Thanks for this. It probably should be removed from the docs at this point.
When introducing dnssec-policy, my goal was to reduce the dozens of
DNSSEC-related configuration options that are scattered throughout
named.conf and contain them in one stanza. But some options are more
difficult to replace than others.
On 24-10-2022 18:16, PGNet Dev wrote:
i've read this comment
'inline-signing' might go away and be replaced by dnssec-policy
now a few times, in posts and in docs
currently, WITH 'dnssec-policy' signing enabled & in-use, i've
    zone "example.com" IN {
        type master; file "namedb/primary/example.com.zone";
        dnssec-policy "test";
        inline-signing yes;
        ...
the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in
order to _not_ overwrite original zone files/data on signing. e.g.,
with the config above
    cd namedb/primary/
    ls -1 *example*
        example.com.zone             <==== THIS is the original, unsigned zone data
        example.com.zone.jbk
        example.com.zone.jnl
        example.com.zone.signed      <==== THIS is the signing-generated zone data, which gets propagated
        example.com.zone.signed.jnl
without it, the original "example.com.zone" is overwritten with signed
data.
is there already config in, or planned for, 'dnssec-policy' that
preserves that separate-file functionality, preserving the original?
There are two ways of DNSSEC maintenance in BIND. One is the
inline-signing approach, that preserves the original zone file. The
other is to apply the changes directly to the zone (and zone file) and
requires the zone to allow dynamic updates.
Since the latest release, dnssec-policy requires either inline-signing to
be set to yes, or the zone to allow dynamic updates.
I am thinking of adding inline-signing to dnssec-policy, do you think
that would be useful?
Best regards,
Matthijs
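
The two maintenance modes described in the reply above can be checked per zone before a reload. The following is an added example, not code from the original thread or from BIND: it classifies each zone stanza as inline-signed, dynamically updated, or neither. Assumptions: only zone-level statements are inspected (nothing inherited from options or view), dynamic updates are recognised by an `update-policy` statement or an `allow-update` list other than `none`, and the sample configuration, the function names and the label "neither" are constructed for illustration.

```python
import re

# Constructed sample named.conf text (not from the original post).
SAMPLE_CONF = '''
zone "inline.example" IN {
    type master; file "inline.example.zone"; dnssec-policy "test"; inline-signing yes;
};
zone "dynamic.example" {
    type master; file "dynamic.example.zone"; dnssec-policy "test"; update-policy local;
};
zone "neither.example" {
    type master; file "neither.example.zone"; dnssec-policy "test";
    allow-update { none; };   // an ACL of "none" does not enable dynamic updates
};
zone "unsigned.example" { type master; file "unsigned.example.zone"; };
'''

def zone_bodies(conf):
    """Yield (zone_name, body_text) for each zone stanza, using brace matching."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)  # drop comments
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def signing_mode(body):
    """Classify one zone body as 'unsigned', 'inline', 'dynamic' or 'neither'."""
    policy = re.search(r'\bdnssec-policy\s+"?([^";\s]+)', body)
    if not policy or policy.group(1) == 'none':
        return 'unsigned'
    if re.search(r'\binline-signing\s+(yes|true|1)\s*;', body):
        return 'inline'   # original zone file is preserved, signed copy kept separately
    acl = re.search(r'\ballow-update\s*\{([^}]*)\}', body)
    open_acl = acl is not None and acl.group(1).strip(' ;\n\t') not in ('', 'none')
    if re.search(r'\bupdate-policy\b', body) or open_acl:
        return 'dynamic'  # changes are applied directly to the zone and its file
    return 'neither'      # meets neither condition named in the reply

def audit(conf):
    """Map every zone name found in the config text to its signing mode."""
    return {name: signing_mode(body) for name, body in zone_bodies(conf)}

if __name__ == '__main__':
    for name, mode in audit(SAMPLE_CONF).items():
        print(f'{name:24} {mode}')
```

Zones reported as "neither" are the ones to review before upgrading; zones reported as "dynamic" are the ones where the on-disk zone file will not stay in its original, unsigned form.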