'inline-signing' might go away and be replaced by dnssec-policy ?
PGNet Dev
pgnet.dev at gmail.com
Wed Oct 26 17:55:13 UTC 2022
ls -1 keys/dnssec/example.com/
(empty)
ls -1 namedb/primary/example.com*
namedb/primary/example.com.zone <====== ORIGINAL, unsigned zone file
cat etc/named.conf
...
zone "example.com" IN {
type master; file "namedb/primary/example.com.zone";
dnssec-policy "test";
key-directory "keys/dnssec/example.com";
update-policy {
grant local-ddns zonesub any;
grant test-key zonesub txt;
};
};
...
rndc reload
ls -al keys/dnssec/example.com/
keys/dnssec/example.com/Kexample.com.+013+22094.key
keys/dnssec/example.com/Kexample.com.+013+22094.private
keys/dnssec/example.com/Kexample.com.+013+22094.state
keys/dnssec/example.com/Kexample.com.+013+51905.key
keys/dnssec/example.com/Kexample.com.+013+51905.private
keys/dnssec/example.com/Kexample.com.+013+51905.state
ls -1 namedb/primary/example.com*
namedb/primary/example.com.zone <====== OVERWRITTEN, *signed* zone file
namedb/primary/example.com.zone.jnl
More information about the bind-users
mailing list