AW: Deprecating auto-dnssec and inline-signing in 9.18+
Klaus Darilion
klaus.darilion at nic.at
Tue Aug 10 11:38:02 UTC 2021
Hi Matthijs!
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
Some comments to this KB article and dnssec-policy:
- The article should mention how to retrieve the DS record from Bind.
- How does Bind handle duplicate keyids when generating new keys? Will Bind ensure that there will not be any duplicate key ideas or will it just use the duplicate keys? In the latter case the " rndc dnssec -checkds -key 12345 ..." commands will be ambiguous. (From an user perspective duplicate keyids should be avoided)
Thanks
Klaus
More information about the bind-users
mailing list