Add kasp nsec3param configuration

Add configuration and documentation on how to enable NSEC3 when using dnssec-policy for signing your zones.
2025-08-29 13:38:26 +00:00 · 2020-10-09 14:19:10 +02:00 · 2020-10-09 14:19:10 +02:00 · f7ca96c805
commit f7ca96c805
parent 84a4273074
11 changed files with 72 additions and 10 deletions
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@ -66,6 +66,8 @@ DNSSEC-POLICY
  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
  	    duration_or_unlimited algorithm string [ integer ]; ... };
  	max-zone-ttl duration;
  	nsec3param [ iterations integer ] [ optout boolean ] [ salt
  	    string ];
  	parent-ds-ttl duration;
  	parent-propagation-delay duration;
  	publish-safety duration;
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@ -22,6 +22,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime unlimited algorithm rsasha256 2048;
 	};
 	max-zone-ttl 86400;
 	nsec3param iterations 5 optout no salt "deadbeef";
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@ -22,6 +22,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime P30D algorithm 8 2048;
 	};
 	max-zone-ttl 86400;
 	nsec3param ;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/doc/arm/dnssec.rst
+++ b/doc/arm/dnssec.rst
@ -238,17 +238,21 @@ removed after the update request completes.
 Converting From NSEC to NSEC3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, an NSEC3PARAM record must be added. When the
+Add a ``nsec3param`` option to your ``dnssec-policy`` and
-conversion is complete, the NSEC chain is removed and the
+run ``rndc reconfig``.
 NSEC3PARAM record has a zero flag field. The NSEC3 chain is
 generated before the NSEC chain is destroyed.
-NSEC3 is not yet supported with ``dnssec-policy``.
+Or use ``nsupdate`` to add an NSEC3PARAM record.
 In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
 added before the NSEC chain is destroyed.
 Converting From NSEC3 to NSEC
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
+To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
 run ``rndc reconfig``.
 Or use ``nsupdate`` to remove all NSEC3PARAM records with a
 zero flag field. The NSEC chain is generated before the NSEC3 chain
 is removed.
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -4955,6 +4955,18 @@ The following options can be specified in a ``dnssec-policy`` statement:
       A ``max-zone-ttl`` of zero is treated as if
       the default value were in use.
     ``nsec3param``
       Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
       Here is an example (for illustration purposes only) of
       a ``nsec3`` configuration:
       ::
          nsec3param ttl 0 iterations 5 optout no salt "-";
       The default is to use NSEC.
     ``zone-propagation-delay``
       This is the expected propagation delay from the time when a zone
       is first updated to the time when the new version of the
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@ -126,10 +126,9 @@ dnssec-policy "nsec3" {
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
-    // Denial of existence
+    // Denial of existence (default NSEC)
-    denial-type nsec3;
+    nsec3param iterations 5 optout no salt "-";
-    nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
+    nsec3-resalt P100D;
    nsec3-salt length 8 resalt P100D;
    // Keys
    dnskey-ttl 3600;
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@ -105,6 +105,8 @@ dnssec\-policy string {
      keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
          duration_or_unlimited algorithm string [ integer ]; ... };
      max\-zone\-ttl duration;
      nsec3param [ iterations integer ] [ optout boolean ] [ salt
          string ];
      parent\-ds\-ttl duration;
      parent\-propagation\-delay duration;
      publish\-safety duration;
--- a/doc/misc/dnssec-policy.grammar.rst
+++ b/doc/misc/dnssec-policy.grammar.rst
@ -5,6 +5,8 @@
  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
  	    <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
  	max-zone-ttl <duration>;
  	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
  	    <string> ];
  	parent-ds-ttl <duration>;
  	parent-propagation-delay <duration>;
  	publish-safety <duration>;
--- a/doc/misc/options
+++ b/doc/misc/options
@ -26,6 +26,8 @@ dnssec-policy <string> {
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
            <string> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        parent-registration-delay <duration>; // obsolete
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@ -26,6 +26,8 @@ dnssec-policy <string> {
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
            <string> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        publish-safety <duration>;
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -571,6 +571,40 @@ static cfg_type_t cfg_type_kaspkey = { "kaspkey",	cfg_parse_tuple,
 				       cfg_print_tuple, cfg_doc_tuple,
 				       &cfg_rep_tuple,	kaspkey_fields };
 /*%
 * NSEC3 parameters.
 */
 static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
 static cfg_type_t cfg_type_nsec3iter = {
 	"iterations",	       parse_optional_keyvalue, print_keyvalue,
 	doc_optional_keyvalue, &cfg_rep_uint32,		&nsec3iter_kw
 };
 static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
 static cfg_type_t cfg_type_nsec3optout = {
 	"optout",	  parse_optional_keyvalue,
 	print_keyvalue,	  doc_optional_keyvalue,
 	&cfg_rep_boolean, &nsec3optout_kw
 };
 static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
 static cfg_type_t cfg_type_nsec3salt = {
 	"salt",		 parse_optional_keyvalue,
 	print_keyvalue,	 doc_optional_keyvalue,
 	&cfg_rep_string, &nsec3salt_kw
 };
 static cfg_tuplefielddef_t nsec3param_fields[] = {
 	{ "iterations", &cfg_type_nsec3iter, 0 },
 	{ "optout", &cfg_type_nsec3optout, 0 },
 	{ "salt", &cfg_type_nsec3salt, 0 },
 	{ NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_nsec3 = { "nsec3param",    cfg_parse_tuple,
 				     cfg_print_tuple, cfg_doc_tuple,
 				     &cfg_rep_tuple,  nsec3param_fields };
 /*%
 * Wild class, type, name.
 */
@ -2097,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "dnskey-ttl", &cfg_type_duration, 0 },
 	{ "keys", &cfg_type_kaspkeys, 0 },
 	{ "max-zone-ttl", &cfg_type_duration, 0 },
 	{ "nsec3param", &cfg_type_nsec3, 0 },
 	{ "parent-ds-ttl", &cfg_type_duration, 0 },
 	{ "parent-propagation-delay", &cfg_type_duration, 0 },
 	{ "parent-registration-delay", &cfg_type_duration,