There are separate cases to consider.

The docs

  https://bind9.readthedocs.io/en/latest/reference.html#dnssec-policy-block-definition-and-usage

state:

    The dnssec-policy statement requires dynamic DNS to be set up, or
    inline-signing to be enabled.

    If inline-signing is enabled, this means that a signed version of the
    zone is maintained separately and is written out to a different file
    on disk (the zone’s filename plus a .signed extension).

    If the zone is dynamic because it is configured with an update-policy
    or allow-update, the DNSSEC records are written to the filename set in
    the original zone’s file, unless inline-signing is explicitly set.

-------- Original Message --------
From: Jan-Piet Mens via bind-users [mailto:bind-users@lists.isc.org]
Sent: Wednesday, October 26, 2022 at 3:41 PM EDT
To: bind-users@lists.isc.org
Subject: 'inline-signing' might go away and be replaced by dnssec-policy ?

Retried my named.conf with BIND 9.19.7-dev (Development Release) <id:e004ca4>
which reports:

     26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'. See https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

If I add an allow-update{} or inline-signing{} stanza, the server starts and
neither combination overwrites the primary zone file.

     -JP

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
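
The three cases discussed in this thread, as an added named.conf sketch that is not part of either message or of the ISC documentation. Zone names, file names, the built-in "default" policy and the use of `update-policy local` are assumptions chosen for illustration.

```conf
// Constructed example; zone names and file names are placeholders.

// Case 1: static zone signed inline. Per the docs quoted above, the signed
// version is kept separately and written to "example.com.db.signed";
// "example.com.db" stays as the administrator wrote it.
zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy default;
    inline-signing yes;
};

// Case 2: dynamic zone (update-policy or allow-update) with no
// inline-signing statement. Per the docs quoted above, the DNSSEC records
// are written to the file named in the zone's own "file" statement.
zone "example.net" {
    type primary;
    file "example.net.db";
    dnssec-policy default;
    update-policy local;
};

// Case 3: dnssec-policy with neither inline-signing nor a dynamic-update
// statement. This is the form the 9.19.7-dev log line above refuses to load.
// Left commented out so the file as a whole still loads.
// zone "example.org" {
//     type primary;
//     file "example.org.db";
//     dnssec-policy default;
// };
```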

