'inline-signing' might go away and be replaced by dnssec-policy ?

Tom lists at verreckte-cheib.ch
Wed Nov 9 13:20:58 UTC 2022



On 10/26/22 13:13, Tom wrote:
> 
> 
> On 10/26/22 10:19, Matthijs Mekking wrote:
>> Thanks for this. It probably should be removed from the docs at this 
>> point.
>>
>> When introducing dnssec-policy, my goal was to reduce the dozens of 
>> DNSSEC related configuration options that are scattered throughout 
>> named.conf and contain them in one stanza. But some options are more 
>> difficult to be replaced than others.
>>
>> On 24-10-2022 18:16, PGNet Dev wrote:
>>> i've read this comment
>>>
>>>> 'inline-signing' might go away and be replaced by dnssec-policy
>>>
>>> now a few times, in posts and in docs
>>>
>>> currently, WITH 'dnssec-policy' signing enabled & in-use, i've
>>>
>>>      zone "example.com" IN {
>>>          type master; file "namedb/primary/example.com.zone";
>>>          dnssec-policy "test";
>>>          inline-signing yes;
>>>          ...
>>>
>>> the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in 
>>> order to _not_ overwrite original zone files/data on signing.  e.g., 
>>> with the config above
>>>
>>>      cd namedb/primary/
>>>      ls -1 *example*
>>>          example.com.zone          <==== THIS is the original, unsigned zone data
>>>          example.com.zone.jbk
>>>          example.com.zone.jnl
>>>          example.com.zone.signed   <==== THIS is the signing-generated zone data, which gets propagated
>>>          example.com.zone.signed.jnl
>>>
>>> without it, the original "example.com.zone" is overwritten with 
>>> signed data.
>>>
>>> is there already config in, or planned for, 'dnssec-policy' that 
>>> preserves that separate-file functionality, preserving the original?
>>
>> There are two ways of DNSSEC maintenance in BIND. One is the 
>> inline-signing approach, that preserves the original zone file. The 
>> other is to apply the changes directly to the zone (and zone file) and 
>> requires the zone to allow dynamic updates.
>>
>> Since the latest release, dnssec-policy requires either inline-signing 
>> to be set to yes, or the zone to allow dynamic updates.
>>
>> I am thinking of adding inline-signing to dnssec-policy, do you think 
>> that would be useful?
> 
> Matthijs,
> 
> Yes, from my point of view, that would surely be useful. I would very 
> much welcome a configuration option within the dnssec-policy-statement, 
> to globally enable inline-signing for all dnssec-signed zones.

Matthijs, regarding your question about "adding inline-signing to 
dnssec-policy": Is this something you'll be implementing in the near future?

> 
>>
>> Best regards,
>>
>> Matthijs
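The two maintenance modes Matthijs describes, written out as a named.conf fragment. This is an added example, not configuration from the thread or from the BIND documentation; the policy name "test" and the zone "example.com" are taken from the thread, while "example.org", the key-directory path and the CSK policy are assumptions chosen for illustration.

```text
// dnssec-policy: one stanza holding the key/signing parameters.
// Assumed policy contents: a single combined signing key (CSK) on
// algorithm 13 with no scheduled rollover.
dnssec-policy "test" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

// Mode 1: inline-signing. named keeps the unsigned file untouched and
// writes the signed copy to <file>.signed (plus its .jnl journal).
// This is the layout shown in the thread.
zone "example.com" IN {
    type primary;
    file "namedb/primary/example.com.zone";
    key-directory "namedb/keys";       // assumed path
    dnssec-policy "test";
    inline-signing yes;
};

// Mode 2: dynamic zone. With no inline-signing, dnssec-policy needs the
// zone to accept dynamic updates; named then applies signatures directly
// to the zone and rewrites the original zone file on dump. Use this only
// when that file is not your hand-maintained source of truth.
zone "example.org" IN {
    type primary;
    file "namedb/primary/example.org.zone";
    key-directory "namedb/keys";       // assumed path
    dnssec-policy "test";
    update-policy local;
};

// A zone with dnssec-policy but neither "inline-signing yes;" nor an
// update-policy/allow-update setting is rejected by recent releases,
// as described above.
```

After loading, check which mode is in effect with `rndc zonestatus example.com` and `rndc zonestatus example.org`; the former reports an inline-signing (secure) zone and the latter a dynamic one. If the goal is to keep the unsigned file as the editable master copy, mode 1 is the one to use, and the `.signed` file should never be edited by hand.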

