'inline-signing' might go away and be replaced by dnssec-policy ?
PGNet Dev
pgnet.dev at gmail.com
Wed Oct 26 19:53:37 UTC 2022
there are separate cases to consider.
the docs
https://bind9.readthedocs.io/en/latest/reference.html#dnssec-policy-block-definition-and-usage
state
The dnssec-policy statement requires dynamic DNS to be set up, or inline-signing to be enabled.
If inline-signing is enabled, this means that a signed version of the zone is maintained separately and is written out to a different file on disk (the zone’s filename plus a .signed extension).
If the zone is dynamic because it is configured with an update-policy or allow-update, the DNSSEC records are written to the filename set in the original zone’s file, unless inline-signing is explicitly set.
-------- Original Message --------
From: Jan-Piet Mens via bind-users [mailto:bind-users at lists.isc.org]
Sent: Wednesday, October 26, 2022 at 3:41 PM EDT
To: bind-users at lists.isc.org
Subject: 'inline-signing' might go away and be replaced by dnssec-policy ?
> Retried my named.conf with BIND 9.19.7-dev (Development Release) <id:e004ca4> which reports:
>
> 26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'. See https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
>
> If I add an allow-update{} or inline-signing{} stanza, the server starts and
> neither combination overwrites the primary zone file.
>
> -JP
More information about the bind-users
mailing list