running bind 9.18.7

I've enabled dnssec-policy signing. Current KSK & ZSK keys had been generated with

    dnssec-policy "prod01" {
        ...
        nsec3param iterations 5 optout no salt-length 8;
        ...
    }

Noting:

  Change default for nsec3param to iterations 0 salt-length 0
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2956

  Guidance for NSEC3 Parameter Settings
  https://datatracker.ietf.org/doc/rfc9276/

I'm changing that to:

    - nsec3param iterations 5 optout no salt-length 8;
    + nsec3param iterations 0 optout no salt-length 0;

The RFC notes,

    "Changing a zone's salt value requires the construction of a complete new NSEC3 chain. This is true both when re-signing the entire zone at once and when incrementally signing it in the background where the new salt is only activated once every name in the chain has been completed."

Since dnssec management is 'fully automated' using dnssec-policy, in addition to the 'nsec3param' change in named.conf and a server reload/restart, what's the correct procedure for force re-signing all nsec3 signed zones 'now'?

Is changing one of the timing values in the -policy sufficient? And bind9 will automate the rest? Or, is a manual intervention with 'dnssec-signzone' required?

In either case, iiuc, re-signing will re-generate zone data with updated RRSIGs for published records.

The DS record for each zone, extracted from its KSK, was manually pushed to the registrar, and subsequently to the zone's appropriate parent. With this change, does the DS record need to be touched? I.e., will the change to nsec3param change the zone's KSK?
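After the nsec3param change takes effect, the thing worth verifying from the outside is the zone's published NSEC3PARAM record, since that is what resolvers see. The following is an added example (not from the original post, and not ISC/BIND code): a small Python checker that parses the presentation format `dig +short NSEC3PARAM <zone>` prints (hash algorithm, flags, iterations, salt), or a full RR line from a zone dump, and reports anything that departs from the RFC 9276 guidance of iterations 0 and an empty salt. The zone name and record lines below are constructed sample data.

```python
"""Check a zone's NSEC3PARAM record against RFC 9276 guidance.

Accepts either the four-field output of `dig +short NSEC3PARAM <zone>`
("1 0 0 -") or a full RR line ("example.com. 3600 IN NSEC3PARAM 1 0 0 -").
Sample lines at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass

# Full RR line: owner TTL class NSEC3PARAM alg flags iterations salt
FULL_RE = re.compile(r"(?:^|\s)NSEC3PARAM\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# `dig +short` form: alg flags iterations salt
SHORT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class Nsec3Param:
    hash_alg: int
    flags: int
    iterations: int
    salt: str  # "-" is the presentation form of an empty salt


def parse_nsec3param(line):
    """Parse one NSEC3PARAM record in either presentation form."""
    m = FULL_RE.search(line) or SHORT_RE.match(line)
    if not m:
        raise ValueError(f"not an NSEC3PARAM record: {line!r}")
    alg, flags, iters, salt = m.groups()
    return Nsec3Param(int(alg), int(flags), int(iters), salt.upper())


def check_rfc9276(p):
    """Return a list of findings; an empty list means the record follows RFC 9276."""
    findings = []
    if p.hash_alg != 1:
        # SHA-1 (1) is the only hash algorithm defined for NSEC3.
        findings.append(f"hash algorithm {p.hash_alg} is not 1 (SHA-1)")
    if p.flags != 0:
        # RFC 5155 reserves the NSEC3PARAM flags field; it must be zero.
        findings.append(f"flags={p.flags}; NSEC3PARAM flags must be 0")
    if p.iterations != 0:
        findings.append(f"iterations={p.iterations}; RFC 9276 recommends 0")
    if p.salt != "-":
        findings.append(f"salt={p.salt} ({len(p.salt) // 2} bytes); RFC 9276 recommends an empty salt")
    return findings


def check_line(line):
    """Convenience wrapper: parse a record line and return its findings."""
    return check_rfc9276(parse_nsec3param(line))


if __name__ == "__main__":
    # Constructed samples: the old policy (iterations 5, 8-byte salt) and the new one.
    samples = [
        "example.com. 3600 IN NSEC3PARAM 1 0 5 ABCDEF0123456789",
        "example.com. 3600 IN NSEC3PARAM 1 0 0 -",
    ]
    for s in samples:
        findings = check_line(s)
        status = "OK" if not findings else "; ".join(findings)
        print(f"{s}\n  -> {status}")
```

Run it against each signed zone once the server has been reloaded; if the old parameters are still reported, the new NSEC3 chain has not been activated yet.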