diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 42f6f80063..cd61c576af 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -66,6 +66,8 @@ DNSSEC-POLICY
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
 duration_or_unlimited algorithm string [ integer ]; ... };
 max-zone-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
 parent-ds-ttl duration;
 parent-propagation-delay duration;
 publish-safety duration;
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 094ad56b06..f3d286eb1a 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -22,6 +22,7 @@ dnssec-policy "test" {
 csk key-directory lifetime unlimited algorithm rsasha256 2048;
 };
 max-zone-ttl 86400;
+ nsec3param iterations 5 optout no salt "deadbeef";
 parent-ds-ttl 7200;
 parent-propagation-delay PT1H;
 publish-safety PT3600S;
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 01226b457f..e23fd25060 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -22,6 +22,7 @@ dnssec-policy "test" {
 csk key-directory lifetime P30D algorithm 8 2048;
 };
 max-zone-ttl 86400;
+ nsec3param ;
 parent-ds-ttl 7200;
 parent-propagation-delay PT1H;
 publish-safety PT3600S;
diff --git a/doc/arm/dnssec.rst b/doc/arm/dnssec.rst
index 5e3119707e..2e1c178afe 100644
--- a/doc/arm/dnssec.rst
+++ b/doc/arm/dnssec.rst
@@ -238,17 +238,21 @@ removed after the update request completes.
 Converting From NSEC to NSEC3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, an NSEC3PARAM record must be added. When the
-conversion is complete, the NSEC chain is removed and the
-NSEC3PARAM record has a zero flag field. The NSEC3 chain is
-generated before the NSEC chain is destroyed.
+Add a ``nsec3param`` option to your ``dnssec-policy`` and
+run ``rndc reconfig``.
-NSEC3 is not yet supported with ``dnssec-policy``.
+Or use ``nsupdate`` to add an NSEC3PARAM record.
+
+In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
+added before the NSEC chain is destroyed.
 Converting From NSEC3 to NSEC
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
+To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
+run ``rndc reconfig``.
+
+Or use ``nsupdate`` to remove all NSEC3PARAM records with a
 zero flag field. The NSEC chain is generated before the NSEC3 chain is
 removed.
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 15ad929a90..3597d8fe03 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4955,6 +4955,18 @@ The following options can be specified in a ``dnssec-policy`` statement:
 A ``max-zone-ttl`` of zero is treated as if the default value were in use.
+ ``nsec3param``
+ Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
+
+ Here is an example (for illustration purposes only) of
+ a ``nsec3`` configuration:
+
+ ::
+
+ nsec3param ttl 0 iterations 5 optout no salt "-";
+
+ The default is to use NSEC.
+
 ``zone-propagation-delay``
 This is the expected propagation delay from the time when a zone is
 first updated to the time when the new version of the
diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy
index eeef7fbea9..d8457bde08 100644
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@@ -126,10 +126,9 @@ dnssec-policy "nsec3" {
 signatures-validity P14D;
 signatures-validity-dnskey P14D;
- // Denial of existence
- denial-type nsec3;
- nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
- nsec3-salt length 8 resalt P100D;
+ // Denial of existence (default NSEC)
+ nsec3param iterations 5 optout no salt "-";
+ nsec3-resalt P100D;
 // Keys
 dnskey-ttl 3600;
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 356a0d122b..f7d3823cd2 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -105,6 +105,8 @@ dnssec\-policy string {
 keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
 duration_or_unlimited algorithm string [ integer ]; ... };
 max\-zone\-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
 parent\-ds\-ttl duration;
 parent\-propagation\-delay duration;
 publish\-safety duration;
diff --git a/doc/misc/dnssec-policy.grammar.rst b/doc/misc/dnssec-policy.grammar.rst
index 951983cf1d..c9771fcb3d 100644
--- a/doc/misc/dnssec-policy.grammar.rst
+++ b/doc/misc/dnssec-policy.grammar.rst
@@ -5,6 +5,8 @@
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
 algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
diff --git a/doc/misc/options b/doc/misc/options
index b49cf12797..6d641c4b6f 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -26,6 +26,8 @@ dnssec-policy {
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
 algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 parent-registration-delay ; // obsolete
diff --git a/doc/misc/options.active b/doc/misc/options.active
index da43db123a..da3bfed79c 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -26,6 +26,8 @@ dnssec-policy {
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
 algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7551e1d8cf..5ec87adbe9 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -571,6 +571,40 @@ static cfg_type_t cfg_type_kaspkey = { "kaspkey", cfg_parse_tuple,
 cfg_print_tuple, cfg_doc_tuple,
 &cfg_rep_tuple, kaspkey_fields };
+/*%
+ * NSEC3 parameters.
+ */
+static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3iter = {
+ "iterations", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_uint32, &nsec3iter_kw
+};
+
+static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
+static cfg_type_t cfg_type_nsec3optout = {
+ "optout", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_boolean, &nsec3optout_kw
+};
+
+static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
+static cfg_type_t cfg_type_nsec3salt = {
+ "salt", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_string, &nsec3salt_kw
+};
+
+static cfg_tuplefielddef_t nsec3param_fields[] = {
+ { "iterations", &cfg_type_nsec3iter, 0 },
+ { "optout", &cfg_type_nsec3optout, 0 },
+ { "salt", &cfg_type_nsec3salt, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nsec3 = { "nsec3param", cfg_parse_tuple,
+ cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, nsec3param_fields };
+
 /*%
 * Wild class, type, name.
 */
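Review bot: The `iterations` field in `nsec3param_fields` is a bare `cfg_type_uint32`, so the parser accepts any 32-bit count; NSEC3 iteration counts are bounded by RFC 5155 §10.3 (150/500/2500 by key size) and an oversized value costs every validator and the signer extra hashing per name, so the value should be range-checked wherever dnssec-policy settings are validated (that checker is not in this diff) and the bound recorded next to the field, e.g. `/*% iterations: range-checked against the RFC 5155 §10.3 limits at config-check time */`. The `salt` field is a plain `cfg_type_sstring`; the ARM example in this commit writes `salt "-"`, which suggests a hex string with `-` meaning empty, but neither that encoding nor the 255-octet maximum salt length is documented here, so a one-line comment on `nsec3salt_kw` stating the expected format would help the next reader. Separately, the example added to doc/arm/reference.rst uses `nsec3param ttl 0 iterations 5 optout no salt "-";`, but no `ttl` field exists in `nsec3param_fields`, so the documented example would be rejected by this tuple parser; either drop `ttl 0` from the example or add the field. The three-line `/*% NSEC3 parameters. */` header could also name the clause it backs, e.g. `/*% Fields of the dnssec-policy "nsec3param" clause: iterations, optout, salt (all optional). */`.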
@@ -2097,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "dnskey-ttl", &cfg_type_duration, 0 },
 { "keys", &cfg_type_kaspkeys, 0 },
 { "max-zone-ttl", &cfg_type_duration, 0 },
+ { "nsec3param", &cfg_type_nsec3, 0 },
 { "parent-ds-ttl", &cfg_type_duration, 0 },
 { "parent-propagation-delay", &cfg_type_duration, 0 },
 { "parent-registration-delay", &cfg_type_duration,