diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index bc45bdf8ef..7df574e58a 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -76,6 +76,8 @@ DNSSEC-POLICY
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime duration_or_unlimited algorithm string [ integer ]; ... };
 max-zone-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
 parent-ds-ttl duration;
 parent-propagation-delay duration;
 publish-safety duration;
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 094ad56b06..f3d286eb1a 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -22,6 +22,7 @@ dnssec-policy "test" {
 csk key-directory lifetime unlimited algorithm rsasha256 2048;
 };
 max-zone-ttl 86400;
+ nsec3param iterations 5 optout no salt "deadbeef";
 parent-ds-ttl 7200;
 parent-propagation-delay PT1H;
 publish-safety PT3600S;
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 0dabe5424c..a07e7c2914 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -22,6 +22,7 @@ dnssec-policy "test" {
 csk key-directory lifetime P30D algorithm 8 2048;
 };
 max-zone-ttl 86400;
+ nsec3param ;
 parent-ds-ttl 7200;
 parent-propagation-delay PT1H;
 publish-safety PT3600S;
diff --git a/doc/arm/dnssec.rst b/doc/arm/dnssec.rst
index 0a8bafd2cc..67d01da364 100644
--- a/doc/arm/dnssec.rst
+++ b/doc/arm/dnssec.rst
@@ -248,17 +248,21 @@ removed after the update request completes.
 
 Converting From NSEC to NSEC3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-To do this, an NSEC3PARAM record must be added. When the
-conversion is complete, the NSEC chain is removed and the
-NSEC3PARAM record has a zero flag field. The NSEC3 chain is
-generated before the NSEC chain is destroyed.
+Add a ``nsec3param`` option to your ``dnssec-policy`` and
+run ``rndc reconfig``.
 
-NSEC3 is not yet supported with ``dnssec-policy``.
+Or use ``nsupdate`` to add an NSEC3PARAM record.
+
+In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
+added before the NSEC chain is destroyed.
 
 Converting From NSEC3 to NSEC
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-To do this, use ``nsupdate`` to remove all NSEC3PARAM records with a
+To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
+run ``rndc reconfig``.
+
+Or use ``nsupdate`` to remove all NSEC3PARAM records with a
 zero flag field. The NSEC chain is generated before the NSEC3 chain is
 removed.
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index dec927ebbd..61ce2f6e37 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4938,6 +4938,18 @@ The following options can be specified in a ``dnssec-policy`` statement:
 A `max-zone-ttl` of zero is treated as if the default value were in use.
 
+ ``nsec3param`` Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
+
+ Here is an example (for illustration purposes only) of a ``nsec3`` configuration:
+
+ ::
+
+ nsec3param ttl 0 iterations 5 optout no salt "-";
+
+ The default is to use NSEC.
+
 ``zone-propagation-delay``
 This is the expected propagation delay from the time when a zone is first updated to the time when the new version of the
diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy
index 0b43d4fea8..cc93f85129 100644
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@@ -126,10 +126,9 @@ dnssec-policy "nsec3" {
 signatures-validity P14D;
 signatures-validity-dnskey P14D;
 
- // Denial of existence
- denial-type nsec3;
- nsec3-param ttl 0 hash algorithm 1 iterations 5 optout;
- nsec3-salt length 8 resalt P100D;
+ // Denial of existence (default NSEC)
+ nsec3param iterations 5 optout no salt "-";
+ nsec3-resalt P100D;
 
 // Keys
 dnskey-ttl 3600;
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 3afab59a19..ff002cbb5b 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -105,6 +105,8 @@ dnssec\-policy string {
 keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime duration_or_unlimited algorithm string [ integer ]; ... };
 max\-zone\-ttl duration;
+ nsec3param [ iterations integer ] [ optout boolean ] [ salt
+ string ];
 parent\-ds\-ttl duration;
 parent\-propagation\-delay duration;
 publish\-safety duration;
diff --git a/doc/misc/dnssec-policy.grammar.rst b/doc/misc/dnssec-policy.grammar.rst
index 951983cf1d..c9771fcb3d 100644
--- a/doc/misc/dnssec-policy.grammar.rst
+++ b/doc/misc/dnssec-policy.grammar.rst
@@ -5,6 +5,8 @@
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
diff --git a/doc/misc/options b/doc/misc/options
index 692880347c..58a8c22728 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -26,6 +26,8 @@ dnssec-policy {
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 parent-registration-delay ; // obsolete
diff --git a/doc/misc/options.active b/doc/misc/options.active
index ae39dc029f..0ef3b52ef6 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -26,6 +26,8 @@ dnssec-policy {
 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... };
 max-zone-ttl ;
+ nsec3param [ iterations ] [ optout ] [ salt
+ ];
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 0694863f70..42e4e1968f 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -567,6 +567,40 @@ static cfg_type_t cfg_type_kaspkey = { "kaspkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, kaspkey_fields };
 
+/*%
+ * NSEC3 parameters.
+ */
+static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3iter = {
+ "iterations", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_uint32, &nsec3iter_kw
+};
+
+static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
+static cfg_type_t cfg_type_nsec3optout = {
+ "optout", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_boolean, &nsec3optout_kw
+};
+
+static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
+static cfg_type_t cfg_type_nsec3salt = {
+ "salt", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_string, &nsec3salt_kw
+};
+
+static cfg_tuplefielddef_t nsec3param_fields[] = {
+ { "iterations", &cfg_type_nsec3iter, 0 },
+ { "optout", &cfg_type_nsec3optout, 0 },
+ { "salt", &cfg_type_nsec3salt, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nsec3 = { "nsec3param", cfg_parse_tuple,
+ cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, nsec3param_fields };
+
 /*%
  * Wild class, type, name.
  */
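Review bot: `iterations` is typed as a bare `cfg_type_uint32` and `salt` as a bare `cfg_type_sstring`, so nothing in this grammar rejects an iteration count above the RFC 5155 §10.3 cap for the zone's key size or a salt that is not an even-length hex string of at most 255 octets, and a policy that passes named-checkconf could still yield NSEC3 chains that validators treat as insecure; if that validation does not already live in the code that consumes `cfg_type_nsec3` (not in this diff), add it there and leave a pointer above `nsec3param_fields` such as `/* iterations/salt ranges are checked when the kasp is built, not here */`. The example added to doc/arm/reference.rst in this same commit, `nsec3param ttl 0 iterations 5 optout no salt "-";`, uses a `ttl` keyword that `nsec3param_fields` does not define, so as written it would be rejected by the parser; either drop `ttl 0` from the example or add the field, and the phrase "a ``nsec3`` configuration" there presumably means ``nsec3param``. Since `cfg_parse_tuple` walks the fields in order, the three optional keywords presumably have to appear as iterations, optout, salt, which the `[ ... ] [ ... ] [ ... ]` rendering in the grammar files does not convey; a sentence in reference.rst stating the order would save users a confusing syntax error.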
@@ -2089,6 +2123,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "dnskey-ttl", &cfg_type_duration, 0 },
 { "keys", &cfg_type_kaspkeys, 0 },
 { "max-zone-ttl", &cfg_type_duration, 0 },
+ { "nsec3param", &cfg_type_nsec3, 0 },
 { "parent-ds-ttl", &cfg_type_duration, 0 },
 { "parent-propagation-delay", &cfg_type_duration, 0 },
 { "parent-registration-delay", &cfg_type_duration,