<!--
 - Copyright (C) 2010, 2011, 2015-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>

  <section><info><title>Converting from insecure to secure</title></info>

  </section>
  <para>Changing a zone from insecure to secure can be done in two
  ways: using a dynamic DNS update, or the
  <command>auto-dnssec</command> zone option.</para>
  <para>For either method, you need to configure
  <command>named</command> so that it can see the
  <filename>K*</filename> files which contain the public and private
  parts of the keys that will be used to sign the zone. These files
  will have been generated by
  <command>dnssec-keygen</command>. You can do this by placing them
  in the key-directory, as specified in
  <filename>named.conf</filename>:</para>
  <programlisting>
    zone example.net {
        type master;
        update-policy local;
        file "dynamic/example.net/example.net";
        key-directory "dynamic/example.net";
    };
</programlisting>
  <para>If one KSK and one ZSK DNSKEY key have been generated, this
  configuration will cause all records in the zone to be signed
  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
  well. An NSEC chain will be generated as part of the initial
  signing process.</para>
  <section><info><title>Dynamic DNS update method</title></info>

  </section>
  <para>To insert the keys via dynamic update:</para>
  <screen>
    % nsupdate
    &gt; ttl 3600
    &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
    &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
    &gt; send
</screen>
  <para>While the update request will complete almost immediately,
  the zone will not be completely signed until
  <command>named</command> has had time to walk the zone and
  generate the NSEC and RRSIG records. The NSEC record at the apex
  will be added last, to signal that there is a complete NSEC
  chain.</para>
  <para>If you wish to sign using NSEC3 instead of NSEC, you should
  add an NSEC3PARAM record to the initial update request. If you
  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
  flags field of the NSEC3PARAM record.</para>
  <screen>
    % nsupdate
    &gt; ttl 3600
    &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
    &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
    &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
    &gt; send
</screen>
  <para>Again, this update request will complete almost
  immediately; however, the record won't show up until
  <command>named</command> has had a chance to build or remove the
  relevant chain. A private type record will be created to record
  the state of the operation (see below for more details), and will
  be removed once the operation completes.</para>
  <para>While the initial signing and NSEC/NSEC3 chain generation
  is happening, other updates are possible as well.</para>
  <section><info><title>Fully automatic zone signing</title></info>

  </section>
  <para>To enable automatic signing, add the
  <command>auto-dnssec</command> option to the zone statement in
  <filename>named.conf</filename>.
  <command>auto-dnssec</command> has two possible arguments:
  <constant>allow</constant> or
  <constant>maintain</constant>.</para>
  <para>With
  <command>auto-dnssec allow</command>,
  <command>named</command> can search the key directory for keys
  matching the zone, insert them into the zone, and use them to
  sign the zone. It will do so only when it receives an
  <command>rndc sign &lt;zonename&gt;</command> command.</para>
  <para>
  <command>auto-dnssec maintain</command> includes the above
  functionality, but will also automatically adjust the zone's
  DNSKEY records on schedule according to the keys' timing metadata.
  (See <xref linkend="man.dnssec-keygen"/> and
  <xref linkend="man.dnssec-settime"/> for more information.)
  </para>
  <para>
  <command>named</command> will periodically search the key directory
  for keys matching the zone, and if the keys' metadata indicates
  that any change should be made to the zone, such as adding, removing,
  or revoking a key, then that action will be carried out. By default,
  the key directory is checked for changes every 60 minutes; this period
  can be adjusted with the <option>dnssec-loadkeys-interval</option>
  option, up to a maximum of 24 hours. The <command>rndc loadkeys</command>
  command forces <command>named</command> to check for key updates
  immediately.
  </para>
  <para>
  If keys are present in the key directory the first time the zone
  is loaded, the zone will be signed immediately, without waiting for an
  <command>rndc sign</command> or <command>rndc loadkeys</command>
  command. (Those commands can still be used when there are unscheduled
  key changes, however.)
  </para>
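  <para>The following is an added example, not part of the BIND documentation
  or of <command>named</command> itself. It evaluates key timing metadata the
  way the text above describes <command>auto-dnssec maintain</command>: for a
  chosen moment it reports which keys should be published, actively signing,
  inactive or deleted, and which timing event the next key-directory check
  (periodic, or forced with <command>rndc loadkeys</command>) would act on.
  The two key files are constructed and carry only their metadata lines; it is
  assumed that they follow the layout of the <filename>.private</filename>
  files written by <command>dnssec-keygen</command> (fields such as
  "Publish: YYYYMMDDHHMMSS", in UTC).</para>
  <programlisting><![CDATA[
```python
from datetime import datetime, timezone

TIMING_FIELDS = ("Publish", "Activate", "Revoke", "Inactive", "Delete")

# Constructed sample: two ZSKs for example.net, the first retiring on 1 Feb 2017
# and its successor pre-published two weeks earlier. Only the metadata lines are
# shown; real .private files also contain the key material.
KEY_FILES = {
    "Kexample.net.+007+11111.private": """\
Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Created: 20170101000000
Publish: 20170101000000
Activate: 20170101000000
Inactive: 20170201000000
Delete: 20170301000000
""",
    "Kexample.net.+007+22222.private": """\
Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Created: 20170115000000
Publish: 20170115000000
Activate: 20170201000000
""",
}


def utc(stamp, fmt="%Y%m%d%H%M%S"):
    """Parse a dnssec-keygen style timestamp (assumed UTC) into an aware datetime."""
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_timing(text):
    """Return {field: datetime} for the timing lines of one key file."""
    meta = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in TIMING_FIELDS:
            meta[name] = utc(value.strip())
    return meta


def key_state(meta, now):
    """State named would put the key in at `now`, from its timing metadata."""
    publish, activate = meta.get("Publish"), meta.get("Activate")
    revoke, inactive, delete = meta.get("Revoke"), meta.get("Inactive"), meta.get("Delete")
    if publish is None or now < publish:
        return "unpublished"        # no DNSKEY in the zone yet
    if delete is not None and now >= delete:
        return "deleted"            # DNSKEY removed from the zone
    if revoke is not None and now >= revoke:
        return "revoked"            # DNSKEY kept, with the REVOKE bit set
    if activate is None or now < activate:
        return "published"          # DNSKEY present, not yet signing
    if inactive is not None and now >= inactive:
        return "inactive"           # DNSKEY present, no longer signing
    return "active"                 # signing the zone


def zone_key_states(files, now):
    """Map every key file in the key directory to its state at `now`."""
    return {name: key_state(parse_timing(text), now) for name, text in files.items()}


def next_transition(files, now):
    """Earliest future timing event as (when, keyfile, field), or None.

    This is what the next key-directory scan would find to act on.
    """
    events = sorted((when, name, field)
                    for name, text in files.items()
                    for field, when in parse_timing(text).items()
                    if when > now)
    return events[0] if events else None


if __name__ == "__main__":
    for day in ("2017-01-20", "2017-02-10", "2017-03-05"):
        now = utc(day, "%Y-%m-%d")
        print(day, zone_key_states(KEY_FILES, now), next_transition(KEY_FILES, now))
```
]]></programlisting>
  <para>Because the check interval is at most 24 hours, an event found by
  <function>next_transition</function> is applied up to one interval late
  unless <command>rndc loadkeys</command> is issued; a rollover plan should
  leave that slack between consecutive timing events.</para>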
  <para>
  When new keys are added to a zone, the TTL is set to match that
  of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
  then the TTL will be set to the TTL specified when the key was
  created (using the <command>dnssec-keygen -L</command> option), if
  any, or to the SOA TTL.
  </para>
  <para>
  If you wish the zone to be signed using NSEC3 instead of NSEC,
  submit an NSEC3PARAM record via dynamic update prior to the
  scheduled publication and activation of the keys. If you wish the
  NSEC3 chain to have the OPTOUT bit set, set it in the flags field
  of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
  the zone immediately, but it will be stored for later reference. When
  the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
  record will appear in the zone.
  </para>
  <para>Using the
  <command>auto-dnssec</command> option requires the zone to be
  configured to allow dynamic updates, by adding an
  <command>allow-update</command> or
  <command>update-policy</command> statement to the zone
  configuration. If this has not been done, the configuration will
  fail.</para>
  <section><info><title>Private-type records</title></info>

  </section>
  <para>The state of the signing process is signaled by
  private-type records (with a default type value of 65534). When
  signing is complete, these records will have a nonzero value for
  the final octet (for those records which have a nonzero initial
  octet).</para>
  <para>The private type record format: if the first octet is
  nonzero, the record indicates that the zone needs to be
  signed with the key matching the record, or that all signatures
  that match the record should be removed.</para>
  <para>
  <literallayout>
  algorithm (octet 1)
  key id in network order (octet 2 and 3)
  removal flag (octet 4)
  complete flag (octet 5)
</literallayout>
  </para>
  <para>Only records flagged as "complete" can be removed via
  dynamic update. Attempts to remove other private type records
  will be silently ignored.</para>
  <para>If the first octet is zero (this is a reserved algorithm
  number that should never appear in a DNSKEY record) then the
  record indicates changes to the NSEC3 chains are in progress. The
  rest of the record contains an NSEC3PARAM record. The flag field
  tells what operation to perform based on the flag bits.</para>
  <para>
  <literallayout>
  0x01 OPTOUT
  0x80 CREATE
  0x40 REMOVE
  0x20 NONSEC
</literallayout>
  </para>
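  <para>The following is an added example, not part of the BIND documentation
  or of <command>named</command>. It decodes private-type records as
  <command>dig</command> prints them for an unknown type (RFC 3597
  "\# length hex" form) using the two layouts listed above, and relates a
  signing-state record's key id to the DNSKEY RRs from the
  <command>nsupdate</command> example earlier in this section by computing
  their RFC 4034 key tags. Two assumptions are made: the NSEC3PARAM that
  follows a zero first octet is in RFC 5155 wire format (hash algorithm,
  flags, iterations, salt length, salt), and the private records shown in the
  <literal>__main__</literal> block are constructed, not captured from a
  server.</para>
  <programlisting><![CDATA[
```python
import base64
from dataclasses import dataclass

# Flag bits of the NSEC3PARAM carried in a zero-algorithm record (from the list above).
NSEC3_FLAGS = {0x80: "CREATE", 0x40: "REMOVE", 0x20: "NONSEC", 0x01: "OPTOUT"}

# The two DNSKEY RRs from the nsupdate example above: (flags, protocol, algorithm, key).
PAGE_DNSKEYS = [
    (256, 3, 7, "AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y "
                "I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8="),
    (257, 3, 7, "AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 "
                "XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk="),
]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY wire-format RDATA."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY wire RDATA from presentation fields; the base64 may contain spaces."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def parse_generic_rdata(text):
    """Decode RFC 3597 unknown-type presentation, e.g. r'\# 5 07 D5 FC 00 01'."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not generic (\\#) rdata")
    raw = bytes.fromhex("".join(fields[2:]))
    if len(raw) != int(fields[1]):
        raise ValueError(f"declared length {fields[1]} != {len(raw)} octets")
    return raw


@dataclass
class SigningState:
    algorithm: int
    key_id: int
    removing: bool     # octet 4: strip signatures made with this key
    complete: bool     # octet 5: nonzero once named has finished


@dataclass
class Nsec3State:
    hash_algorithm: int
    flags: list
    iterations: int
    salt_hex: str


def decode_private(raw):
    """Decode one private-type (default TYPE65534) record."""
    if not raw:
        raise ValueError("empty record")
    if raw[0] != 0:
        if len(raw) != 5:
            raise ValueError("signing-state record must be exactly 5 octets")
        return SigningState(raw[0], int.from_bytes(raw[1:3], "big"),
                            raw[3] != 0, raw[4] != 0)
    # Algorithm 0: an NSEC3 chain operation. Assumed layout after the zero
    # octet: NSEC3PARAM in RFC 5155 wire form (hash alg, flags, iterations,
    # salt length, salt).
    if len(raw) < 6:
        raise ValueError("NSEC3PARAM payload too short")
    salt = raw[6:6 + raw[5]]
    if len(salt) != raw[5]:
        raise ValueError("truncated salt")
    names = [name for bit, name in NSEC3_FLAGS.items() if raw[2] & bit]
    return Nsec3State(raw[1], names, int.from_bytes(raw[3:5], "big"), salt.hex() or "-")


def signing_report(dnskeys, private_rdata):
    """One line per private-type record, naming the DNSKEY its key id refers to."""
    by_tag = {key_tag(dnskey_rdata(*k)): k for k in dnskeys}
    lines = []
    for text in private_rdata:
        state = decode_private(parse_generic_rdata(text))
        if isinstance(state, SigningState):
            if state.key_id in by_tag:
                role = {256: "ZSK", 257: "KSK"}.get(by_tag[state.key_id][0], "key")
            else:
                role = "no matching DNSKEY"
            action = "removing signatures of" if state.removing else "signing with"
            status = "complete" if state.complete else "in progress"
            lines.append(f"{action} key {state.key_id} ({role}): {status}")
        else:
            op = "+".join(state.flags) or "idle"
            lines.append(f"NSEC3 chain {op}: iterations={state.iterations} salt={state.salt_hex}")
    return lines


if __name__ == "__main__":
    zsk_tag = key_tag(dnskey_rdata(*PAGE_DNSKEYS[0]))
    # Constructed records: the ZSK still being used to sign, and an OPTOUT NSEC3
    # chain being created from the NSEC3PARAM "1 1 100 1234567890" shown above.
    sample = [rf"\# 5 07 {zsk_tag:04X} 00 00", r"\# 11 00 01 81 00 64 05 12 34 56 78 90"]
    print("\n".join(signing_report(PAGE_DNSKEYS, sample)))
```
]]></programlisting>
  <para>To feed it real data, query the apex for the private type
  (<command>dig @server example.net TYPE65534</command>) and pass the
  "\# ..." rdata of each answer to <function>signing_report</function>
  together with the zone's DNSKEY RRs; a record whose key id matches no
  DNSKEY, or whose last octet stays zero long after an update, is worth
  investigating before removing any key.</para>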
  <section><info><title>DNSKEY rollovers</title></info>

  </section>
  <para>As with insecure-to-secure conversions, rolling DNSSEC
  keys can be done in two ways: using a dynamic DNS update, or the
  <command>auto-dnssec</command> zone option.</para>
  <section><info><title>Dynamic DNS update method</title></info>

  </section>
  <para>To perform key rollovers via dynamic update, you need to add
  the <filename>K*</filename> files for the new keys so that
  <command>named</command> can find them. You can then add the new
  DNSKEY RRs via dynamic update.
  <command>named</command> will then cause the zone to be signed
  with the new keys. When the signing is complete the private type
  records will be updated so that the last octet is
  nonzero.</para>
  <para>If this is for a KSK you need to inform the parent and any
  trust anchor repositories of the new KSK.</para>
  <para>You should then wait for the maximum TTL in the zone before
  removing the old DNSKEY. If it is a KSK that is being updated,
  you also need to wait for the DS RRset in the parent to be
  updated and its TTL to expire. This ensures that all clients will
  be able to verify at least one signature when you remove the old
  DNSKEY.</para>
  <para>The old DNSKEY can be removed via UPDATE. Take care to
  specify the correct key.
  <command>named</command> will clean out any signatures generated
  by the old key after the update completes.</para>
  <section><info><title>Automatic key rollovers</title></info>

  </section>
  <para>When a new key reaches its activation date (as set by
  <command>dnssec-keygen</command> or <command>dnssec-settime</command>),
  if the <command>auto-dnssec</command> zone option is set to
  <constant>maintain</constant>, <command>named</command> will
  automatically carry out the key rollover. If the key's algorithm
  has not previously been used to sign the zone, then the zone will
  be fully signed as quickly as possible. However, if the new key
  is replacing an existing key of the same algorithm, then the
  zone will be re-signed incrementally, with signatures from the
  old key being replaced with signatures from the new key as their
  signature validity periods expire. By default, this rollover
  completes in 30 days, after which it will be safe to remove the
  old key from the DNSKEY RRset.</para>
  <section><info><title>NSEC3PARAM rollovers via UPDATE</title></info>

  </section>
  <para>Add the new NSEC3PARAM record via dynamic update. When the
  new NSEC3 chain has been generated, the NSEC3PARAM flag field
  will be zero. At this point you can remove the old NSEC3PARAM
  record. The old chain will be removed after the update request
  completes.</para>
  <section><info><title>Converting from NSEC to NSEC3</title></info>

  </section>
  <para>To do this, you just need to add an NSEC3PARAM record. When
  the conversion is complete, the NSEC chain will have been removed
  and the NSEC3PARAM record will have a zero flag field. The NSEC3
  chain will be generated before the NSEC chain is
  destroyed.</para>
  <section><info><title>Converting from NSEC3 to NSEC</title></info>

  </section>
  <para>To do this, use <command>nsupdate</command> to
  remove all NSEC3PARAM records with a zero flag
  field. The NSEC chain will be generated before the NSEC3 chain is
  removed.</para>
  <section><info><title>Converting from secure to insecure</title></info>

  </section>
  <para>To convert a signed zone to unsigned using dynamic DNS,
  delete all the DNSKEY records from the zone apex using
  <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
  and associated NSEC3PARAM records will be removed automatically.
  This will take place after the update request completes.</para>
  <para>This requires the
  <command>dnssec-secure-to-insecure</command> option to be set to
  <userinput>yes</userinput> in
  <filename>named.conf</filename>.</para>
  <para>In addition, if the <command>auto-dnssec maintain</command>
  zone statement is used, it should be removed or changed to
  <constant>allow</constant> instead (or it will re-sign).
  </para>
  <section><info><title>Periodic re-signing</title></info>

  </section>
  <para>In any secure zone which supports dynamic updates, <command>named</command>
  will periodically re-sign RRsets which have not been re-signed as
  a result of some update action. The signature lifetimes will be
  adjusted so as to spread the re-sign load over time rather than
  all at once.</para>
  <section><info><title>NSEC3 and OPTOUT</title></info>

  </section>
  <para>
  <command>named</command> only supports creating new NSEC3 chains
  where all the NSEC3 records in the zone have the same OPTOUT
  state.
  <command>named</command> supports UPDATES to zones where the NSEC3
  records in the chain have mixed OPTOUT state.
  <command>named</command> does not support changing the OPTOUT
  state of an individual NSEC3 record; the entire chain needs to be
  changed if the OPTOUT state of an individual NSEC3 needs to be
  changed.</para>
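  <para>The following is an added example, not part of the BIND documentation
  or of <command>named</command>. Before an NSEC3PARAM rollover, an NSEC3 to
  NSEC conversion, or an OPTOUT change, it reads a zone dump and reports what
  the preceding sections say matters: which NSEC3PARAM records have a zero flag
  field (and so describe a finished chain and may be removed via
  <command>nsupdate</command>), whether a chain is still being built, whether
  the NSEC3 records carry a single OPTOUT state or a mixed one, and whether any
  NSEC3 record belongs to parameters that no finished NSEC3PARAM describes.
  The zone excerpt is constructed; its owner-name hashes are placeholders and
  the NSEC3PARAM with a nonzero flag field stands for a chain whose
  generation is in progress, as described above.</para>
  <programlisting><![CDATA[
```python
from collections import Counter

# Constructed excerpt of a zone dump (e.g. from `dig @ns example.net AXFR`).
# One NSEC3 chain is finished (NSEC3PARAM flags 0; its NSEC3 records carry
# OPTOUT), a second NSEC3PARAM was just submitted and still has a nonzero
# flag field. Owner hashes are placeholders, not real NSEC3 hashes.
ZONE_DUMP = """\
example.net. 3600 IN NSEC3PARAM 1 0 100 1234567890
example.net. 3600 IN NSEC3PARAM 1 129 10 ABCDEF
0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.example.net. 3600 IN NSEC3 1 1 100 1234567890 0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NS SOA RRSIG DNSKEY NSEC3PARAM
0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB.example.net. 3600 IN NSEC3 1 1 100 1234567890 0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A RRSIG
"""


def parse_rrs(text):
    """Yield (owner, type, rdata_fields) for 'owner ttl class type rdata' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, _class, rtype, *rdata = fields
        yield owner, rtype, rdata


def nsec3_params(rdata):
    """(hash algorithm, iterations, salt) shared by NSEC3 and NSEC3PARAM presentation."""
    hash_alg, _flags, iterations, salt = rdata[:4]
    return int(hash_alg), int(iterations), salt.upper()


def nsec3_preflight(text):
    """Summarise the NSEC3 state of a zone before an NSEC3PARAM or OPTOUT change."""
    rrs = list(parse_rrs(text))
    params = []
    for _owner, rtype, rd in rrs:
        if rtype == "NSEC3PARAM":
            flags = int(rd[1])
            params.append({"params": nsec3_params(rd), "flags": flags,
                           # only a zero-flag NSEC3PARAM describes a finished
                           # chain and may be removed by dynamic update
                           "removable": flags == 0})
    live = {p["params"] for p in params if p["removable"]}
    optout = Counter()
    unmatched = []
    for owner, rtype, rd in rrs:
        if rtype == "NSEC3":
            optout["optout" if int(rd[1]) & 1 else "no-optout"] += 1
            if nsec3_params(rd) not in live:
                unmatched.append(owner)
    return {
        "nsec3param": params,
        "chain_in_progress": any(not p["removable"] for p in params),
        "optout_counts": dict(optout),
        # a new chain is only ever built with one OPTOUT state for all
        # records; changing OPTOUT means replacing the whole chain
        "optout_mixed": len(optout) > 1,
        "nsec3_without_live_param": unmatched,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(nsec3_preflight(ZONE_DUMP))
```
]]></programlisting>
  <para>When <function>nsec3_preflight</function> reports a chain in
  progress, wait for the flag field to reach zero before removing the old
  NSEC3PARAM; when it reports mixed OPTOUT state, plan the change as a full
  chain replacement rather than an edit to individual NSEC3 records.</para>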
</section>