DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

Matthijs Mekking matthijs at isc.org
Tue Jul 25 06:49:35 UTC 2023



On 7/24/23 20:14, E R wrote:
> As if DNSSec is not confusing enough...It seems the ARM manual that 
> matches my release is out of step with the web site.  I followed the 
> "Easy-Start Guide for Signing Authoritative Zones" in the ARM manual 
> after manually signing my test zone for my starting point.  The ARM says 
> you ONLY need to specify "dnssec-policy default;" in your zone, view or 
> options clause for the newer way to sign things.  I completed the steps 
> successfully (except for one command that no longer works as shown in 
> the manual which is not important).  I cannot find anything broken 
> with BIND 9.16.23-RH (Extended Support Version) when I follow the ARM 
> manual.
> 
> This document https://kb.isc.org/docs/dnssec-key-and-signing-policy 
> says I need to 
> have a dynamic zone for things to work.  Don't need or design anything 
> other than a good ole static zone since an entry is changed like 3-4 
> times per year.  The newest ARM has a new section that mentions needing 
> to set up Dynamic DNS but it also states that BIND previously used 
> implicit inline-signing.  It is really difficult for a casual observer 
> to sort this out.  No reference to what they mean by "previously".

It says in the blue box dynamic zones required **or** inline-signing 
enabled.

> Did they break builds newer than 9.16.23 and that is why I am not seeing 
> any issues?  Or is it the fact that I am not a DNSSEC expert I am not 
> seeing a glaring issue?

This has been true since 9.16.33.

Best regards,

Matthijs
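
An added example (not part of the original thread and not ISC code): a small Python check that lists zones whose own block sets dnssec-policy but has neither "inline-signing yes" nor an update statement, the requirement the reply says has applied since 9.16.33. The sample configuration and zone names are constructed; policies inherited from options or view are not examined, and treating any allow-update or update-policy statement as "dynamic" is an assumption of this example.

```python
import re

# Constructed sample named.conf for this example (zone names are placeholders).
SAMPLE_CONF = '''
zone "static.example" {
    type master;
    dnssec-policy default;      // static zone, signing mode left implicit
};
zone "inline.example" {
    type master;
    dnssec-policy default;
    inline-signing yes;
};
zone "dynamic.example" {
    type master;
    dnssec-policy default;
    update-policy local;
};
'''

def strip_comments(text):  # simplification: does not honour quoted strings
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zone_blocks(conf):
    """Yield (name, body) per zone statement, matching nested braces."""
    conf = strip_comments(conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def zones_missing_signing_mode(conf):
    """Zones with dnssec-policy but no inline-signing yes and no update statement."""
    flagged = []
    for name, body in zone_blocks(conf):
        policy = re.search(r'\bdnssec-policy\s+"?([^\s";]+)"?\s*;', body)
        if not policy or policy.group(1) == 'none':
            continue
        inline = re.search(r'\binline-signing\s+(yes|true|1)\s*;', body)
        # Assumption of this example: any update statement means "dynamic".
        dynamic = re.search(r'\b(allow-update|update-policy)\b', body)
        if not (inline or dynamic):
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    print(zones_missing_signing_mode(SAMPLE_CONF))
```

Zones it reports are the ones to review against the KB article's blue box before moving to a release at or after 9.16.33.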

