[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)
matthijs at pletterpet.nl
Wed Jan 20 10:09:28 UTC 2021
On 19-01-2021 16:47, Shumon Huque wrote:
> On Tue, Jan 19, 2021 at 8:44 AM Viktor Dukhovni <ietf-dane at dukhovni.org
> <mailto:ietf-dane at dukhovni.org>> wrote:
> Sorry for leaving this vague. Changing the salt requires rebuilding the
> entire NSEC3 chain, and so is difficult to combine with incremental zone
> signing (such as BIND's "auto-dnssec maintain"). If you're doing
> periodic whole zone signing, which reconstructs the entire chain, you
> can change the salt at will each time the zone is signed from scratch.
> If, on the other hand, the zone is signed incrementally as individual
> records are modified, then there is not an opportunity to change the
> salt, which needs to be consistent across the entire chain.
> It should work with incremental signing too. I haven't actually tried it
> BIND's 'auto-dnssec maintain' - perhaps ISC folks can confirm.
Yes, that should work.
BIND 9 is able to keep multiple chains. If you change the NSEC3
parameters on a DNSSEC maintained zone the new NSEC3 chain will be built
and only if it is complete the old NSEC3 chain will be removed from the
> The way it should work is that you tell the BIND signing server that you're
> updating the NSEC3 parameters (by dynamic update or issuing an 'rndc'
> control command). It will then in the background rebuild a second complete
> NSEC3 chain. While doing this, it will temporarily house the NSEC3PARAM
> data in a private record (so that the auth servers don't instantly start
> that chain to construct negative responses), and will only make that visible
> in the apex NSEC3PARAM record once the chain has been fully built. You
> can then delete the old NSEC3PARAM.
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
More information about the dns-operations