Deprecating auto-dnssec and inline-signing in 9.18+
Matthijs Mekking
matthijs at isc.org
Mon Nov 14 09:47:03 UTC 2022
FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+.
We might deprecate 'inline-signing' too in 9.18, but only if we have
implemented the replacement code to configure it inside 'dnssec-policy'
in time.
After last year's discussion on this mailing list I initially wanted to
make creating keys inside the HSM work with dnssec-policy. But the
OpenSSL PKCS#11 engine has no capability to do so. Now that we are
transitioning to OpenSSL 3.0 and the engine API is being replaced with
the provider API, this task has become even more challenging.
But since there is functional parity between 'dnssec-policy' and
'auto-dnssec', we decided that it is acceptable to deprecate the legacy
style of DNSSEC maintenance.
You can configure dnssec-policy to do no key rollover (and do key
maintenance/rotation in a different way) as follows:
dnssec-policy "no-auto-rotate" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};
Best regards,
Matthijs
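For reference, the migration the deprecation implies, as an added example rather than configuration taken from the message above: a legacy zone stanza using the deprecated options next to its dnssec-policy equivalent that keeps the same no-rollover behaviour. The zone name, zone file and key-directory paths are assumptions.

```conf
# Added example, not from the original message. Zone name and paths are
# assumptions. The two zone stanzas are "before" and "after" alternatives;
# only one of them belongs in a real named.conf.

# Legacy style (deprecated in 9.18): keys are created by hand with
# dnssec-keygen in key-directory, and named signs according to the
# timing metadata stored in the key files.
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    key-directory "/var/named/keys";
    auto-dnssec maintain;
    inline-signing yes;
};

# dnssec-policy equivalent: unlimited lifetimes mean named keeps the zone
# signed but never schedules a KSK or ZSK rollover, so rotation stays a
# manual task, as in the legacy setup.
dnssec-policy "no-auto-rotate" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    key-directory "/var/named/keys";
    dnssec-policy "no-auto-rotate";
    inline-signing yes;
};
```

Keys already present in key-directory whose algorithm matches the policy are adopted; if none are found, named generates them. Run named-checkconf on the result before reloading.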
On 10-08-2021 10:02, Matthijs Mekking wrote:
> Hi users,
>
> We are planning to deprecate the options 'auto-dnssec' and
> 'inline-signing' in BIND 9.18. The reason for this is that
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
>
> Deprecating means that you can still use the options in 9.18, but a
> warning will be logged and it is very likely that the options will be
> removed in BIND 9.20.
>
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
>
> Do you have reasons for keeping 'inline-signing' or 'auto-dnssec'
> configurations? Is there a use case that is not (yet) covered by
> 'dnssec-policy'? Any other concerns? Please let us know.
>
> Best regards,
>
> Matthijs