'inline-signing' might go away and be replaced by dnssec-policy ?

Matthijs Mekking matthijs at isc.org
Thu Nov 10 11:04:23 UTC 2022


>>> Since the latest release dnssec-policy requires either inline-signing 
>>> to be set to yes, or allow dynamic updates.
>>>
>>> I am thinking of adding inline-signing to dnssec-policy, do you think 
>>> that would be useful?
>>
>> Matthijs,
>>
>> Yes, from my point of view, that would surely be useful. I would very 
>> much welcome a configuration option within the 
>> dnssec-policy-statement, to globally enable inline-signing for all 
>> dnssec-signed zones.
> 
> Matthijs, regarding your question about "adding inline-signing to 
> dnssec-policy": Is this something you'll be implementing in the near 
> future?

tl;dr probably, for some definition of near.


I haven't made up my mind yet.

On the one hand I don't think "inline-signing" is really a *key and 
signing* policy option, so it feels misplaced.

On the other hand it is kind of cumbersome to include "inline-signing 
yes;" in all of your zones that use/inherit dnssec-policy.

I do believe the latter argument is a stronger one than the "it feels wrong" 
argument though, so I am leaning more towards adding an 
"inline-signing" option inside "dnssec-policy".


- Matthijs
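
The requirement quoted at the top of this thread (a zone using dnssec-policy needs either "inline-signing yes;" or dynamic updates) can be checked before a reload. The script below is an added example, not part of the original post or of BIND; it assumes a single named.conf without views or include files, looks only at primary zones, and runs on a constructed sample configuration.

```python
import re

# Constructed sample named.conf for illustration (not from the thread).
SAMPLE_CONF = """
options { dnssec-policy default; };   // inherited by every zone below
zone "inline.example"  { type primary; file "a.db"; inline-signing yes; };
zone "dynamic.example" { type primary; file "b.db"; update-policy local; };
zone "broken.example"  { type primary; file "c.db"; };
zone "denied.example"  { type primary; file "d.db"; allow-update { none; }; };
zone "plain.example"   { type primary; file "e.db"; dnssec-policy none; };
"""

def blocks(text, keyword):
    """Yield (header, body) for each `keyword ... { ... }` block, brace-matched."""
    for m in re.finditer(r"(?m)^\s*%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def policy_of(body):
    """Name given in a `dnssec-policy <name>;` statement, or None."""
    m = re.search(r'\bdnssec-policy\s+"?([\w.-]+)"?\s*;', body)
    return m.group(1) if m else None

def allow_update(body):
    """None if absent; otherwise True unless the ACL is exactly { none; }."""
    m = re.search(r"\ballow-update\s*\{([^}]*)\}", body)
    return None if m is None else m.group(1).strip().rstrip(";").strip() != "none"

def zones_missing_signing_mode(conf):
    """Names of primary zones under a dnssec-policy that are neither
    inline-signed nor dynamic."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    opts = " ".join(body for _, body in blocks(conf, "options"))
    flagged = []
    for header, body in blocks(conf, "zone"):
        if not re.search(r"\btype\s+(primary|master)\s*;", body):
            continue
        if (policy_of(body) or policy_of(opts)) in (None, "none"):
            continue  # zone is not signed by a policy
        inline = re.search(r"\binline-signing\s+(yes|true|1)\s*;", body)
        acl = allow_update(body)
        if acl is None:
            acl = allow_update(opts)  # allow-update may be set in options
        if not (inline or acl or re.search(r"\bupdate-policy\b", body)):
            flagged.append(header.split()[0].strip('"'))
    return flagged

if __name__ == "__main__":
    print(zones_missing_signing_mode(SAMPLE_CONF))
```
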

