[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)

[Matthijs Mekking]

On 19-01-2021 16:47, Shumon Huque wrote:
> On Tue, Jan 19, 2021 at 8:44 AM Viktor Dukhovni <ietf-dane at dukhovni.org 
> <mailto:ietf-dane at dukhovni.org>> wrote:
> 
> 
>     Sorry for leaving this vague.  Changing the salt requires rebuilding the
>     entire NSEC3 chain, and so is difficult to combine with incremental zone
>     signing (such as BIND's "auto-dnssec maintain").  If you're doing
>     periodic whole zone signing, which reconstructs the entire chain, you
>     can change the salt at will each time the zone is signed from scratch.
> 
>     If, on the other hand, the zone is signed incrementally as individual
>     records are modified, then there is not an opportunity to change the
>     salt, which needs to be consistent across the entire chain.
> 
> 
> It should work with incremental signing too. I haven't actually tried it 
> with
> BIND's 'auto-dnssec maintain' - perhaps ISC folks can confirm.

Yes, that should work.

BIND 9 is able to keep multiple chains. If you change the NSEC3 
parameters on a DNSSEC maintained zone the new NSEC3 chain will be built 
and only if it is complete the old NSEC3 chain will be removed from the 
zone.

- Matthijs

> 
> The way it should work is that you tell the BIND signing server that you're
> updating the NSEC3 parameters (by dynamic update or issuing an 'rndc'
> control command). It will then in the background rebuild a second complete
> NSEC3 chain. While doing this, it will temporarily house the NSEC3PARAM
> data in a private record (so that the auth servers don't instantly start 
> using
> that chain to construct negative responses), and will only make that visible
> in the apex NSEC3PARAM record once the chain has been fully built. You
> can then delete the old NSEC3PARAM.
> 
> Shumon.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>