diff --git a/CHANGES b/CHANGES
index d6bcfc2939..128da21376 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+5316. [func] A new "dnssec-policy" option has been added to
+ named.conf to implement a key and signing policy
+ (KASP) for zones. When this option is in use,
+ named can generate new keys as needed and
+ automatically roll both ZSK and KSK keys. (Note
+ that the syntax for this statement differs from
+ the dnssec policy used by dnssec-keymgr.)
+
+ See the ARM for configuration details. [GL #1134]
+
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
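Review bot: the new entry says named can "automatically roll both ZSK and KSK keys", but the ARM text in this same patch also documents a third key type, `csk`, that "will sign all RRsets"; say "ZSK, KSK and CSK keys" (or "all key types") so the changelog matches the feature. While here, the unchanged 5315 entry below carries "inital" for "initial"; not part of this change, but worth fixing in a follow-up since this patch is already touching the top of CHANGES.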
diff --git a/README.md b/README.md
index ac0abb5ad2..9bd13231c7 100644
--- a/README.md
+++ b/README.md
@@ -127,6 +127,8 @@ BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
+* New "dnssec-policy" statement to configure a key and signing policy
+ for zones, enabling automatic key regeneration and rollover.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using `dnssec-keys`
* YAML output for `dig`, `mdig`, and `delv`.
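Review bot: quoting is inconsistent with the neighbouring bullet. The new line writes `"dnssec-policy"` in double quotes while the existing bullet two lines down writes `` `dnssec-keys` `` in backticks; use backticks for the statement name so both render as code. "key regeneration" also reads as re-creating existing keys; the CHANGES entry says named can "generate new keys as needed", so "automatic key generation and rollover" is the more accurate phrasing.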
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 2562c1f348..a7092fb8c0 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -3127,6 +3127,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
describes a DNSSEC key and signing policy for zones.
+ See for details.
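Review bot: as shown in the hunk the added sentence reads "See for details." with no visible link target between "See" and "for"; confirm the cross-reference (to the dnssec-policy statement grammar/definition section) carries a resolvable target in the XML, otherwise the rendered ARM will print exactly that dangling sentence.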
@@ -11043,8 +11044,8 @@ example.com CNAME rpz-tcp-only.
dnskey-ttl
- The TTL of the DNSKEY resource records.
- Default is 3600 seconds.
+ The TTL of the DNSKEY resource records.
+ Default is 3600 seconds.
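Review bot: this is an indentation-only change, but while the line is being touched the units are inconsistent with the rest of the section: `dnskey-ttl` is documented as "Default is 3600 seconds." whereas every other dnssec-policy duration in this patch is given in ISO 8601 form (`PT5M`, `P5D`, `P2W`, `PT24H`, `PT1H`). Either write "Default is PT1H (1 hour)." or state explicitly which syntaxes the option accepts.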
@@ -11053,9 +11054,9 @@ example.com CNAME rpz-tcp-only.
keys
- A list of keys to use. Each line represents one key. Here is
- an example (for illustration purposes only) of some possible
- keys in a dnssec-policy:
+ A list of keys to use. Each line represents one key. Here is
+ an example (for illustration purposes only) of some possible
+ keys in a dnssec-policy:
keys {
@@ -11066,29 +11067,29 @@ example.com CNAME rpz-tcp-only.
- This example lists three keys. The first token determines
- what RRsets the key will sign. If set to
- ksk the key will sign the DNSKEY, CDS,
- and CDNSKEY RRsets, if set to zsk the
- key will sign the other RRsets, and if set to
- csk the key will sign all RRsets.
+ This example lists three keys. The first token determines
+ what RRsets the key will sign. If set to
+ ksk the key will sign the DNSKEY, CDS,
+ and CDNSKEY RRsets, if set to zsk the
+ key will sign the other RRsets, and if set to
+ csk the key will sign all RRsets.
- The following part determines where the key will be stored.
- Currently keys can only be stored in the configured
- key-directory.
+ The following part determines where the key will be stored.
+ Currently keys can only be stored in the configured
+ key-directory.
- The third token tells how long the key may be used. In the
- example the first key has a lifetime of 5 years, the second
- key may be used for 30 days and the third key has a rather
- peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
- seconds.
+ The third token tells how long the key may be used. In the
+ example the first key has a lifetime of 5 years, the second
+ key may be used for 30 days and the third key has a rather
+ peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
+ seconds.
- The last token(s) are the key's algorithm and algorithm length.
- The length may be omitted as shown in the example for the
- second and third key.
+ The last token(s) are the key's algorithm and algorithm
+ length. The length may be omitted as shown in the
+ example for the second and third key.
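Review bot: the re-wrapped paragraphs keep several wording problems that could be fixed in the same change. "as shown in the example for the second and third key" should be "keys"; "tells how long the key may be used" is better as "specifies the key lifetime"; and "a rather peculiar lifetime of 6 months, 12 hours, 3 minutes and 15 seconds" is chatty for a reference manual. The text also says the length "may be omitted" without saying what that means (algorithm default? fixed-size algorithm?), which is the question an operator writing a policy will actually have; one sentence stating when omission is valid would close that gap.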
@@ -11097,9 +11098,10 @@ example.com CNAME rpz-tcp-only.
publish-safety
- A margin that is added to the publish interval in key timing
- equations to give some extra time to cover unforeseen events.
- Default is PT5M (5 minutes).
+ A margin that is added to the publish interval in key
+ timing equations to give some extra time to cover
+ unforeseen events. Default is PT5M
+ (5 minutes).
@@ -11108,9 +11110,10 @@ example.com CNAME rpz-tcp-only.
retire-safety
- A margin that is added to the retire interval in key timing
- equations to give some extra time to cover unforeseen events.
- Default is PT5M (5 minutes).
+ A margin that is added to the retire interval in key
+ timing equations to give some extra time to cover
+ unforeseen events. Default is PT5M
+ (5 minutes).
@@ -11119,13 +11122,13 @@ example.com CNAME rpz-tcp-only.
signatures-refresh
- This determines when a RRSIG record needs to be refreshed.
- The signatures is renewed when the time until the expiration
- time is closer than signatures-refresh.
- signatures-resign interval.
- Default is P5D (5 days), meaning a
- signature that will expire in 5 days or sooner will be
- refreshed.
+ This determines when a RRSIG record needs to be
+ refreshed. The signatures is renewed when the time until
+ the expiration time is closer than
+ signatures-refresh.
+ signatures-resign interval. Default
+ is P5D (5 days), meaning a signature
+ that will expire in 5 days or sooner will be refreshed.
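Review bot: the reflow preserves a broken sentence. "The signatures is renewed when the time until the expiration time is closer than signatures-refresh. signatures-resign interval." has a grammar error ("signatures is") and a stray fragment "signatures-resign interval." that is not a documented option in this section and ends the sentence mid-thought. Suggest: "A signature is renewed when the time until its expiration is shorter than signatures-refresh." and drop the "signatures-resign interval" fragment unless that option is meant to be documented here.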
@@ -11134,9 +11137,9 @@ example.com CNAME rpz-tcp-only.
signatures-validity
- The validity period of an RRSIG record (minus the inception
- offset and jitter). Default is P2W
- (2 weeks).
+ The validity period of an RRSIG record (minus the
+ inception offset and jitter). Default is
+ P2W (2 weeks).
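Review bot: the description does not state the constraint between this option and `signatures-refresh` documented just above. Since a signature is refreshed when its remaining lifetime drops below signatures-refresh, signatures-refresh must be shorter than signatures-validity (the defaults P5D and P2W satisfy this); say so here, and say what named does if a policy violates it, because a misconfiguration here means signatures expire before they are re-signed.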
@@ -11145,8 +11148,9 @@ example.com CNAME rpz-tcp-only.
signatures-validity-dnskey
- Like signatures-validity but for DNSKEY
- records. Default is P2W (2 weeks).
+ Like signatures-validity but for
+ DNSKEY records. Default is P2W (2
+ weeks).
@@ -11155,32 +11159,32 @@ example.com CNAME rpz-tcp-only.
zone-max-ttl
- Like max-zone-ttl, specifies the maximum
- permissible TTL value in seconds. When loading a zone file
- using a or
- text or raw,
- any record encountered with a TTL higher than
- will be capped to the maximum
- permissible TTL value.
+ Like max-zone-ttl, specifies the
+ maximum permissible TTL value in seconds. When loading a
+ zone file using a or
+ text or raw,
+ any record encountered with a TTL higher than
+ will be capped to the
+ maximum permissible TTL value.
- This is needed in DNSSEC-maintained zones because when
- rolling to a new DNSKEY, the old key needs to remain
- available until RRSIG records have expired from
- caches. The option guarantees
- that the largest TTL in the zone will be no higher than the
- set value.
+ This is needed in DNSSEC-maintained zones because when
+ rolling to a new DNSKEY, the old key needs to remain
+ available until RRSIG records have expired from caches.
+ The option guarantees that
+ the largest TTL in the zone will be no higher than the
+ set value.
+
+
+ (NOTE: Because map-format files
+ load directly into memory, this option cannot be
+ used with them.)
+
+
+ The default value is PT24H (24 hours).
+ A of zero is treated as if
+ the default value is in use.
-
- (NOTE: Because map-format files
- load directly into memory, this option cannot be
- used with them.)
-
-
- The default value is PT24H (24 hours).
- A of zero is treated as if
- the default value is in use.
-
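Review bot: the moved text keeps two defects that should be fixed while the paragraphs are being rearranged. First, the option is described as "the maximum permissible TTL value in seconds" but its default is given as "PT24H (24 hours)", an ISO 8601 duration, so either "in seconds" is wrong or the default is in the wrong notation; align one with the other. Second, "When loading a zone file using a or text or raw," and "A of zero is treated as if" are missing the element names they refer to (the zone-file format option and the option name itself); as rendered in this hunk those sentences are unreadable, so check that the inline markup survives in the XML. The NOTE about map-format files and the default-value paragraph are now placed before the end of the entry rather than after it, which reads fine.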
@@ -11188,10 +11192,11 @@ example.com CNAME rpz-tcp-only.
zone-propagation-delay
- The expected propagation delay from when a zone is updated
- and when the new version of the zone is served by all its
- name servers. Default is PT5M (5 minutes).
-
+ The expected propagation delay from when a zone is
+ updated and when the new version of the zone is served by
+ all its name servers. Default is
+ PT5M (5 minutes).
+
@@ -11199,9 +11204,9 @@ example.com CNAME rpz-tcp-only.
parent-ds-ttl
- The TTL of the DS RRset that the parent uses. Default is
- PT1H (1 hour).
-
+ The TTL of the DS RRset that the parent uses. Default is
+ PT1H (1 hour).
+
@@ -11209,11 +11214,11 @@ example.com CNAME rpz-tcp-only.
parent-propagation-delay
- The expected propagation delay from when the parent zone is
- updated and when the new version of the parent zone is served
- by all its name servers. Default is
- PT1H (1 hour).
-
+ The expected propagation delay from when the parent zone
+ is updated and when the new version of the parent zone is
+ served by all its name servers. Default is
+ PT1H (1 hour).
+
@@ -11221,15 +11226,14 @@ example.com CNAME rpz-tcp-only.
parent-registration-delay
- The expected registration delay from when a DS RRset change
- is requested and when the DS RRset has been updated in the
- parent zone. Default is P1D (1 day).
+ The expected registration delay from when a DS RRset
+ change is requested and when the DS RRset has been
+ updated in the parent zone. Default is
+ P1D (1 day).
-
-
managed-keys Statement Grammar
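Review bot: this hunk removes two lines at the very end of the parent-registration-delay entry, immediately before "managed-keys Statement Grammar". They are shown empty here, but in an XML document lines at a section boundary are usually closing elements; please confirm they were whitespace only and that the variablelist/section containing the dnssec-policy options is still well-formed after the deletion (a quick build of the ARM would catch it).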
diff --git a/doc/arm/notes-new-features.xml b/doc/arm/notes-new-features.xml
index 95c27fb0db..5f10e70476 100644
--- a/doc/arm/notes-new-features.xml
+++ b/doc/arm/notes-new-features.xml
@@ -11,6 +11,16 @@
New Features
+
+
+ The new dnssec-policy option allows the
+ configuration key and signing policy (KASP) for zones. This
+ option enables named to generate new keys
+ as needed and automatically roll both ZSK and KSK keys.
+ (Note that the syntax for this statement differs from the dnssec
+ policy used by dnssec-keymgr.) [GL #1134]
+
+
Added a new statistics variable tcp-highwater
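Review bot: "allows the configuration key and signing policy (KASP) for zones" is missing a word; it should read "allows the configuration of a key and signing policy (KASP) for zones". The rest of the paragraph duplicates the CHANGES entry verbatim, including "automatically roll both ZSK and KSK keys", so if the CHANGES wording is widened to cover CSK keys (which the ARM text in this patch documents), keep the two in sync.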