On 19-01-2021 16:47, Shumon Huque wrote:
On Tue, Jan 19, 2021 at 8:44 AM Viktor Dukhovni <[email protected]> wrote:
Sorry for leaving this vague. Changing the salt requires rebuilding the
entire NSEC3 chain, and so is difficult to combine with incremental zone
signing (such as BIND's "auto-dnssec maintain"). If you're doing
periodic whole zone signing, which reconstructs the entire chain, you
can change the salt at will each time the zone is signed from scratch.
If, on the other hand, the zone is signed incrementally as individual
records are modified, then there is not an opportunity to change the
salt, which needs to be consistent across the entire chain.
It should work with incremental signing too. I haven't actually tried it
with BIND's 'auto-dnssec maintain' - perhaps ISC folks can confirm.
Yes, that should work.
BIND 9 is able to keep multiple chains. If you change the NSEC3
parameters on a DNSSEC maintained zone the new NSEC3 chain will be built
and only if it is complete the old NSEC3 chain will be removed from the
zone.
- Matthijs
The way it should work is that you tell the BIND signing server that you're
updating the NSEC3 parameters (by dynamic update or issuing an 'rndc'
control command). It will then in the background rebuild a second complete
NSEC3 chain. While doing this, it will temporarily house the NSEC3PARAM
data in a private record (so that the auth servers don't instantly start
using that chain to construct negative responses), and will only make that
visible in the apex NSEC3PARAM record once the chain has been fully built.
You can then delete the old NSEC3PARAM.
Shumon.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
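Added example, not from the thread and not BIND's own code: the NSEC3 hashed owner-name computation from RFC 5155, fed by an apex NSEC3PARAM record in presentation form, showing that a new salt rehashes every name in the zone, which is why the complete second chain has to exist before the new NSEC3PARAM is published. The first parameter set is the RFC 5155 Appendix A example; the zone names and the second salt are constructed.

```python
import base64
import hashlib

# NSEC3 owner-name hashing per RFC 5155 section 5 (hash algorithm 1 = SHA-1).
# Base32 with the "extended hex" alphabet is b32encode with the alphabet remapped.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM rdata such as '1 0 12 aabbccdd'; a salt of '-' is empty."""
    alg, flags, iterations, salt = rdata.split()
    if int(alg) != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def wire_name(name):
    """Canonical (lowercase) wire form of a domain name, e.g. b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, iterations, salt):
    """H(x) = SHA-1(x || salt), applied iterations+1 times to the wire-format name."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def chain_owner_names(names, nsec3param):
    """Map each zone name to the NSEC3 owner name it gets under these parameters."""
    _, _, iterations, salt = parse_nsec3param(nsec3param)
    return {n: nsec3_hash(n, iterations, salt) for n in names}


def changed_owner_names(names, old_param, new_param):
    """Names whose NSEC3 owner name differs between the old and the new parameters."""
    old = chain_owner_names(names, old_param)
    new = chain_owner_names(names, new_param)
    return sorted(n for n in names if old[n] != new[n])


if __name__ == "__main__":
    # Constructed sample zone; RFC 5155 Appendix A parameters, then a new salt.
    zone_names = ["example.", "a.example.", "ns1.example."]
    for n, h in chain_owner_names(zone_names, "1 0 12 aabbccdd").items():
        print(f"{h}.example.  <-  {n}")
    print("rehashed by salt change:",
          changed_owner_names(zone_names, "1 0 12 aabbccdd", "1 0 12 00112233"))
```

With a real zone, feeding the names from the zone file and the NSEC3PARAM currently at the apex gives the set of hashed owner names an operator should see in full before the old parameters are deleted.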