'inline-signing' might go away and be replaced by dnssec-policy ?

Matthijs Mekking matthijs at isc.org
Wed Oct 26 08:19:53 UTC 2022


Thanks for this. It probably should be removed from the docs at this point.

When introducing dnssec-policy, my goal was to reduce the dozens of 
DNSSEC related configuration options that are scattered throughout 
named.conf and contain them in one stanza. But some options are more 
difficult to replace than others.

On 24-10-2022 18:16, PGNet Dev wrote:
> I've read this comment
> 
>> 'inline-signing' might go away and be replaced by dnssec-policy
> 
> now a few times, in posts and in docs.
> 
> Currently, WITH 'dnssec-policy' signing enabled & in use, I've
> 
>      zone "example.com" IN {
>          type master; file "namedb/primary/example.com.zone";
>          dnssec-policy "test";
>          inline-signing yes;
>          ...
> 
> The 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in 
> order to _not_ overwrite original zone files/data on signing. E.g., 
> with the config above
> 
>      cd namedb/primary/
>      ls -1 *example*
>          example.com.zone          <==== THIS is the original, unsigned zone data
>          example.com.zone.jbk
>          example.com.zone.jnl
>          example.com.zone.signed   <==== THIS is the signing-generated zone data, which gets propagated
>          example.com.zone.signed.jnl
> 
> Without it, the original "example.com.zone" is overwritten with signed 
> data.
> 
> Is there already config in, or planned for, 'dnssec-policy' that 
> preserves that separate-file functionality, preserving the original?

There are two ways of doing DNSSEC maintenance in BIND. One is the 
inline-signing approach, which preserves the original zone file. The 
other is to apply the changes directly to the zone (and zone file), which 
requires the zone to allow dynamic updates.

Since the latest release, dnssec-policy requires either inline-signing to 
be set to yes, or dynamic updates to be allowed.

I am thinking of adding inline-signing to dnssec-policy. Do you think 
that would be useful?

Best regards,

Matthijs


More information about the bind-users mailing list
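The two maintenance modes described in the reply above, written out as a named.conf fragment. This is an added example, not configuration from the thread or from ISC; the policy body, the "example.net" zone, the file paths and the choice of update-policy are assumptions made to illustrate the two modes, not taken from the original poster's setup.

```conf
// Added example, not from the thread. Two zones sharing one dnssec-policy,
// one per DNSSEC maintenance mode. Policy contents, paths and the
// "example.net" zone are assumed for illustration.

dnssec-policy "test" {
    keys {
        // single CSK, never rolled; ecdsa256 is the named form of algorithm 13
        csk key-directory lifetime unlimited algorithm ecdsa256;
    };
};

// Mode 1: inline signing. named leaves "example.com.zone" untouched and
// writes the signed version to "example.com.zone.signed", with journal
// files alongside. This is the setup the original poster showed.
zone "example.com" IN {
    type primary;            // "type master;" is the older spelling
    file "namedb/primary/example.com.zone";
    dnssec-policy "test";
    inline-signing yes;
};

// Mode 2: dynamic updates. Signing changes are applied directly to the
// zone and its file, so "example.net.zone" is rewritten by named. Keep
// an unsigned copy elsewhere if you need the original text.
zone "example.net" IN {
    type primary;
    file "namedb/primary/example.net.zone";
    dnssec-policy "test";
    update-policy local;     // session-key updates (nsupdate -l); no inline-signing
};
```

Check the result with `named-checkconf -z` before reloading. After named has loaded the zones, the inline-signed zone gains a `.signed` file next to the original, while the dynamic-update zone has only its own file and journal; if a zone with dnssec-policy has neither `inline-signing yes;` nor an update-policy/allow-update setting, the version of BIND discussed in the thread refuses it.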