Since the latest release dnssec-policy requires either inline-signing
to be set to yes, or allow dynamic updates.
I am thinking of adding inline-signing to dnssec-policy, do you think
that would be useful?
Matthijs,
Yes, from my point of view, that would surely be useful. I would
named.conf and contain them in one stanza. But some options are more
difficult to be replaced than others.
On 24-10-2022 18:16, PGNet Dev wrote:
i've read this comment
'inline-signing' might go away and be replaced by dnssec-policy
now a few times, in posts and in docs
currently, WITH 'dnssec
' might go away and be replaced by dnssec-policy ?
Retried my named.conf with BIND 9.19.7-dev (Development Release)
which reports:
26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing
yes;' must also be configured explicitly for zones using dnssec-policy without
a configured 'allow-update' or 'update-policy'. See
sry, fat thumbed copying my reply into email :-/
should have been wrapped in niceties, including "hmm, I can here with 9.18.8
ls -1 keys/dnssec/example.com/
(empty)
ls -1 namedb/primary/example.com*
namedb/primary/example.com.zone   <== ORIGINAL, unsigned zone file
cat etc/named.conf
...
zone "example.com" IN {
type master; file "namedb/primary/example.com.zone";
the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to
_not_ overwrite original zone files/data on signing.
I cannot confirm that (9.17.22):
% ls -1
example.aa
named.conf
% cat named.conf
options {
directory ".";
listen-on port 5301 { 127.0.0.2; };
There are two ways of DNSSEC maintenance in BIND. One is the inline-signing
approach, that preserves the original zone file. The other is to apply the
changes directly to the zone (and zone file) and requires the zone to allow
dynamic updates.
Since the latest release dnssec-policy requires
configuration options that are scattered throughout
named.conf and contain them in one stanza. But some options are more
difficult to be replaced than others.
On 24-10-2022 18:16, PGNet Dev wrote:
i've read this comment
'inline-signing' might go away and be replaced by dnssec-policy
now a few times, in posts and in docs
currently, WITH 'dnssec-policy' signing enabled & in-use, i've
zone "example.com" IN {
type master; file "namedb/prima