'inline-signing' might go away and be replaced by dnssec-policy ?
Mark Elkins
mje at posix.co.za
Wed Oct 26 11:24:11 UTC 2022
Yes - I think "automated" in-line signing would be useful in
"dnssec-policy" run zones.
We didn't need this some versions of BIND ago ( I had to add it recently
on a zone that I've been testing with - untouched from a year or so ago)
We don't generally edit the signed zone - just the unsigned zone (at
least that is how this zone is modified!)
On 2022/10/26 10:19, Matthijs Mekking wrote:
> Thanks for this. It probably should be removed from the docs at this
> point.
>
> When introducing dnssec-policy, my goal was to reduce the dozens of
> DNSSEC related configuration options that are scattered throughout
> named.conf and contain them in one stanza. But some options are more
> difficult to be replaced than others.
>
> On 24-10-2022 18:16, PGNet Dev wrote:
>> i've read this comment
>>
>>> 'inline-signing' might go away and be replaced by dnssec-policy
>>
>> now a few times, in posts and in docs
>>
>> currently, WITH 'dnssec-policy' signing enabled & in-use, i've
>>
>> zone "example.com" IN {
>> type master; file "namedb/primary/example.com.zone";
>> dnssec-policy "test";
>> inline-signing yes;
>> ...
>>
>> the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in
>> order to _not_ overwrite original zone files/data on signing. e.g.,
>> with the config above
>>
>> cd namedb/primary/
>> ls -1 *example*
>> example.com.zone <==== THIS is the original,
>> unsigned zone data
>> example.com.zone.jbk
>> example.com.zone.jnl
>> example.com.zone.signed <==== THIS is the
>> signing-generated zone data, which gets propagated
>> example.com.zone.signed.jnl
>>
>> without it, the original "example.com.zone" is overwritten with
>> signed data.
>>
>> is there already config in, or planned for, 'dnssec-policy' that
>> preserves that separate-file functionality, preserving the original?
>
> There are two ways of DNSSEC maintenance in BIND. One is the
> inline-signing approach, that preserves the original zone file. The
> other is to apply the changes directly to the zone (and zone file) and
> requires the zone to allow dynamic updates.
>
> Since the latest release dnssec-policy requires either inline-signing
> to be set to yes, or allow dynamic updates.
>
> I am thinking of adding inline-signing to dnssec-policy, do you think
> that would that be useful?
>
> Best regards,
>
> Matthijs
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
<https://ftth.posix.co.za>
Posix SystemsVCARD for MJ Elkins
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221026/0be91287/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: abessive_logo.jpg
Type: image/jpeg
Size: 6410 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221026/0be91287/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: QR-MJElkins.png
Type: image/png
Size: 2163 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221026/0be91287/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB6FA15470B82C101.asc
Type: application/pgp-keys
Size: 627 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221026/0be91287/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221026/0be91287/attachment.sig>
More information about the bind-users
mailing list