Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

Wed, 26 Oct 2022 01:20:32 -0700 

Thanks for this. It probably should be removed from the docs at this point.
When introducing dnssec-policy, my goal was to reduce the dozens of DNSSEC related configuration options that are scattered throughout named.conf and contain them in one stanza. But some options are more difficult to be replaced than others. 

On 24-10-2022 18:16, PGNet Dev wrote:

i've read this comment


'inline-signing' might go away and be replaced by dnssec-policy


now a few times, in posts and in docs

currently, WITH 'dnssec-policy' signing enabled & in-use, i've

     zone "example.com" IN {
         type master; file "namedb/primary/example.com.zone";
         dnssec-policy "test";
         inline-signing yes;
         ...
the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing.  e.g., with the config above 

     cd namedb/primary/
     ls -1 *example*
        example.com.zone          <==== THIS is the original, unsigned zone data 
         example.com.zone.jbk
         example.com.zone.jnl
        example.com.zone.signed   <==== THIS is the signing-generated zone data, which gets propagated 
         example.com.zone.signed.jnl
without it, the original "example.com.zone" is overwritten with signed data.
is there already config in, or planned for, 'dnssec-policy' that preserves that separate-file functionality, preserving the original?
There are two ways of DNSSEC maintenance in BIND. One is the inline-signing approach, that preserves the original zone file. The other is to apply the changes directly to the zone (and zone file) and requires the zone to allow dynamic updates.
Since the latest release dnssec-policy requires either inline-signing to be set to yes, or allow dynamic updates.
I am thinking of adding inline-signing to dnssec-policy, do you think that would that be useful? 

Best regards,

Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to