dnssec-policy default - where/how to determine what all its settings are?
Al
awsiscorg at sunnyside.com
Thu Jun 6 16:27:39 UTC 2024
Michael,
There are several layers to respond to your question.
(Looking at ISC source code can at times be fairly easy, but sometimes
it's challenging, if for example the author included some private new
undocumented macro system.)
First, the official definitions are at IANA:
https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
Second, in working with BIND and DNSSEC over the years, it is not my
impression that BIND restricts the algorithm number in any way.
I don't think it even knows which types have sub-types, but I could be
wrong about that.
Third, the real list is whatever the TLD is taking these days. There was
a time that one TLD (IIRC .us) didn't take DNSSEC, and some
organizations were refusing until the DS-delete option was more widely
implemented. A complicated landscape. The easiest way I've found is to
go to a large registrar and look at the drop-down options it thinks that
particular TLD will accept. It used to be everyone was advised to move
to 8/2 but now the move is on to 13, but it's not 100% with everyone.
A side note on a complication of choosing an algorithm. BIND s/w
developers have focused more on automatic-everything, so if you don't
want to be involved in choosing anything, BIND will take care of
everything. For those of us that want BIND to maintain re-signing RRs
automatically à la version 9.16 but don't want the expanded automatic
part of redoing KSKs and ZSKs and choosing algorithms, there is
considerable opposition within ISC to adding an option to disable the
new behavior and distinguish between the two functions. While there is
a limited feature to give unlimited lifetime to a key, there is no way
to disable the relatively opaque and subject-to-change decision process
of whether the chosen keys are not appropriate in some way and should be
replaced. Trying to specify different default algorithms and control
that behavior gets difficult, especially for those of us with a large
portfolio of domains and disparate TLDs.
regards
Al
On 6/6/2024 08:46, Andrew Latham wrote:
> Link for the Debian packaged version you mentioned is at
> https://bind9.readthedocs.io/en/v9.18.24/reference.html#namedconf-statement-dnssec-policy
>
>
>
> On Thu, Jun 6, 2024 at 9:31 AM Andrew Latham <lathama at gmail.com> wrote:
>
> I took a quick look
>
> *
> https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
> *
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
>
> On Thu, Jun 6, 2024 at 8:19 AM Michael Paoli via bind-users
> <bind-users at lists.isc.org> wrote:
>
> dnssec-policy default - where/how to determine what all its
> settings are?
> Documentation
> doc/bind9-doc/arm/reference.html#dnssec-policy-default
> https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default
> says:
> A verbose copy of this policy may be found in the source tree,
> in the
> file doc/misc/dnssec-policy.default.conf
> But I'm not finding that in source nor elsewhere.
> There doesn't even seem to be an rndc command that can list
> defined dnssec-policy sets that are in place, nor that
> can list how they're configured. This information should be
> much more
> visible/findable, so ... where is it? I'm sure it must be present
> somewhere in the source, but haven't easily located it by
> searching.
> Shouldn't be necessary to run debugging to track down where
> this is
> and where in the source it comes from. So ... where does one
> find it?
>
> I've been looking at Debian BIND9 packages:
> bind9 1:9.18.24-1
> bind9-doc 1:9.18.24-1
> and also ISC BIND 9.18.24 source and 9.18.27 source and
> documentation.
> --
> - Andrew "lathama" Latham -
>
>
>
> --
> - Andrew "lathama" Latham -
>
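Added example, not part of this thread and not ISC's doc/misc/dnssec-policy.default.conf: a named.conf fragment showing the approach Al describes, pinning the algorithm yourself and using the "lifetime unlimited" option so the keys are never scheduled for a time-based rollover while named still re-signs RRsets. The policy name, zone name and file path are placeholders.

```conf
// Added example (not from the thread or from ISC). Placeholder names and paths.
// Pins algorithm 13 (ECDSAP256SHA256) for both key roles and gives each key an
// unlimited lifetime: named keeps re-signing RRsets on schedule but does not
// schedule time-based KSK/ZSK rollovers for this policy.
dnssec-policy "pinned-ecdsa256" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime unlimited algorithm ecdsa256;
    };
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.zone";
    dnssec-policy "pinned-ecdsa256";
};
```

Validate the syntax with `named-checkconf /etc/bind/named.conf` before reloading. Any dnssec-policy option you do not set here (TTLs, signature validity, safety intervals) still comes from the built-in defaults, so pinning the keys does not make the rest of the policy explicit.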