mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00

Update documentation with "insecure" policy

Update the ARM to mention the new built-in "insecure" policy. Update
the DNSSEC guide recipe "Revert to unsigned" to add the additional
step of reconfiguring the zone to "insecure" (instead of immediately
setting it to "none").
Matthijs Mekking 2021-04-21 16:39:28 +02:00
parent 9c6ff463fd
commit fadc57d3d0
2 changed files with 26 additions and 10 deletions


@ -1443,12 +1443,12 @@ default is used.
reduced.
``dnssec-policy``
This specifies which key and signing policy (KASP) should be used for this zone.
This is a string referring to a ``dnssec-policy`` statement. There are two
built-in policies: ``default``, which uses the default policy, and
``none``, which means no DNSSEC policy and keeps the zone unsigned. The
default is ``none``. See :ref:`dnssec-policy Grammar
<dnssec_policy_grammar>` for more details.
This specifies which key and signing policy (KASP) should be used for this
zone. This is a string referring to a ``dnssec-policy`` statement. There
are three built-in policies: ``default``, which uses the default policy,
``insecure``, to be used when you want to gracefully unsign your zone, and
``none``, which means no DNSSEC policy. The default is ``none``.
See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for more details.
``dnssec-update-mode``
If this option is set to its default value of ``maintain`` in a zone
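Review bot: the new ``insecure`` entry describes only when to use the policy ("to be used when you want to gracefully unsign your zone"), while ``default`` and ``none`` in the same sentence are described by what they do; suggest describing its effect too, e.g. "``insecure``, which keeps the zone signed and under DNSSEC maintenance while it is gracefully unsigned", and keeping the impersonal register the rest of the statement uses (no "you"). It would also help readers to say here that moving a signed zone straight to ``none`` ends all DNSSEC maintenance of the zone, since that is the reason ``insecure`` exists.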


@ -1069,8 +1069,8 @@ Below is an example showing how to remove DS records using the
To be on the safe side, wait a while before actually deleting
all signed data from your zone, just in case some validating resolvers
have cached information. After you are certain that all cached
information has expired (usually this means one TTL interval has passed), you may
reconfigure your zone.
information has expired (usually this means one TTL interval has passed),
you may reconfigure your zone.
Here is what ``named.conf`` looks like when it is signed:
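Review bot: the reflow is fine, but "wait a while before actually deleting all signed data from your zone" still describes a manual deletion step, whereas the revised recipe later in this file has ``named`` remove the remaining DNSSEC records itself once the DS withdrawal has been confirmed; consider rewording this paragraph so the waiting is tied to the DS removal at the parent and cache expiry, not to an operator deleting records by hand.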
@ -1083,7 +1083,7 @@ Here is what ``named.conf`` looks like when it is signed:
dnssec-policy "default";
};
Remove the ``dnssec-policy`` line so your ``named.conf`` looks like this:
Change your ``dnssec-policy`` line to indicate you want to revert to unsigned:
::
@ -1091,8 +1091,24 @@ Remove the ``dnssec-policy`` line so your ``named.conf`` looks like this:
type primary;
file "db/example.com.db";
allow-transfer { any; };
dnssec-policy "insecure";
};
Then use ``rndc reload`` to reload the zone.
Your zone is now reverted back to the traditional, insecure DNS format.
The "insecure" policy is a built-in policy (like "default"). It will make sure
the zone is still DNSSEC maintained, to allow for a graceful transition to
unsigned,
When the DS records have been removed from the parent zone, use
``rndc dnssec -checkds -key <id> withdrawn example.com`` to tell ``named`` that
the DS is removed, and the remaining DNSSEC records will be removed in a timely
manner.
After a while, your zone is reverted back to the traditional, insecure DNS
format. You can verify by checking that all DNSKEY and RRSIG records have been
removed from the zone.
You can then remove the ``dnssec-policy`` line from your ``named.conf`` and
reload the zone. The zone will now no longer be subject to any DNSSEC
maintenance.
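Review bot: the sentence "to allow for a graceful transition to unsigned," ends in a comma before the paragraph break and should end with a period; "It will make sure the zone is still DNSSEC maintained" is awkward, suggest "It keeps the zone signed and under DNSSEC maintenance so that it can be unsigned gracefully." The step ``rndc dnssec -checkds -key <id> withdrawn example.com`` does not say where ``<id>`` comes from; state that it is the id of the key whose DS was removed (for instance as shown by ``rndc dnssec -status example.com``) and say whether the command must be repeated when more than one key has a DS published. Finally, "reverted back" is redundant; "reverted" is enough.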