'inline-signing' might go away and be replaced by dnssec-policy ?
Tom
lists at verreckte-cheib.ch
Wed Nov 9 13:20:58 UTC 2022
On 10/26/22 13:13, Tom wrote:
>
>
> On 10/26/22 10:19, Matthijs Mekking wrote:
>> Thanks for this. It probably should be removed from the docs at this
>> point.
>>
>> When introducing dnssec-policy, my goal was to reduce the dozens of
>> DNSSEC related configuration options that are scattered throughout
>> named.conf and contain them in one stanza. But some options are more
>> difficult to be replaced than others.
>>
>> On 24-10-2022 18:16, PGNet Dev wrote:
>>> i've read this comment
>>>
>>>> 'inline-signing' might go away and be replaced by dnssec-policy
>>>
>>> now a few times, in posts and in docs
>>>
>>> currently, WITH 'dnssec-policy' signing enabled & in-use, i've
>>>
>>> zone "example.com" IN {
>>> type master; file "namedb/primary/example.com.zone";
>>> dnssec-policy "test";
>>> inline-signing yes;
>>> ...
>>>
>>> the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in
>>> order to _not_ overwrite original zone files/data on signing. e.g.,
>>> with the config above
>>>
>>> cd namedb/primary/
>>> ls -1 *example*
>>> example.com.zone <==== THIS is the original,
>>> unsigned zone data
>>> example.com.zone.jbk
>>> example.com.zone.jnl
>>> example.com.zone.signed <==== THIS is the
>>> signing-generated zone data, which gets propagated
>>> example.com.zone.signed.jnl
>>>
>>> without it, the original "example.com.zone" is overwritten with
>>> signed data.
>>>
>>> is there already config in, or planned for, 'dnssec-policy' that
>>> preserves that separate-file functionality, preserving the original?
>>
>> There are two ways of DNSSEC maintenance in BIND. One is the
>> inline-signing approach, that preserves the original zone file. The
>> other is to apply the changes directly to the zone (and zone file) and
>> requires the zone to allow dynamic updates.
>>
>> Since the latest release dnssec-policy requires either inline-signing
>> to be set to yes, or allow dynamic updates.
>>
>> I am thinking of adding inline-signing to dnssec-policy, do you think
>> that would that be useful?
>
> Matthijs,
>
> Yes, from my point of view, that would surely be useful. I would very
> much welcome a configuration option within the dnssec-policy-statement,
> to globally enable inline-signing for all dnssec-signed zones.
Matthijs, regarding your question about "adding inline-signing to
dnssec-policy": Is this something you'll be implementing in the near future?
>
>>
>> Best regards,
>>
>> Matthijs
More information about the bind-users
mailing list