Update DNSSEC Key and Signing Policy (KASP)

2025-08-28 13:08:06 +00:00 · 2020-01-07 09:00:26 +00:00 · 2020-01-07 09:00:26 +00:00 · 995b3792fa
commit 995b3792fa
parent e6f51bbf9b
1 changed files with 11 additions and 39 deletions
--- a/DNSSEC-Key-and-Signing-Policy-(KASP).md
+++ b/DNSSEC-Key-and-Signing-Policy-(KASP).md
@ -27,7 +27,7 @@ different options per zone, you would be able to do the following:
 ```
 zone "example.com." {
    ...
-    dnssec-policy "_default";
+    dnssec-policy "default";
 };
 ```

@ -106,7 +106,6 @@ is set for a zone.
 Other DNSSEC related configuration options that are not related to the policy
 are likely to stay:

-
 1. `key-directory`: This is where the DNSKEY key files can be found.

 1. `serial-update-method`: This is used for dynamic zones to determne how
@ -120,59 +119,32 @@ below. This includes all options as described in the KASP draft, but we may
 decide that some options are not required.

 ```
-dnssec-policy "nsec3" {
-
-    description "policy for zones that require zone walking mitigation";
+dnssec-policy "example" {

    // Signatures
-    signatures-resign PT2H;
    signatures-refresh P3D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
-    signatures-validity-denial P7D;
-    signatures-jitter PT12H;
-    signatures-inception-offset PT300S;
-
-    // Denial of existence
-    denial-type nsec3;
-    nsec3param-ttl 0;
-    nsec3-optout no;
-    nsec3-hash-algorithm 1;
-    nsec3-hash-iterations 5;
-    nsec3-salt-length 8;
-    nsec3-resalt P100D;

    // Keys
    dnskey-ttl 3600;
-    dnskey-publish-safety PT3600S;
-    dnskey-retire-safety PT3600S;
-    share-keys no;
-    purge-keys-after P14D;
+    publish-safety PT3600S;
+    retire-safety PT3600S;

    keys {
-        ksk hsm "softhsm" P5Y ECDSAP256SHA256;
-        zsk directory "/etc/bind9/dnsseckeys/" P30D ECDSAP256SHA256;
-        csk key-directory PT0S 8 2048;
+        ksk key-directory lifetime P5Y 13;
+        zsk key-directory lifetime 30d 13;
+        csk key-directory lifetime PT0S 8 2048;
    };

-    // Parent synchronization
-    cds yes;
-    cdnskey yes;
-    check-ds { 127.0.0.53; };
-    check-ds-interval PT3600S;
-
    // Zone properties
    zone-propagation-delay PT3600S;
-    zone-soa-ttl 3600;
-    zone-soa-minimum 3600;
-    zone-soa-serial-update-method unixtime;
    zone-max-ttl 24H;

    // Parent properties
    parent-propagation-delay PT24H;
+    parent-registration-delay 1h;
    parent-ds-ttl 3600;
-    parent-soa-ttl 3600;
-    parent-soa-minimum 3600;
 };
 ```

@ -219,7 +191,7 @@ of keys:

 Currently if you want to sign your zone with NSEC3 you can do so by introducing
 an NSEC3PARAM record via Dynamic Update. This is no longer necessary with
-`dnssec-policy` as you can configure NSEC3 usage in `named.conf`.
+`dnssec-policy` as you can configure NSEC3 usage in `named.conf` (NOT IMPLEMENTED YET).

 ## Changing policies

@ -239,7 +211,7 @@ information:

 ## Configuration

-1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy _default`).
+1. You can configure DNSSEC for a zone with a single configuration option (`dnssec-policy default`).

 1. You can configure DNSSEC for a zone manually (`dnssec-policy` statement).

@ -280,4 +252,4 @@ information:

 ## Key purging

-1.A Removed keys may be purged from storage.
+1.A Removed keys may be purged from storage. (NOT IMPLEMENTED YET)