Re: DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

2023-07-24 Thread Matthijs Mekking



On 7/24/23 20:14, E R wrote:
> As if DNSSec is not confusing enough...It seems the ARM manual that 
> matches my release is out of step with the web site.  I followed the 
> "Easy-Start Guide for Signing Authoritative Zones" in the ARM manual 
> after manually signing my test zone for my starting point.  The ARM says 
> you ONLY need to specify "dnssec-policy default;" in your zone, view or 
> options clause for the newer way to sign things.  I completed the steps 
> successfully (except for one command that no longer works as shown in 
> the manual, which is not important).  I cannot find anything broken 
> with BIND 9.16.23-RH (Extended Support Version) when I follow the ARM 
> manual.
> 
> This document https://kb.isc.org/docs/dnssec-key-and-signing-policy 
> says I need to have a dynamic zone for things to work.  Don't need or 
> design anything other than a good ole static zone since an entry is 
> changed like 3-4 times per year.  The newest ARM has a new section that 
> mentions needing to set up Dynamic DNS but it also states that BIND 
> previously used implicit inline-signing.  It is really difficult for a 
> casual observer to sort this out.  No reference to what they mean by 
> "previously".

It says in the blue box dynamic zones required **or** inline-signing 
enabled.

> Did they break builds newer than 9.16.23 and that is why I am not seeing 
> any issues?  Or is it the fact that I am not a DNSSEC expert that I am 
> not seeing a glaring issue?


This has been true since 9.16.33.

Best regards,

Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
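As an added example (not from the thread or from ISC's documentation), the named.conf fragment below shows the two zone shapes Matthijs's reply describes: a hand-edited static zone, which needs inline-signing alongside dnssec-policy, and a dynamic zone, which does not. Zone names and file paths are placeholders.

```conf
// Added example; zone names and file paths are placeholders.
options {
    directory "/var/named";
};

// Static zone: the zone file is edited by hand a few times a year, so it
// is not a dynamic zone. With dnssec-policy alone, named 9.16.33 and later
// (per the thread) refuses to load it. inline-signing yes makes named
// leave the unsigned file untouched and maintain a separate signed copy
// (file name with ".signed" appended) that it serves and re-signs itself.
zone "example.test" {
    type primary;
    file "example.test.db";
    dnssec-policy default;
    inline-signing yes;
};

// Alternative: make the zone dynamic instead. inline-signing is then not
// required, but named rewrites the zone file itself, so edits must go
// through nsupdate (or rndc freeze / thaw) rather than a text editor.
zone "example2.test" {
    type primary;
    file "example2.test.db";
    dnssec-policy default;
    update-policy local;
};
```

Validate the file with `named-checkconf` before reloading, and confirm signing has started with `rndc dnssec -status example.test`.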


Re: DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

2023-07-24 Thread Ondřej Surý
Well, you didn't say which version of the ARM you followed. Your ARM needs to 
match the BIND 9 version; you need to ask RH for the matching ARM.

And of course, if you find discrepancies between the BIND 9 version as provided 
by ISC and matching ARM as provided by ISC, we would be happy to fix it.

And I need to mention that ISC provides packages for RHEL and generally 
recommends that users use the latest upstream version of BIND 9.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 24. 7. 2023, at 20:15, E R  wrote:
> 
> 
> As if DNSSec is not confusing enough...It seems the ARM manual that matches 
> my release is out of step with the web site.  I followed the "Easy-Start 
> Guide for Signing Authoritative Zones" in the ARM manual after manually 
> signing my test zone for my starting point.  The ARM says you ONLY need to 
> specify "dnssec-policy default;" in your zone, view or options clause for the 
> newer way to sign things.  I completed the steps successfully (except for one 
> command that no longer works as shown in the manual which is not important).  
> I cannot find anything broken with BIND 9.16.23-RH (Extended Support Version) 
> when I follow the ARM manual.
> 
> This document https://kb.isc.org/docs/dnssec-key-and-signing-policy says I 
> need to have a dynamic zone for things to work.  Don't need or design anything 
> other than a good ole static zone since an entry is changed like 3-4 times 
> per year.  The newest ARM has a new section that mentions needing to set up 
> Dynamic DNS but it also states that BIND previously used implicit 
> inline-signing.  It is really difficult for a casual observer to sort this 
> out.  No reference to what they mean by "previously".  
> 
> Did they break builds newer than 9.16.23 and that is why I am not seeing any 
> issues?  Or is it the fact that I am not a DNSSEC expert that I am not seeing a 
> glaring issue?


DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

2023-07-24 Thread E R
As if DNSSec is not confusing enough...It seems the ARM manual that matches
my release is out of step with the web site.  I followed the "Easy-Start
Guide for Signing Authoritative Zones" in the ARM manual after manually
signing my test zone for my starting point.  The ARM says you ONLY need to
specify "dnssec-policy default;" in your zone, view or options clause for
the newer way to sign things.  I completed the steps successfully (except
for one command that no longer works as shown in the manual, which is not
important).  I cannot find anything broken with BIND 9.16.23-RH (Extended
Support Version) when I follow the ARM manual.

This document https://kb.isc.org/docs/dnssec-key-and-signing-policy says I
need to have a dynamic zone for things to work.  Don't need or design
anything other than a good ole static zone since an entry is changed like
3-4 times per year.  The newest ARM has a new section that mentions needing
to set up Dynamic DNS but it also states that BIND previously used implicit
inline-signing.  It is really difficult for a casual observer to sort this
out.  No reference to what they mean by "previously".

Did they break builds newer than 9.16.23 and that is why I am not seeing
any issues?  Or is it the fact that I am not a DNSSEC expert that I am not
seeing a glaring issue?