Is inline-signing recommended?

Alessandro Vesely vesely at tana.it
Fri Oct 18 17:20:26 UTC 2019


Hi all,

reading about the various ways to sign zones, inline-signing seems to be the simplest one.  However, a 2014 Swiss howto I found has this obscure warning:

    Update Nov 2017: DNSSEC zone signing as described here is outdated.
    We strongly recommend against the method described in this blog post.
    Newer BIND versions or other DNS software have greatly simplified
    DNSSEC signing.
    https://securityblog.switch.ch/2014/11/13/dnssec-signing-your-domain-with-bind-inline-signing/

The (old) text has inline signing exemplified like so:

    zone example.com {
        type master;
        file "/etc/bind/zones/db.example.com";
        # publish and activate dnssec keys
        auto-dnssec maintain;
        # use inline signing
        inline-signing yes;
    };

Did a better way arrive between 2014 and 2017?  What does that warning mean?


Thank you
Ale
-- 
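As an added example (not part of the message above, nor SWITCH's or ISC's own text): the quoted stanza with the key-directory it silently relies on, beside the dnssec-policy form that BIND 9.16 and later use for automated signing. The zone name, file path and key directory are assumptions.

```conf
# Added example, not from the message above. Two ways to have named sign
# example.com itself; paths are assumptions.

# (a) The style quoted in the post. Keys are generated by hand with
#     dnssec-keygen into key-directory; named publishes and activates them
#     according to their timing metadata and writes the signatures to a
#     separate .signed file, so the unsigned master file stays editable.
#     Without key-directory, named looks for the keys in its working
#     directory, which is a common reason "auto-dnssec maintain" signs nothing.
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    key-directory "/etc/bind/keys";   # assumed path; must be readable by named
    auto-dnssec maintain;
    inline-signing yes;
};

# (b) BIND 9.16 and later: dnssec-policy makes named generate, roll and
#     retire the keys as well. "default" is the built-in policy (a single
#     CSK, ECDSAP256SHA256). auto-dnssec is not used here and is deprecated
#     in later releases in favour of dnssec-policy.
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    key-directory "/etc/bind/keys";   # assumed path; named writes the keys here
    dnssec-policy default;
    inline-signing yes;               # keep signing out of the unsigned file
};
```

Either way, run `named-checkconf` before reloading, then `rndc signing -list example.com` to see which keys named is signing with and `dig @127.0.0.1 example.com SOA +dnssec` to confirm an RRSIG is returned. Signing the zone locally does not validate it for the world: the DS record still has to be published at the parent zone, and a wrong or stale DS makes the domain fail validation rather than merely remain unsigned.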