From 995b3792faac18b0ff84e89e6f957940c200d35e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 7 Jan 2020 09:00:26 +0000
Subject: [PATCH] Update DNSSEC Key and Signing Policy (KASP)
---
 DNSSEC-Key-and-Signing-Policy-(KASP).md | 50 ++++++-------------------
 1 file changed, 11 insertions(+), 39 deletions(-)
diff --git a/DNSSEC-Key-and-Signing-Policy-(KASP).md b/DNSSEC-Key-and-Signing-Policy-(KASP).md
index 0258231..3ce98be 100644
--- a/DNSSEC-Key-and-Signing-Policy-(KASP).md
+++ b/DNSSEC-Key-and-Signing-Policy-(KASP).md
@@ -27,7 +27,7 @@ different options per zone, you would be able to do the following:
 ```
 zone "example.com." {
 ...
- dnssec-policy "_default";
+ dnssec-policy "default";
 };
 ```
@@ -106,7 +106,6 @@ is set for a zone.
 Other DNSSEC related configuration options that are not related to the policy are likely to stay:
-
 1. `key-directory`: This is where the DNSKEY key files can be found.
 1. `serial-update-method`: This is used for dynamic zones to determne how
@@ -120,59 +119,32 @@ below.
 This includes all options as described in the KASP draft, but we may decide that some options are not required.
 ```
-dnssec-policy "nsec3" {
-
- description "policy for zones that require zone walking mitigation";
+dnssec-policy "example" {
 // Signatures
- signatures-resign PT2H;
 signatures-refresh P3D;
 signatures-validity P14D;
 signatures-validity-dnskey P14D;
- signatures-validity-denial P7D;
- signatures-jitter PT12H;
- signatures-inception-offset PT300S;
-
- // Denial of existence
- denial-type nsec3;
- nsec3param-ttl 0;
- nsec3-optout no;
- nsec3-hash-algorithm 1;
- nsec3-hash-iterations 5;
- nsec3-salt-length 8;
- nsec3-resalt P100D;
 // Keys
 dnskey-ttl 3600;
- dnskey-publish-safety PT3600S;
- dnskey-retire-safety PT3600S;
- share-keys no;
- purge-keys-after P14D;
+ publish-safety PT3600S;
+ retire-safety PT3600S;
 keys {
- ksk hsm "softhsm" P5Y ECDSAP256SHA256;
- zsk directory "/etc/bind9/dnsseckeys/" P30D ECDSAP256SHA256;
- csk key-directory PT0S 8 2048;
+ ksk key-directory lifetime P5Y 13;
+ zsk key-directory lifetime 30d 13;
+ csk key-directory lifetime PT0S 8 2048;
 };
- // Parent synchronization
- cds yes;
- cdnskey yes;
- check-ds { 127.0.0.53; };
- check-ds-interval PT3600S;
-
 // Zone properties
 zone-propagation-delay PT3600S;
- zone-soa-ttl 3600;
- zone-soa-minimum 3600;
- zone-soa-serial-update-method unixtime;
 zone-max-ttl 24H;
 // Parent properties
 parent-propagation-delay PT24H;
+ parent-registration-delay 1h;
 parent-ds-ttl 3600;
- parent-soa-ttl 3600;
- parent-soa-minimum 3600;
 };
 ```
@@ -219,7 +191,7 @@ of keys:
 Currently if you want to sign your zone with NSEC3 you can do so by introducing an NSEC3PARAM record via Dynamic Update. This is no longer necessary with
-`dnssec-policy` as you can configure NSEC3 usage in `named.conf`.
+`dnssec-policy` as you can configure NSEC3 usage in `named.conf` (NOT IMPLEMENTED YET).
 ## Changing policies
@@ -239,7 +211,7 @@ information:
 ## Configuration
-1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy _default`).
+1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy default`).
 1. You can configure DNSSEC for a zone manually (`dnssec-policy` statement).
@@ -280,4 +252,4 @@ information:
 ## Key purging
-1.A Removed keys may be purged from storage.
\ No newline at end of file
+1.A Removed keys may be purged from storage. (NOT IMPLEMENTED YET)
\ No newline at end of file