Problem upgrading to 9.18 - important feature being removed
Matthijs Mekking
matthijs at isc.org
Wed Feb 28 08:04:30 UTC 2024
On 2/27/24 19:35, Michael Richardson wrote:
>
> Matthijs Mekking <matthijs at isc.org> wrote:
> > As the main developer of dnssec-policy, I would like to confirm that
> > what has been said by Michael and Nick is correct.
>
> Cool.
>
> > - When migrating to dnssec-policy, make sure the configuration matches
> > your existing keys.
>
> Is there a way to validate the policy against what's in a specific zone/directory?
> Effectively, "do your key management stuff --just-kidding --verbose"?
There is nothing like that today.
> > - Most issues that were shared on this list have to do with migrating
> > to dnssec-policy.
>
> Agreed: and it bit me, and I am still a bit shell shocked.
>
> > - If you feel like the DS is stuck in 'rumoured' state you might need
> > to run 'rndc dnssec -checkds seen' on the key.
>
> okay, good to know this.
> . o O ( Umbrella Academy )
>
> > - It is not recommended to switch to dnssec-policy if you are currently
> > in a rollover.
>
> > I acknowledge that migration takes some care and I wish the process was
> > easier. We have some ideas to make it less error prone, but I haven't
> > found the time to work on that.
>
> Are there open issues?
So far these were only ideas and have not been turned into GitLab issues,
but things that I have been considering are a check to see if migration
is complete (that would prevent any other policy changes), and a
named-checkconf option to see if the dnssec-policy configuration matches
the existing key-directory.
Carsten created an issue for dry-running a migration:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4606
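The "does my dnssec-policy match the keys already in the key-directory" check discussed above does not exist in BIND, so here is an added example of how such a dry run can be approximated outside named. This is not ISC code and not part of the thread: it parses the `keys { ... }` lines of a dnssec-policy stanza and the `K*.state` files that BIND writes next to each key (the field names `Algorithm`, `Length`, `KSK`, `ZSK`, `DSState` and the `rumoured`/`omnipresent` state values are assumed from the 9.16+ state-file layout), then reports keys whose role, algorithm or length has no counterpart in the policy, and KSK/CSKs whose DS is still `rumoured`, the situation in which the post says `rndc dnssec -checkds` may be needed. The policy text and state files in the block are constructed samples; lifetimes are deliberately not compared.

```python
"""Dry-run check: does a dnssec-policy match the keys in a key-directory?
Added example, not BIND code.  The .state layout and the field names used
here are assumptions based on BIND 9.16+ key state files."""
import re
from pathlib import Path

# BIND algorithm mnemonics accepted in dnssec-policy -> DNSSEC algorithm numbers
ALG_NUMBERS = {
    "rsasha1": 5, "rsasha256": 8, "rsasha512": 10,
    "ecdsa256": 13, "ecdsa384": 14, "ed25519": 15, "ed448": 16,
}

# One key line: "<ksk|zsk|csk> ... algorithm <alg> [<length>];"
KEY_LINE = re.compile(
    r"^\s*(ksk|zsk|csk)\s+.*?algorithm\s+(\S+?)(?:\s+(\d+))?\s*;", re.M | re.I)


def parse_policy(conf_text):
    """Return [{'role', 'alg', 'len'}] for every key line of a dnssec-policy."""
    keys = []
    for role, alg, length in KEY_LINE.findall(conf_text):
        alg_num = int(alg) if alg.isdigit() else ALG_NUMBERS[alg.lower()]
        keys.append({"role": role.lower(), "alg": alg_num,
                     "len": int(length) if length else None})
    return keys


def parse_state(text):
    """Parse a K*.state file into a dict; skips ';' comments and drops the
    human-readable time in parentheses that may follow a timestamp."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split("(")[0].strip()
    return fields


def key_role(state):
    """Map the KSK/ZSK flags of a state file to a dnssec-policy key role."""
    ksk, zsk = state.get("KSK") == "yes", state.get("ZSK") == "yes"
    return "csk" if ksk and zsk else "ksk" if ksk else "zsk"


def check_keys(policy_keys, states):
    """Return a list of findings; an empty list means the directory matches."""
    findings = []
    for name, st in states.items():
        role, alg, length = key_role(st), int(st["Algorithm"]), int(st["Length"])
        matches = [p for p in policy_keys
                   if p["role"] == role and p["alg"] == alg
                   and (p["len"] is None or p["len"] == length)]
        if not matches:
            findings.append(f"{name}: {role} alg {alg} len {length} has no "
                            f"matching key in the policy")
        if role != "zsk" and st.get("DSState") == "rumoured":
            findings.append(f"{name}: DS still 'rumoured'; if the DS is in "
                            f"the parent, tell named with rndc dnssec -checkds")
    return findings


def load_key_directory(path):
    """Read every K*.state file of a real key-directory into {key_name: text}."""
    return {p.stem: p.read_text() for p in sorted(Path(path).glob("K*.state"))}


# Constructed sample policy: an ECDSAP256SHA256 KSK and ZSK.
SAMPLE_POLICY = """
dnssec-policy "migrated" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime P30D algorithm 13;
    };
};
"""

# Constructed sample state files: the KSK matches the policy but its DS is
# still 'rumoured'; the ZSK is RSASHA256 and so has no counterpart.
SAMPLE_STATES = {
    "Kexample.com.+013+20000": """\
; This is the state of key 20000, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20240101000000 (Mon Jan  1 00:00:00 2024)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
""",
    "Kexample.com.+008+30000": """\
Algorithm: 8
Length: 2048
Lifetime: 2592000
KSK: no
ZSK: yes
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
DSState: hidden
""",
}


def audit(policy_text=SAMPLE_POLICY, state_texts=SAMPLE_STATES):
    """Run the comparison; pass load_key_directory(path) for a real directory."""
    states = {name: parse_state(txt) for name, txt in state_texts.items()}
    return check_keys(parse_policy(policy_text), states)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Running it on the samples prints two findings: the KSK's DS is still `rumoured`, and the RSASHA256 ZSK matches no key line in the policy. Against a real key-directory, call `audit(open("named.conf").read(), load_key_directory("/var/cache/bind/keys"))` (paths are assumptions) before switching the zone to `dnssec-policy`; an empty result means roles, algorithms and lengths line up, which is the first of the conditions the post lists for a safe migration.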