'inline-signing' might go away and be replaced by dnssec-policy ?
Matthijs Mekking
matthijs at isc.org
Thu Nov 10 11:04:23 UTC 2022
>>> Since the latest release dnssec-policy requires either inline-signing
>>> to be set to yes, or allow dynamic updates.
>>>
>>> I am thinking of adding inline-signing to dnssec-policy, do you think
>>> that would be useful?
>>
>> Matthijs,
>>
>> Yes, from my point of view, that would surely be useful. I would very
>> much welcome a configuration option within the
>> dnssec-policy-statement, to globally enable inline-signing for all
>> dnssec-signed zones.
>
> Matthijs, regarding your question about "adding inline-signing to
> dnssec-policy": Is this something you'll be implementing in the near
> future?

tl;dr probably, for some definition of near.

I haven't made up my mind yet.

On the one hand I don't think "inline-signing" is really a *key and
signing* policy option, so it feels misplaced.

On the other hand it is kind of cumbersome to include "inline-signing
yes;" in all of your zones that use/inherit dnssec-policy.

I do believe the latter argument is a stronger one than the "it feels wrong"
argument though, so I am leaning more towards adding an
"inline-signing" option inside "dnssec-policy".

- Matthijs
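
The requirement discussed in this thread (a zone that uses or inherits dnssec-policy needs either "inline-signing yes;" or dynamic updates) can be checked mechanically. The following is an added example, not part of the original message and not ISC code: a small Python lint over a constructed named.conf fragment. It assumes zone-level and options-level statements only (no views, include files, or comments), and the zone names and paths are made up.

```python
import re

# Constructed sample configuration (hypothetical zones, not from the thread).
SAMPLE_CONF = '''
options { directory "/var/named"; dnssec-policy "default"; };
zone "inline.example"  { type primary; file "inline.example.db"; inline-signing yes; };
zone "dynamic.example" { type primary; file "dynamic.example.db"; update-policy local; };
zone "missing.example" { type primary; file "missing.example.db"; };
zone "optout.example"  { type primary; file "optout.example.db"; dnssec-policy "none"; };
'''

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def policy_of(body):
    """Name of the dnssec-policy set in this block, or None if absent."""
    m = re.search(r'\bdnssec-policy\s+"?([\w.-]+)"?\s*;', body)
    return m.group(1) if m else None

def zones_missing_signing_mode(conf):
    """Zones with a dnssec-policy (own or inherited from options) that set
    neither 'inline-signing yes;' nor allow-update/update-policy."""
    opt = re.search(r'\boptions\s*\{', conf)
    inherited = policy_of(block_body(conf, opt.end() - 1)) if opt else None
    flagged = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_body(conf, m.end() - 1)
        policy = policy_of(body) or inherited
        if policy in (None, "none"):
            continue  # zone is not signed through dnssec-policy
        inline = re.search(r'\binline-signing\s+(yes|true|1)\s*;', body)
        dynamic = re.search(r'\b(update-policy|allow-update)\b', body)
        if not (inline or dynamic):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    print(zones_missing_signing_mode(SAMPLE_CONF))
```
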