mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-28 13:08:06 +00:00

Update DNSSEC Key and Signing Policy (KASP)

Matthijs Mekking 2020-01-07 09:00:26 +00:00
parent e6f51bbf9b
commit 995b3792fa

@ -27,7 +27,7 @@ different options per zone, you would be able to do the following:
``` ```
zone "example.com." { zone "example.com." {
... ...
dnssec-policy "_default"; dnssec-policy "default";
}; };
``` ```
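Review bot: renaming the built-in policy from `_default` to `default` drops the leading underscore that marked the name as reserved, so the text around this example should state explicitly that `default` is a built-in policy name and what happens if an operator defines their own `dnssec-policy "default"` (rejected or overriding). Also confirm that every other mention of `_default` in this document is changed in the same commit, not only the two occurrences shown in this diff.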
@ -106,7 +106,6 @@ is set for a zone.
Other DNSSEC related configuration options that are not related to the policy Other DNSSEC related configuration options that are not related to the policy
are likely to stay: are likely to stay:
1. `key-directory`: This is where the DNSKEY key files can be found. 1. `key-directory`: This is where the DNSKEY key files can be found.
1. `serial-update-method`: This is used for dynamic zones to determne how 1. `serial-update-method`: This is used for dynamic zones to determne how
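Review bot: the unchanged context line `1. \`serial-update-method\`: This is used for dynamic zones to determne how` carries a typo (`determne` should read `determine`); since this hunk already touches this paragraph, fix it here rather than leaving it for a later whitespace-only commit.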
@ -120,59 +119,32 @@ below. This includes all options as described in the KASP draft, but we may
decide that some options are not required. decide that some options are not required.
``` ```
dnssec-policy "nsec3" { dnssec-policy "example" {
description "policy for zones that require zone walking mitigation";
// Signatures // Signatures
signatures-resign PT2H;
signatures-refresh P3D; signatures-refresh P3D;
signatures-validity P14D; signatures-validity P14D;
signatures-validity-dnskey P14D; signatures-validity-dnskey P14D;
signatures-validity-denial P7D;
signatures-jitter PT12H;
signatures-inception-offset PT300S;
// Denial of existence
denial-type nsec3;
nsec3param-ttl 0;
nsec3-optout no;
nsec3-hash-algorithm 1;
nsec3-hash-iterations 5;
nsec3-salt-length 8;
nsec3-resalt P100D;
// Keys // Keys
dnskey-ttl 3600; dnskey-ttl 3600;
dnskey-publish-safety PT3600S; publish-safety PT3600S;
dnskey-retire-safety PT3600S; retire-safety PT3600S;
share-keys no;
purge-keys-after P14D;
keys { keys {
ksk hsm "softhsm" P5Y ECDSAP256SHA256; ksk key-directory lifetime P5Y 13;
zsk directory "/etc/bind9/dnsseckeys/" P30D ECDSAP256SHA256; zsk key-directory lifetime 30d 13;
csk key-directory PT0S 8 2048; csk key-directory lifetime PT0S 8 2048;
}; };
// Parent synchronization
cds yes;
cdnskey yes;
check-ds { 127.0.0.53; };
check-ds-interval PT3600S;
// Zone properties // Zone properties
zone-propagation-delay PT3600S; zone-propagation-delay PT3600S;
zone-soa-ttl 3600;
zone-soa-minimum 3600;
zone-soa-serial-update-method unixtime;
zone-max-ttl 24H; zone-max-ttl 24H;
// Parent properties // Parent properties
parent-propagation-delay PT24H; parent-propagation-delay PT24H;
parent-registration-delay 1h;
parent-ds-ttl 3600; parent-ds-ttl 3600;
parent-soa-ttl 3600;
parent-soa-minimum 3600;
}; };
``` ```
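Review bot: the lead-in context still says the example "includes all options as described in the KASP draft", but the new example drops `signatures-resign`, `signatures-jitter`, `signatures-inception-offset`, the whole denial-of-existence block (`denial-type`, `nsec3-*`), `share-keys`, `purge-keys-after`, the parent-synchronization options (`cds`, `cdnskey`, `check-ds`, `check-ds-interval`) and the `zone-soa-*` / `parent-soa-*` options, so that sentence should be reworded to say the example shows the currently supported subset and list what is deferred. Inside the new `keys` block the duration notation is mixed: `lifetime P5Y` and `lifetime PT0S` are ISO 8601 durations while `lifetime 30d` is BIND TTL-style, and `zone-max-ttl 24H` is yet another spelling; use one form in the example or state that both forms are accepted. Replacing the algorithm mnemonics (`ECDSAP256SHA256`) with bare numbers (`13`, `8 2048`) also makes the example harder to read; if mnemonics are still accepted keep them, otherwise add a comment that maps each number to its algorithm name.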
@ -219,7 +191,7 @@ of keys:
Currently if you want to sign your zone with NSEC3 you can do so by introducing Currently if you want to sign your zone with NSEC3 you can do so by introducing
an NSEC3PARAM record via Dynamic Update. This is no longer necessary with an NSEC3PARAM record via Dynamic Update. This is no longer necessary with
`dnssec-policy` as you can configure NSEC3 usage in `named.conf`. `dnssec-policy` as you can configure NSEC3 usage in `named.conf` (NOT IMPLEMENTED YET).
## Changing policies ## Changing policies
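Review bot: appending "(NOT IMPLEMENTED YET)" contradicts the preceding sentence, which still says in the present tense that adding NSEC3PARAM via Dynamic Update "is no longer necessary"; reword so it is clear that, until the feature lands, operators must keep introducing NSEC3PARAM via Dynamic Update, otherwise a reader may drop a working workflow. Note too that the earlier hunk removed `denial-type nsec3` and the `nsec3-*` options from the example policy, so this paragraph now promises NSEC3 configuration in `named.conf` without any example of the syntax; either keep a clearly marked planned-syntax snippet or point to where the option names will be documented once they exist.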
@ -239,7 +211,7 @@ information:
## Configuration ## Configuration
1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy _default`). 1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy default`).
1. You can configure DNSSEC for a zone manually (`dnssec-policy` statement). 1. You can configure DNSSEC for a zone manually (`dnssec-policy` statement).
@ -280,4 +252,4 @@ information:
## Key purging ## Key purging
1.A Removed keys may be purged from storage. 1.A Removed keys may be purged from storage. (NOT IMPLEMENTED YET)