On 24-10-2022 20:43, Richard T.A. Neal wrote:
Jan-Piet Mens wrote:
A Beginner's Guide to DNSSEC with BIND 9.
Well done! A few comments, if I may:
{snip}
Thanks JP, I really appreciate the feedback. I'll take all of that onboard,
change my zones and guide from master/slave to primary/secondary, and take a
look at TSIG as well.
As PGNet Dev said, I would also be interested to hear more about "inline-signing
might go away". In fact when creating my first DNSSEC zone I initially *did not*
include this statement in the zone file, but this caused named to fail to start and it
threw the following error:
'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for
the zone
Like PGNet Dev I would also prefer to continue to hand-edit my zone files for
the time being (rather than using a tool such as nsupdate) so I'm interested to
hear if this will still be supported or what the roadmap is for deprecating the
ability to hand-edit these files for DNSSEC-enabled zones.
The inline-signing feature will not go away.
When introducing dnssec-policy, my goal was to reduce the dozens of
DNSSEC related configuration options, but despite what I thought earlier
when I started to work on this, the inline-signing options is still needed.
Best regards,
Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
