Hi Philippe,

On 4/7/20 3:46 PM, Philippe Maechler wrote:
> Hello bind users
>
>> The answer is almost, as long as the zone has a DNSSEC policy configured:
>>
>> zone "newdomain.de" {
>>     type master;
>>     file "../master/newdomain.de";
>>     dnssec-policy default;
>> };
>>
>> The only thing not yet fully automated is submitting the DS to the
>> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
>> the zone.
>
> So you're saying that, with a DNSSEC policy configured, bind is creating CDS
> records for me? If so, then when my registrar is supporting those records
> (switch.ch), this zone is fully automated in regards of DNSSEC?
> Is the creation of CDS records a config option or on by default?

Yes, that is right. The creation of CDS and CDNSKEY records always happens and cannot be turned off with an option.

> What about going from secure to insecure? Is this possible with dnssec policy
> or do I then have to put the relevant CDS records in the zone by hand?

This is not possible yet with dnssec-policy. I suggest that you put the deletion CDS record in the zone, set dnssec-policy to none, and dnssec-signzone your zone temporarily.

Best regards,

Matthijs

>
> Best regards
> Philippe
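The reply above distinguishes the CDS/CDNSKEY records that named publishes automatically from the deletion CDS record used to go insecure. As an added example (not part of the thread and not BIND code), this Python function classifies each CDS/CDNSKEY RRset in `dig`-style output as publish, delete, or invalid per RFC 8078. The zone names and record values are constructed, and it assumes one record per line with an explicit owner name.

```python
# Added example; zone names and record values are constructed.
# Assumes one record per line with an explicit owner name, as in
# `dig +noall +answer` output (no multi-line parenthesised records).

# RFC 8078 section 4 delete sentinels: algorithm 0, one zero octet of data.
DELETE_RDATA = {"CDS": ("0", "0", "0", "00"), "CDNSKEY": ("0", "3", "0", "AA==")}

def parse_records(text):
    """Yield (owner, rrtype, rdata) for each CDS/CDNSKEY line."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip comments, tokenize
        for i, tok in enumerate(fields[1:], start=1):
            if tok.upper() == "RRSIG":           # signature covering CDS: skip
                break
            if tok.upper() in DELETE_RDATA:
                rest = fields[i + 1:]
                # long digests/keys may be split by spaces: rejoin them
                rdata = tuple(rest[:3]) + ("".join(rest[3:]),)
                yield fields[0].lower(), tok.upper(), rdata
                break

def classify(text):
    """Map (owner, rrtype) -> 'publish', 'delete' or 'invalid'."""
    rrsets = {}
    for owner, rrtype, rdata in parse_records(text):
        rrsets.setdefault((owner, rrtype), []).append(rdata)
    verdicts = {}
    for (owner, rrtype), rdatas in rrsets.items():
        if DELETE_RDATA[rrtype] not in rdatas:
            verdicts[(owner, rrtype)] = "publish"   # parent should install DS
        elif len(rdatas) == 1:
            verdicts[(owner, rrtype)] = "delete"    # parent should remove DS
        else:
            # RFC 8078: a delete RRset must contain exactly one RR
            verdicts[(owner, rrtype)] = "invalid"
    return verdicts

SAMPLE = f"""\
secure.example.  3600 IN CDS 12345 13 2 {'AB' * 16} {'CD' * 16}
secure.example.  3600 IN RRSIG CDS 13 2 3600 20200501000000 20200401000000 12345 secure.example. c2ln
leaving.example. 3600 IN CDS 0 0 0 00
leaving.example. 3600 IN CDNSKEY 0 3 0 AA==
broken.example.  3600 IN CDS 0 0 0 00
broken.example.  3600 IN CDS 12345 13 2 {'AB' * 32}
"""

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE).items():
        print(key, verdict)
```

Running a check like this against the signed zone before the parent scans it catches a deletion record that was left alongside regular CDS records.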