a5844038ad3fdd438f25f83a6580f4782e) --- doc/arm/dnssec.inc.rst | 7 ++++++- doc/dnssec-guide/recipes.rst | 4 ++++ doc/dnssec-guide/signing.rst | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index f4810aeeff..762e6aa585 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst 
@@ -99,9 +99,13 @@ up-to-date DNSSEC practices: type primary; file "dnssec.example.db"; dnssec-policy default; + inline-signing yes; }; -This single line is sufficient to create the necessary signing keys, and generate +The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or +:any:`inline-signing` to be enabled. In the example above we use the latter. + +This is sufficient to create the necessary signing keys, and generate ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes care of any DNSSEC maintenance for this zone, including replacing signatures that are about to expire and managing :ref:`key_rollovers`. @@ -171,6 +175,7 @@ by configuring parental agents: type primary; file "dnssec.example.db"; dnssec-policy default; + inline-signing yes; parental-agents { 192.0.2.1; }; }; diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index cb2c3116e2..56eb1a514b 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -63,6 +63,7 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1 file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; + inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; + inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed: type primary; file "db/example.com.db"; dnssec-policy "default"; + inline-signing yes; }; To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: 
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: type primary; file "db/example.com.db"; dnssec-policy "insecure"; + inline-signing yes; }; Then use :option:`rndc reload` to reload the zone. diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index d1175cdb0a..7ed5b824af 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -835,6 +835,7 @@ this example, we'll add it to the :any:`zone` statement: zone "example.net" in { ... dnssec-policy standard; + inline-signing yes; ... }; @@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt: zone "example.net" in { ... dnssec-policy standard; + inline-signing yes; parental-agents { "net"; }; ... };
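Review bot: two typos in the added `.. note::` block of the doc/dnssec-guide/signing.rst hunk at @@ -77 in PATCH 1/3: `explicity` should read `explicitly` and `Therefor` should read `Therefore`; `switched on or off dynamic DNS` also reads more naturally as `switched dynamic DNS on or off`. Since this note tells operators that implicit inline-signing is gone, it should also say what named does when a zone has a :any:`dnssec-policy` but neither dynamic DNS nor :any:`inline-signing` is configured, so the failure mode is documented rather than discovered on upgrade.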
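Review bot: grammar in the replaced bullet of the @@ -1358 hunk in PATCH 1/3: `requires to zone to use dynamic DNS` should read `requires the zone to use dynamic DNS`. The two alternatives would also read better in parallel form, e.g. `requires the zone either to use dynamic DNS or to have :any:`inline-signing` enabled.`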
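Review bot: redundant wording in the doc/arm/reference.rst hunk at @@ -6339 in PATCH 2/3: `If :any:`inline-signing` is enabled, this means that a signed version of the zone is maintained separately` can drop `this means that`. The next paragraph keeps the rule that a dynamic zone writes its DNSSEC records into the original :any:`file` `unless :any:`inline-signing` is explicitly set`; because PATCH 3/3 now adds `inline-signing yes;` to every example, it is worth stating right here that setting the option on a dynamic zone moves the signed data to the separate `.signed` file, so readers who copy the examples onto dynamic zones are not surprised by the change in on-disk behaviour.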
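Review bot: the doc/arm/dnssec.inc.rst hunk at @@ -99 in PATCH 3/3 correctly rewords `This single line is sufficient` now that two lines are needed, but the recipes.rst hunks at @@ -63 and @@ -142 and the signing.rst hunks at @@ -835 and @@ -916 add `inline-signing yes;` without touching the surrounding prose; the @@ -835 context still introduces the change with `we'll add it to the :any:`zone` statement` (singular), so check each of those sections for wording that presents :any:`dnssec-policy` as the only line required and adjust it the same way. In the recipes.rst hunks at @@ -995 and @@ -1006 the reversion-to-unsigned example now keeps `inline-signing yes;` next to `dnssec-policy "insecure"`; a one-line remark on why the option is kept when going unsigned would stop readers from removing both lines together.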