[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)

Shumon Huque shuque at gmail.com
Tue Jan 19 15:47:36 UTC 2021

On Tue, Jan 19, 2021 at 8:44 AM Viktor Dukhovni <ietf-dane at dukhovni.org>

> Sorry for leaving this vague.  Changing the salt requires rebuilding the
> entire NSEC3 chain, and so is difficult to combine with incremental zone
> signing (such as BIND's "auto-dnssec maintain").  If you're doing
> periodic whole zone signing, which reconstructs the entire chain, you
> can change the salt at will each time the zone is signed from scratch.
> If, on the other hand, the zone is signed incrementally as individual
> records are modified, then there is not an opportunity to change the
> salt, which needs to be consistent across the entire chain.

It should work with incremental signing too. I haven't actually tried it with
BIND's 'auto-dnssec maintain' - perhaps ISC folks can confirm.

The way it should work is that you tell the BIND signing server that you're
updating the NSEC3 parameters (by dynamic update or issuing an 'rndc'
control command). It will then in the background rebuild a second complete
NSEC3 chain. While doing this, it will temporarily house the NSEC3PARAM
data in a private record (so that the auth servers don't instantly start
using that chain to construct negative responses), and will only make that visible
in the apex NSEC3PARAM record once the chain has been fully built. You
can then delete the old NSEC3PARAM.
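The reason the salt cannot change piecemeal, as the quoted message says, and why the subject line's "1 0 0 -" (SHA-1, flags 0, zero extra iterations, empty salt) is simply one input to the same function, is the NSEC3 owner-name hash from RFC 5155 section 5: the salt is mixed into every digest, so every hashed owner name, and therefore the sort order that forms the chain, changes at once. Below is an added example (not code from this thread, from BIND, or from any of its participants) that implements that hash and counts how many chain entries a parameter change invalidates. The sample owner names are constructed; the one expected hash comes from the RFC 5155 Appendix A test vector.

```python
import base64
import hashlib

# Python's base64 module emits RFC 4648 base32 (A-Z, 2-7); NSEC3 owner names
# use base32hex (0-9, A-V), so translate one alphabet into the other.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    name = name.strip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def nsec3_hash(name: str, salt: str, iterations: int) -> str:
    """RFC 5155 s.5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).

    `salt` is the presentation form from NSEC3PARAM: hex digits, or "-"
    for no salt.  `iterations` is the number of ADDITIONAL hash rounds,
    so "1 0 0 -" is exactly one SHA-1 over the wire-format name.
    """
    salt_bytes = b"" if salt in ("-", "") else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt: str, iterations: int):
    """Hash every owner name and sort by hash: that order *is* the NSEC3 chain."""
    return sorted((nsec3_hash(n, salt, iterations), n) for n in names)


def records_needing_rebuild(names, old_params, new_params) -> int:
    """Count chain entries whose hashed owner name differs after a parameter change.

    old_params / new_params are (salt, iterations) tuples as found in NSEC3PARAM.
    A salt or iteration change yields len(names): the whole chain must be rebuilt.
    """
    old_hashes = {h for h, _ in nsec3_chain(names, *old_params)}
    new_hashes = {h for h, _ in nsec3_chain(names, *new_params)}
    return len(new_hashes - old_hashes)


# Constructed sample zone contents (hypothetical names, not from any real zone).
SAMPLE_NAMES = ["example", "ns1.example", "www.example", "mail.example",
                "a.example", "b.example", "xx.example"]

if __name__ == "__main__":
    old = ("aabbccdd", 12)      # RFC 5155 Appendix A parameters
    new = ("1122334455", 12)    # a rotated salt, same iteration count
    bcp = ("-", 0)              # the "1 0 0 -" of the subject line
    print("H(example) under", old, "=", nsec3_hash("example", *old))
    for params in (old, new, bcp):
        print(params, [h for h, _ in nsec3_chain(SAMPLE_NAMES, *params)][:3], "...")
    print("entries to rebuild on salt change:",
          records_needing_rebuild(SAMPLE_NAMES, old, new), "of", len(SAMPLE_NAMES))
    print("entries to rebuild on no change:",
          records_needing_rebuild(SAMPLE_NAMES, old, old))
```

Running it shows that rotating only the salt (or changing the iteration count) leaves no entry of the old chain reusable, which is why a signer must build a complete second chain before exposing new NSEC3PARAM data, exactly the behaviour described above; with "1 0 0 -" there is no salt to rotate and nothing to schedule.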
