mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-28 04:58:04 +00:00

Update documentation with "insecure" policy

Update the ARM to mention the new built-in "insecure" policy.  Update
the DNSSEC guide recipe "Revert to unsigned" to add the additional
step of reconfiguring the zone to "insecure" (instead of immediately
setting it to "none").
This commit is contained in:
Matthijs Mekking 2021-04-21 16:39:28 +02:00
parent 9c6ff463fd
commit fadc57d3d0
2 changed files with 26 additions and 10 deletions


@ -1443,12 +1443,12 @@ default is used.
reduced. reduced.
``dnssec-policy`` ``dnssec-policy``
This specifies which key and signing policy (KASP) should be used for this zone. This specifies which key and signing policy (KASP) should be used for this
This is a string referring to a ``dnssec-policy`` statement. There are two zone. This is a string referring to a ``dnssec-policy`` statement. There
built-in policies: ``default``, which uses the default policy, and are three built-in policies: ``default``, which uses the default policy,
``none``, which means no DNSSEC policy and keeps the zone unsigned. The ``insecure``, to be used when you want to gracefully unsign your zone, and
default is ``none``. See :ref:`dnssec-policy Grammar ``none``, which means no DNSSEC policy. The default is ``none``.
<dnssec_policy_grammar>` for more details. See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for more details.
``dnssec-update-mode`` ``dnssec-update-mode``
If this option is set to its default value of ``maintain`` in a zone If this option is set to its default value of ``maintain`` in a zone
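Review bot: The rewritten description of ``none`` drops the old "and keeps the zone unsigned" without saying what replaces it; since the whole point of the new ``insecure`` policy is that switching a signed zone straight to ``none`` leaves its existing DNSKEY/RRSIG records unmaintained, state that explicitly, e.g. "``none``, which means no DNSSEC policy: the zone is not signed and any existing DNSSEC records are left untouched". Also consider phrasing ``insecure`` in the ARM's impersonal voice ("used to gracefully unsign a zone that is currently signed") rather than "when you want to".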


@ -1069,8 +1069,8 @@ Below is an example showing how to remove DS records using the
To be on the safe side, wait a while before actually deleting To be on the safe side, wait a while before actually deleting
all signed data from your zone, just in case some validating resolvers all signed data from your zone, just in case some validating resolvers
have cached information. After you are certain that all cached have cached information. After you are certain that all cached
information has expired (usually this means one TTL interval has passed), you may information has expired (usually this means one TTL interval has passed),
reconfigure your zone. you may reconfigure your zone.
Here is what ``named.conf`` looks like when it is signed: Here is what ``named.conf`` looks like when it is signed:
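Review bot: This hunk only rewraps the paragraph, but its advice ("wait a while ... After you are certain that all cached information has expired ... you may reconfigure your zone") now conflicts with the new recipe below, where the zone is reconfigured to ``insecure`` first and ``named`` itself times the removal of the remaining DNSSEC records after ``rndc dnssec -checkds ... withdrawn``. Either drop the manual-wait instruction or reword it to say that the waiting is handled by the ``insecure`` policy.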
@ -1083,7 +1083,7 @@ Here is what ``named.conf`` looks like when it is signed:
dnssec-policy "default"; dnssec-policy "default";
}; };
Remove the ``dnssec-policy`` line so your ``named.conf`` looks like this: Change your ``dnssec-policy`` line to indicate you want to revert to unsigned:
:: ::
@ -1091,8 +1091,24 @@ Remove the ``dnssec-policy`` line so your ``named.conf`` looks like this:
type primary; type primary;
file "db/example.com.db"; file "db/example.com.db";
allow-transfer { any; }; allow-transfer { any; };
dnssec-policy "insecure";
}; };
Then use ``rndc reload`` to reload the zone. Then use ``rndc reload`` to reload the zone.
Your zone is now reverted back to the traditional, insecure DNS format. The "insecure" policy is a built-in policy (like "default"). It will make sure
the zone is still DNSSEC maintained, to allow for a graceful transition to
unsigned,
When the DS records have been removed from the parent zone, use
``rndc dnssec -checkds -key <id> withdrawn example.com`` to tell ``named`` that
the DS is removed, and the remaining DNSSEC records will be removed in a timely
manner.
After a while, your zone is reverted back to the traditional, insecure DNS
format. You can verify by checking that all DNSKEY and RRSIG records have been
removed from the zone.
You can then remove the ``dnssec-policy`` line from your ``named.conf`` and
reload the zone. The zone will now no longer be subject to any DNSSEC
maintenance.
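Review bot: The sentence "to allow for a graceful transition to unsigned," ends in a comma where a period is needed, and "still DNSSEC maintained" should read "still maintained with DNSSEC". In the ``rndc dnssec -checkds -key <id> withdrawn example.com`` step, tell the reader where the ``<id>`` placeholder comes from (the key id of the zone's KSK/CSK), otherwise the step cannot be followed from this page alone; "the DS is removed" would also read better as "the DS has been removed". Finally, the final paragraph should make clear that the ``dnssec-policy`` line may only be removed after the DNSKEY and RRSIG records have actually gone, since removing it earlier returns the zone to ``none`` and leaves those records in place.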