A beginner's guide to DNSSEC with BIND 9

Matthijs Mekking matthijs at isc.org
Wed Oct 26 08:24:36 UTC 2022



On 24-10-2022 20:43, Richard T.A. Neal wrote:
> Jan-Piet Mens wrote:
> 
>>> A Beginner's Guide to DNSSEC with BIND 9.
> 
>> Well done! A few comments, if I may:
> 
> {snip}
> 
> Thanks JP, I really appreciate the feedback. I'll take all of that on board, change my zones and guide from master/slave to primary/secondary, and take a look at TSIG as well.
> 
> As PGNet Dev said, I would also be interested to hear more about "inline-signing might go away". In fact when creating my first DNSSEC zone I initially *did not* include this statement in the zone file, but this caused named to fail to start and it threw the following error:
> 
> 'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone
> 
> Like PGNet Dev I would also prefer to continue to hand-edit my zone files for the time being (rather than using a tool such as nsupdate) so I'm interested to hear if this will still be supported or what the roadmap is for deprecating the ability to hand-edit these files for DNSSEC-enabled zones.

The inline-signing feature will not go away.

When introducing dnssec-policy, my goal was to reduce the dozens of
DNSSEC-related configuration options, but despite what I thought earlier
when I started to work on this, the inline-signing option is still needed.

Best regards,

Matthijs

