Non-disruptive migration to dnssec-policy possible?

Mark Andrews marka at isc.org
Thu Mar 26 22:00:53 UTC 2020


dnssec-policy should be independent of inline-signing.  If it isn’t then it is a bug.

It's just that people like editing master files rather than using nsupdate to make changes.

> On 27 Mar 2020, at 08:02, Shumon Huque <shuque at gmail.com> wrote:
> 
> On Thu, Mar 26, 2020 at 3:35 PM Håkan Lindqvist via bind-users <bind-users at lists.isc.org> wrote:
> 
> A related thing that I've noticed in my tests is that "dnssec-policy x" 
> seems to also imply "inline-signing yes"?
> Is this intended as a strict requirement, it seems a little awkward?
> 
> I'm sure ISC colleagues will elucidate more, but it sounds to me like a new interpretation of "inline-signing", i.e. the dnssec-policy feature takes an unsigned local zone file as input, and generates and maintains a new signed file ("origfile.signed"). UPDATEs continue to go to the orig file and ("inline?") signed deltas go into the signed file (well journal first and synced later). It would probably be helpful to have the mechanics of this new feature written up in detail somewhere so that operators know what is actually going on.
> 
> Shumon Huque

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org


