Problem upgrading to 9.18 - important feature being removed

Matthijs Mekking matthijs at isc.org
Mon Mar 4 14:05:33 UTC 2024



On 3/1/24 12:23, G.W. Haywood wrote:
> Hi there,
> 
> On Fri, 1 Mar 2024, Ondřej Surý wrote:
>> On 26. 2. 2024, at 22:41, Al Whaley wrote:
>>
>> > A lot of pain and suffering in this world comes from people being
>> > sure they have a 'better idea' and everybody needs to do whatever.
>> > This feels a bit like that. ...
>>
>> ... ultimately, the developers working on BIND 9 are just a few
>> people and it's absolutely reasonable to remove rarely used features
>> - especially if there's a replacement ...
>>
>> For every decision we make, be it adding a new feature or removing
>> an old feature, we do carefully consider the implications ...
> 
> And in this case I think it would be unfair to the developers not to
> mention that more than two years ago, before actually implementing
> this change, the developers did ask for comment and there was debate.
> If the OP took part in that debate I missed it.

See here for the FYI: 
https://lists.isc.org/mailman/htdig/bind-users/2022-November/106948.html

In short, we said we would go forward with the deprecation, even though key 
creation in HSMs was not yet supported (it will be in 9.20, already 
merged in our development release).

There is functional parity, everything you do with auto-dnssec can also 
be done with dnssec-policy. If you don't want to do automatic key 
rollovers, use 'lifetime unlimited' on keys.

There is a section on manual key rollover in our kb article: 
https://kb.isc.org/docs/dnssec-key-and-signing-policy

- Matthijs



> 
> 8<----------------------------------------------------------------------
> Date: Tue, 10 Aug 2021 10:02:59 +0200
> From: Matthijs Mekking <matthijs at isc.org>
> To: bind-users at lists.isc.org
> Subject: Deprecating auto-dnssec and inline-signing in 9.18+
> Message-ID: <b69d059d-3657-0b68-cb69-766d87a1dec3 at isc.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hi users,
> 
> We are planning to deprecate the options 'auto-dnssec' and 
> 'inline-signing' in BIND 9.18. The reason for this is because 
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
> 
> Deprecating means that you can still use the options in 9.18, but a 
> warning will be logged and it is very likely that the options will be 
> removed in BIND 9.20.
> 
> We would like to encourage you to change your configurations to 
> 'dnssec-policy'. See this KB article for migration help:
> 
>       https://kb.isc.org/docs/dnssec-key-and-signing-policy
> 
> Do you have reasons for keeping 'inline-signing' or 'auto-dnssec' 
> configurations? Is there a use case that is not (yet) covered by 
> 'dnssec-policy'? Any other concerns? Please let us know.
> 8<----------------------------------------------------------------------
> 
> To try to make this more positive, maybe the lesson here is that if
> you're using BIND other than because it happened to come with your
> distro, then it's probably a good idea to keep an eye on this list to
> monitor the plans for development.  If it says that in the ARM, which
> IMO it probably should, I missed that too.
> 
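
The migration described in this message, sketched as a named.conf fragment; this is an added example, not configuration from the post or from ISC. The zone name, file name, key directory, policy name and algorithm are assumptions, and the algorithm in the policy has to match the keys already on disk so that named adopts them instead of introducing new ones.

```conf
# Before: signing driven by auto-dnssec (deprecated in 9.18).
#
# zone "example.com" {
#     type primary;
#     file "example.com.db";
#     key-directory "keys";
#     auto-dnssec maintain;
#     inline-signing yes;
# };

# After: the same zone under dnssec-policy, with automatic
# rollovers switched off through 'lifetime unlimited'.
dnssec-policy "manual-rollover" {          # policy name is an assumption
    keys {
        # Algorithm is an assumption; set it to the algorithm of the
        # existing KSK and ZSK in the key directory.
        ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
        zsk key-directory lifetime unlimited algorithm ecdsap256sha256;
    };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    key-directory "keys";                  # same directory as before
    dnssec-policy "manual-rollover";       # replaces 'auto-dnssec maintain'
    inline-signing yes;                    # keeps the unsigned zone file separate
};
```

Running `named-checkconf` on the edited file before reloading catches syntax errors in the policy block.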

