'inline-signing' might go away and be replaced by dnssec-policy ?
PGNet Dev
pgnet.dev at gmail.com
Mon Oct 24 16:16:09 UTC 2022
i've read this comment
> 'inline-signing' might go away and be replaced by dnssec-policy
now a few times, in posts and in docs
currently, WITH 'dnssec-policy' signing enabled & in-use, i've

    zone "example.com" IN {
        type master; file "namedb/primary/example.com.zone";
        dnssec-policy "test";
        inline-signing yes;
        ...

the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing. e.g., with the config above

    cd namedb/primary/
    ls -1 *example*
        example.com.zone               <==== THIS is the original, unsigned zone data
        example.com.zone.jbk
        example.com.zone.jnl
        example.com.zone.signed        <==== THIS is the signing-generated zone data, which gets propagated
        example.com.zone.signed.jnl

without it, the original "example.com.zone" is overwritten with signed data.

is there already config in, or planned for, 'dnssec-policy' that preserves that separate-file functionality, preserving the original?