<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Michael,<br>
There are several layers to respond to your question.<br>
(Looking at ISC source code can at times be fairly easy, but
sometimes it's challenging, if for example the author included some
private new undocumented macro system.)<br>
<br>
First, the official definitions are at IANA:<br>
<a class="moz-txt-link-freetext" href="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml">https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml</a><br>
<a class="moz-txt-link-freetext" href="https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml">https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml</a><br>
<br>
Second, in working with BIND and DNSSEC over the years, it is not my
impression that BIND restricts the algorithm number in any way.<br>
I don't think it even knows which types have sub-types, but I could
be wrong about that.<br>
<br>
Third, the real list is whatever the TLD is taking these days.
There was a time that one TLD (IIRC .us) didn't take DNSSEC, and
some organizations were refusing until the DS-delete option was
more widely implemented. A complicated landscape. The easiest way
I've found is to go to a large registrar and look at the drop-down
options it thinks that particular TLD will accept. It used to be
everyone was advised to move to 8/2 but now the move is on to 13,
but it's not 100% with everyone.<br>
<br>
A side note on a complication of choosing an algorithm. BIND s/w
developers have focused more on automatic-everything, so if you
don't want to be involved in choosing anything, BIND will take care
of everything. For those of us that want BIND to maintain
re-signing RRs automatically à la version 9.16 but don't want the
expanded automatic part of redoing KSKs and ZSKs and choosing
algorithms, there is considerable opposition within ISC to adding an
option to disable the new behavior and distinguish between the two
functions. While there is a limited feature to give unlimited
lifetime to a key, there is no way to disable the relatively opaque
and subject-to-change decision process of whether the chosen keys
are not appropriate in some way and should be replaced. Trying to
specify different default algorithms and control that behavior gets
difficult, especially for those of us with a large portfolio of
domains and disparate TLDs.<br>
<br>
regards<br>
Al<br>
<br>
<div class="moz-cite-prefix">On 6/6/2024 08:46, Andrew Latham wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+qj4S-p0g5qXk4LA2z94VF2znEh_YT22kd-3kb_WNxrDoTWpA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Link for the Debian packaged version you mentioned
is at <a
href="https://bind9.readthedocs.io/en/v9.18.24/reference.html#namedconf-statement-dnssec-policy"
moz-do-not-send="true" class="moz-txt-link-freetext">https://bind9.readthedocs.io/en/v9.18.24/reference.html#namedconf-statement-dnssec-policy</a>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2024 at 9:31 AM
Andrew Latham <<a href="mailto:lathama@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">lathama@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">I took a quick look<br>
<br>
* <a
href="https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf</a><br>
<div>* <a
href="https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf</a></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2024 at
8:19 AM Michael Paoli via bind-users <<a
href="mailto:bind-users@lists.isc.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">dnssec-policy
default - where/how to determine what all its settings
are?<br>
Documentation<br>
doc/bind9-doc/arm/reference.html#dnssec-policy-default<br>
<a
href="https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default</a><br>
says:<br>
A verbose copy of this policy may be found in the source
tree, in the<br>
file doc/misc/dnssec-policy.default.conf<br>
But I'm not finding that in source nor elsewhere.<br>
There doesn't even seem to be an rndc command that can
list<br>
defined dnssec-policy sets that are in place, nor that<br>
can list how they're configured. This information should
be much more<br>
visible/findable, so ... where is it? I'm sure it must be
present<br>
somewhere in the source, but haven't easily located it by
searching.<br>
Shouldn't be necessary to run debugging to track down
where this is<br>
and where in the source it comes from. So ... where does
one find it?<br>
<br>
I've been looking at Debian BIND9 packages:<br>
bind9 1:9.18.24-1<br>
bind9-doc 1:9.18.24-1<br>
and also ISC BIND 9.18.24 source and 9.18.27 source and
documentation.<br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
<span class="gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">- Andrew "lathama" Latham -</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
<span class="gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">- Andrew "lathama" Latham -</div>
</div>
<br>
</blockquote>
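Michael's question was where the default policy's settings live; Al's first and third points are that the authoritative algorithm and digest numbers are the IANA registries and that what actually matters is which DS records the TLD/registrar will accept. The script below is an added example, not code from this thread or from ISC: it takes DNSKEY and DS lines in dig presentation format, maps the numbers to the IANA names, computes the key tag and the SHA-256/SHA-384 DS from each DNSKEY (RFC 4034), checks whether a published DS matches, and flags algorithms that RFC 8624 lists as MUST NOT or NOT RECOMMENDED for signing. The owner name "example." and the key bytes in the sample records are constructed placeholders, not real keys.

```python
"""Cross-check a zone's DNSKEY RRset against published DS records.

Added example (not from the bind-users thread or from ISC code).
Input lines are in dig presentation format; the sample data below
is constructed and the key bytes are placeholders, not real keys.
"""
import base64
import hashlib

# IANA "DNS Security Algorithm Numbers" (assigned, non-reserved entries).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
# IANA "DS RR Digest Types".
DIGESTS = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}
# RFC 8624 "DNSSEC signing" column; anything not listed is MUST/RECOMMENDED/MAY.
SIGNING_DEPRECATED = {1: "MUST NOT", 3: "MUST NOT", 5: "NOT RECOMMENDED",
                      6: "MUST NOT", 7: "NOT RECOMMENDED",
                      10: "NOT RECOMMENDED", 12: "MUST NOT"}
# Digest types this script can compute (hashlib has no GOST R 34.11-94).
HASHES = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSAMD5 variant)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest of owner-name || DNSKEY RDATA, RFC 4034 s5.1.4."""
    return HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest()


def parse_dnskey(line: str):
    """'owner TTL IN DNSKEY flags proto alg b64...' -> (owner, flags, proto, alg, key)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))


def parse_ds(line: str):
    """'owner TTL IN DS tag alg digesttype hex...' -> (tag, alg, digest_type, hex)."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower()


def check_zone(dnskey_lines, ds_lines):
    """Per DNSKEY: tag, algorithm name, SEP bit, RFC 8624 status, matching DS digest types."""
    published = {parse_ds(l) for l in ds_lines}
    report = []
    for line in dnskey_lines:
        owner, flags, proto, alg, key = parse_dnskey(line)
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        matched = [(d, DIGESTS[d]) for d in HASHES
                   if (tag, alg, d, ds_digest(owner, rdata, d)) in published]
        report.append({
            "tag": tag,
            "algorithm": ALGORITHMS.get(alg, f"unassigned({alg})"),
            "is_sep": bool(flags & 1),  # bit 15 of the flags field = SEP (KSK)
            "signing": SIGNING_DEPRECATED.get(alg, "ok"),
            "ds_matched": matched,
        })
    return report


# Constructed sample data: placeholder key bytes, hypothetical owner "example.".
SAMPLE_OWNER = "example."
SAMPLE_KEY = bytes(range(64))  # 64 placeholder bytes standing in for an ECDSA P-256 x||y
SAMPLE_DNSKEY = f"{SAMPLE_OWNER} 3600 IN DNSKEY 257 3 13 {base64.b64encode(SAMPLE_KEY).decode()}"
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY)
SAMPLE_DS = f"{SAMPLE_OWNER} 3600 IN DS {key_tag(SAMPLE_RDATA)} 13 2 {ds_digest(SAMPLE_OWNER, SAMPLE_RDATA, 2)}"
SAMPLE_LEGACY_DNSKEY = (f"{SAMPLE_OWNER} 3600 IN DNSKEY 257 3 7 "
                        + base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(128))).decode())

if __name__ == "__main__":
    for entry in check_zone([SAMPLE_DNSKEY, SAMPLE_LEGACY_DNSKEY], [SAMPLE_DS]):
        print(entry)
```

Feed it `dig +short DNSKEY zone` and `dig +short DS zone` output (with the owner/TTL/class columns present, as `dig` without `+short` prints them) to see whether the DS the parent actually serves corresponds to a key in the child and which digest type the parent accepted; an algorithm 5/7 key will show up with its RFC 8624 status so it can be scheduled for rollover.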
<br>
</body>
</html>