Add kasp nsec3param configuration

Add configuration and documentation on how to enable NSEC3 when using dnssec-policy for signing your zones.
2025-08-29 13:38:26 +00:00 · 2020-10-09 14:19:10 +02:00 · 2020-10-09 14:19:10 +02:00 · f7ca96c805
commit f7ca96c805
parent 84a4273074
11 changed files with 72 additions and 10 deletions
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@ -66,6 +66,8 @@ DNSSEC-POLICY
  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
  	    duration_or_unlimited algorithm string [ integer ]; ... };
  	max-zone-ttl duration;
+  	nsec3param [ iterations integer ] [ optout boolean ] [ salt
+  	    string ];
  	parent-ds-ttl duration;
  	parent-propagation-delay duration;
  	publish-safety duration;
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@ -22,6 +22,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime unlimited algorithm rsasha256 2048;
 	};
 	max-zone-ttl 86400;
+	nsec3param iterations 5 optout no salt "deadbeef";
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@ -22,6 +22,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime P30D algorithm 8 2048;
 	};
 	max-zone-ttl 86400;
+	nsec3param ;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/doc/arm/dnssec.rst
+++ b/doc/arm/dnssec.rst
@ -238,17 +238,21 @@ removed after the update request completes.
 Converting From NSEC to NSEC3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-To do this, an NSEC3PARAM record must be added. When the
-conversion is complete, the NSEC chain is removed and the
-NSEC3PARAM record has a zero flag field. The NSEC3 chain is
-generated before the NSEC chain is destroyed.
+Add a ``nsec3param`` option to your ``dnssec-policy`` and
+run ``rndc reconfig``.

-NSEC3 is not yet supported with ``dnssec-policy``.
+Or use ``nsupdate`` to add an NSEC3PARAM record.
+
+In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
+added before the NSEC chain is destroyed.

 Converting From NSEC3 to NSEC
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
+To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
+run ``rndc reconfig``.
+
+Or use ``nsupdate`` to remove all NSEC3PARAM records with a
 zero flag field. The NSEC chain is generated before the NSEC3 chain
 is removed.

--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -4955,6 +4955,18 @@ The following options can be specified in a ``dnssec-policy`` statement:
       A ``max-zone-ttl`` of zero is treated as if
       the default value were in use.

+     ``nsec3param``
+       Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
+
+       Here is an example (for illustration purposes only) of
+       a ``nsec3`` configuration:
+
+       ::
+
+          nsec3param ttl 0 iterations 5 optout no salt "-";
+
+       The default is to use NSEC.
+
     ``zone-propagation-delay``
       This is the expected propagation delay from the time when a zone
       is first updated to the time when the new version of the
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@ -126,10 +126,9 @@ dnssec-policy "nsec3" {
    signatures-validity P14D;
    signatures-validity-dnskey P14D;

-    // Denial of existence
-    denial-type nsec3;
-    nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
-    nsec3-salt length 8 resalt P100D;
+    // Denial of existence (default NSEC)
+    nsec3param iterations 5 optout no salt "-";
+    nsec3-resalt P100D;

    // Keys
    dnskey-ttl 3600;
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@ -105,6 +105,8 @@ dnssec\-policy string {
      keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
          duration_or_unlimited algorithm string [ integer ]; ... };
      max\-zone\-ttl duration;
+      nsec3param [ iterations integer ] [ optout boolean ] [ salt
+          string ];
      parent\-ds\-ttl duration;
      parent\-propagation\-delay duration;
      publish\-safety duration;
--- a/doc/misc/dnssec-policy.grammar.rst
+++ b/doc/misc/dnssec-policy.grammar.rst
@ -5,6 +5,8 @@
  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
  	    <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
  	max-zone-ttl <duration>;
+  	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+  	    <string> ];
  	parent-ds-ttl <duration>;
  	parent-propagation-delay <duration>;
  	publish-safety <duration>;
--- a/doc/misc/options
+++ b/doc/misc/options
@ -26,6 +26,8 @@ dnssec-policy <string> {
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+            <string> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        parent-registration-delay <duration>; // obsolete
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@ -26,6 +26,8 @@ dnssec-policy <string> {
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+            <string> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        publish-safety <duration>;
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -571,6 +571,40 @@ static cfg_type_t cfg_type_kaspkey = { "kaspkey",	cfg_parse_tuple,
 				       cfg_print_tuple, cfg_doc_tuple,
 				       &cfg_rep_tuple,	kaspkey_fields };

+/*%
+ * NSEC3 parameters.
+ */
+static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3iter = {
+	"iterations",	       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32,		&nsec3iter_kw
+};
+
+static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
+static cfg_type_t cfg_type_nsec3optout = {
+	"optout",	  parse_optional_keyvalue,
+	print_keyvalue,	  doc_optional_keyvalue,
+	&cfg_rep_boolean, &nsec3optout_kw
+};
+
+static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
+static cfg_type_t cfg_type_nsec3salt = {
+	"salt",		 parse_optional_keyvalue,
+	print_keyvalue,	 doc_optional_keyvalue,
+	&cfg_rep_string, &nsec3salt_kw
+};
+
+static cfg_tuplefielddef_t nsec3param_fields[] = {
+	{ "iterations", &cfg_type_nsec3iter, 0 },
+	{ "optout", &cfg_type_nsec3optout, 0 },
+	{ "salt", &cfg_type_nsec3salt, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nsec3 = { "nsec3param",    cfg_parse_tuple,
+				     cfg_print_tuple, cfg_doc_tuple,
+				     &cfg_rep_tuple,  nsec3param_fields };
+
 /*%
 * Wild class, type, name.
 */
@ -2097,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "dnskey-ttl", &cfg_type_duration, 0 },
 	{ "keys", &cfg_type_kaspkeys, 0 },
 	{ "max-zone-ttl", &cfg_type_duration, 0 },
+	{ "nsec3param", &cfg_type_nsec3, 0 },
 	{ "parent-ds-ttl", &cfg_type_duration, 0 },
 	{ "parent-propagation-delay", &cfg_type_duration, 0 },
 	{ "parent-registration-delay", &cfg_type_duration,