'inline-signing' might go away and be replaced by dnssec-policy ?
Jan-Piet Mens
list at mens.de
Wed Oct 26 16:59:56 UTC 2022
>the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to
>_not_ overwrite original zone files/data on signing.
I cannot confirm that (9.17.22):
% ls -1
example.aa
named.conf
% cat named.conf
options {
    directory ".";
    listen-on port 5301 { 127.0.0.2; };
    recursion no;
    dnssec-validation no;
};
zone "example.aa" in {
    type primary;
    file "example.aa";
    dnssec-policy "default";
};
% named -g -c named.conf &
% ls -1
Kexample.aa.+013+11677.key
Kexample.aa.+013+11677.private
Kexample.aa.+013+11677.state
example.aa
example.aa.jbk
example.aa.signed
example.aa.signed.jnl
named.conf
The .signed has the signed zone from which BIND serves data, and the original
source file is unchanged.
-JP