'inline-signing' might go away and be replaced by dnssec-policy ?
Tom
lists at verreckte-cheib.ch
Wed Oct 26 11:13:17 UTC 2022
On 10/26/22 10:19, Matthijs Mekking wrote:
> Thanks for this. It probably should be removed from the docs at this point.
>
> When introducing dnssec-policy, my goal was to reduce the dozens of
> DNSSEC related configuration options that are scattered throughout
> named.conf and contain them in one stanza. But some options are more
> difficult to be replaced than others.
>
> On 24-10-2022 18:16, PGNet Dev wrote:
>> i've read this comment
>>
>>> 'inline-signing' might go away and be replaced by dnssec-policy
>>
>> now a few times, in posts and in docs
>>
>> currently, WITH 'dnssec-policy' signing enabled & in-use, i've
>>
>> zone "example.com" IN {
>>     type master;
>>     file "namedb/primary/example.com.zone";
>>     dnssec-policy "test";
>>     inline-signing yes;
>>     ...
>>
>> the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in
>> order to _not_ overwrite original zone files/data on signing. e.g.,
>> with the config above
>>
>> cd namedb/primary/
>> ls -1 *example*
>> example.com.zone            <==== THIS is the original, unsigned zone data
>> example.com.zone.jbk
>> example.com.zone.jnl
>> example.com.zone.signed     <==== THIS is the signing-generated zone data, which gets propagated
>> example.com.zone.signed.jnl
>>
>> without it, the original "example.com.zone" is overwritten with signed
>> data.
>>
>> is there already config in, or planned for, 'dnssec-policy' that
>> preserves that separate-file functionality, preserving the original?
>
> There are two ways of DNSSEC maintenance in BIND. One is the
> inline-signing approach, that preserves the original zone file. The
> other is to apply the changes directly to the zone (and zone file) and
> requires the zone to allow dynamic updates.
>
> Since the latest release, dnssec-policy requires either inline-signing to
> be set to yes, or allowing dynamic updates.
>
> I am thinking of adding inline-signing to dnssec-policy, do you think
> that would be useful?
Matthijs,
Yes, from my point of view, that would surely be useful. I would very
much welcome a configuration option within the dnssec-policy statement
to globally enable inline-signing for all dnssec-signed zones.
>
> Best regards,
>
> Matthijs
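For reference, the two DNSSEC maintenance modes Matthijs describes, written out side by side as named.conf fragments. This is an added example, not configuration from this thread or from the BIND documentation; the zone names, file paths and key parameters in the policy are assumptions.

```conf
// Added example: one dnssec-policy shared by two zones that use the two
// maintenance modes discussed in the thread. Names, paths and key
// parameters are assumptions, not values taken from the thread.
dnssec-policy "test" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D      algorithm ecdsap256sha256;
    };
};

// Mode 1: inline signing. named leaves "example.com.zone" untouched and
// writes the signed copy to "example.com.zone.signed" (plus journals),
// so the hand-maintained file is never overwritten by signing.
zone "example.com" IN {
    type primary;                 // "master" is the older synonym
    file "namedb/primary/example.com.zone";
    dnssec-policy "test";
    inline-signing yes;
};

// Mode 2: dynamic zone. Without inline-signing, dnssec-policy requires the
// zone to accept dynamic updates; named then applies keys and signatures
// directly to the zone and rewrites the zone file itself, so the copy on
// disk is the signed, named-managed version rather than the original.
zone "example.org" IN {
    type primary;
    file "namedb/primary/example.org.zone";
    dnssec-policy "test";
    update-policy local;          // updates via the local session key (nsupdate -l)
};
```

Which mode to pick comes down to whether the zone file on disk must stay a human-edited source of truth (mode 1) or may become named-owned (mode 2).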