Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at isc.org
Mon Nov 14 09:47:03 UTC 2022


FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+.

We might deprecate 'inline-signing' too in 9.18, but only if we have 
implemented the replacement code to configure it inside 'dnssec-policy' 
in time.

After last year's discussion on this mailing list I initially wanted to 
make creating keys inside the HSM work with dnssec-policy. But the 
OpenSSL PKCS#11 engine has no capability to do so. Now that we are 
transitioning to OpenSSL 3.0 and the engine API is being replaced with 
the provider API, this task has become even more challenging.

But since there is functional parity between 'dnssec-policy' and 
'auto-dnssec', we decided that it is acceptable to deprecate the legacy 
style of DNSSEC maintenance.

You can configure dnssec-policy to do no key rollover (and do key 
maintenance/rotation in a different way) as follows:

dnssec-policy "no-auto-rotate" {
     keys {
         ksk lifetime unlimited algorithm 13;
         zsk lifetime unlimited algorithm 13;
     };
};

Best regards,

Matthijs


On 10-08-2021 10:02, Matthijs Mekking wrote:
> Hi users,
> 
> We are planning to deprecate the options 'auto-dnssec' and 
> 'inline-signing' in BIND 9.18. The reason for this is that 
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
> 
> Deprecating means that you can still use the options in 9.18, but a 
> warning will be logged and it is very likely that the options will be 
> removed in BIND 9.20.
> 
> We would like to encourage you to change your configurations to 
> 'dnssec-policy'. See this KB article for migration help:
> 
>      https://kb.isc.org/docs/dnssec-key-and-signing-policy
> 
> Do you have reasons for keeping 'inline-signing' or 'auto-dnssec' 
> configurations? Is there a use case that is not (yet) covered by 
> 'dnssec-policy'? Any other concerns? Please let us know.
> 
> Best regards,
> 
> Matthijs
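As an added illustration (not part of Matthijs' mail), here is a complete named.conf fragment that applies the "no-auto-rotate" policy from the mail to a single zone; the zone name, file paths and key-directory are assumptions.

```conf
// Added example, not from the original post. Zone name and paths are assumed.
options {
    directory "/var/named";            // assumed working directory
};

dnssec-policy "no-auto-rotate" {
    keys {
        // 'lifetime unlimited' means named signs and publishes with these keys
        // but never schedules a rollover on its own; a rollover only happens
        // when an operator triggers one, e.g.
        //   rndc dnssec -rollover -key <keyid> example.com
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // Keys are created and read here; the directory must be writable by named.
    key-directory "/var/named/keys";   // assumed path
    dnssec-policy "no-auto-rotate";
    // In 9.18 a dnssec-policy zone that is not dynamic still needs this.
    inline-signing yes;
};
```

Validate the file with `named-checkconf` before reloading, and confirm the policy took effect with `rndc dnssec -status example.com`, which should report the KSK and ZSK with no scheduled rollover.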