Deprecating auto-dnssec and inline-signing in 9.18+
FUSTE Emmanuel
emmanuel.fuste at thalesgroup.com
Tue Aug 10 09:28:46 UTC 2021
Le 10/08/2021 à 10:02, Matthijs Mekking a écrit :
> Hi users,
>
> We are planning to deprecate the options 'auto-dnssec' and
> 'inline-signing' in BIND 9.18. The reason for this is because
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
>
> Deprecating means that you can still use the options in 9.18, but a
> warning will be logged and it is very likely that the options will be
> removed in BIND 9.20.
>
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
>
> Do you have reasons for keeping 'inline-signing' or 'auto-dnssec'
> configurations? Is there a use case that is not (yet) covered by
> 'dnssec-policy'? Any other concerns? Please let us know.
>
> Best regards,
>
> Matthijs
>
Hello,
As today state, it looks to me very premature.
inline-signing and auto-dnssec maintain are about transparent signature
maintenance.
dnssec-policy today is about transparent key maintenance/rotation on top
of the engine used by "inline-signing and auto-dnssec maintain"
These are two distinct things for me.
Please add an example showing a dnssec-policy configuration giving the
same result as zone configured with inline-signing and auto-dnssec
maintain : auto signing without automatic key maintenance/rotation. It
should be another default build-in policy ("default-no-auto-rotate" or
something like that).
HSM support for automatic key management, pkcs11 object name mapping,
creation, deletion and more is completely missing from dnssec-policy.
There is even no LTS linux distribution with the open-sc libp11 openssl
engine packaged to be able to use non-deprecated (non native pkcs11)
HSM support.
For now I'm stuck with 9.11 for "on the shelf" pkcs11 support with ISC
bind packages.
With 9.16 packages I'm loosing the pkcs11 support because of lack of
proper version of open-sc libp11 openssl engine in most/all distribs.
Based on the ISC package, I should rebuild it with deprecated native
pkcs11 enabled or try do do a proper packaging of open-sc libp11 openssl
engine. One or the other is on my todo stack for ages but will become
more and more urgent as 9.11 is approaching definitive EOL.
With 9.18, I should have switched to libp11 engine and use deprecated
'auto-dnssec' and 'inline-signing'.
As today plans, with 9.20 I should abandon HSM usage.
Something is missing for me: in real life using HSM always rhymes with
using deprecated mechanism after Bind 9.11.
Best regards,
Emmanuel.
More information about the bind-users
mailing list