Non-disruptive migration to dnssec-policy possible?

Shumon Huque shuque at gmail.com
Thu Mar 26 21:02:43 UTC 2020


On Thu, Mar 26, 2020 at 3:35 PM Håkan Lindqvist via bind-users <
bind-users at lists.isc.org> wrote:

>
> A related thing that I've noticed in my tests is that "dnssec-policy x"
> seems to also imply "inline-signing yes"?
> Is this intended as a strict requirement, it seems a little awkward?
>

I'm sure ISC colleagues will elucidate more, but it sounds to me like a new
interpretation of "inline-signing", i.e. the dnssec-policy feature takes
an unsigned local zone file as input, and generates and maintains a new
signed file ("origfile.signed"). UPDATEs continue to go to the orig file
and ("inline?") signed deltas go into the signed file (well journal first
and synced later). It would probably be helpful to have the mechanics of
this new feature written up in detail somewhere so that operators know what
is actually going on.

Shumon Huque