Problem upgrading to 9.18 - important feature being removed
Michael Richardson
mcr at sandelman.ca
Tue Feb 27 18:35:10 UTC 2024
Matthijs Mekking <matthijs at isc.org> wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way to validate the policy against what's in a specific zone/directory?
Effectively, "do your key management stuff --just-kidding --verbose"?
> - Most issues that were shared on this list have to do with migrating
> to dnssec-policy.
Agreed: and it bit me, and I am still a bit shell shocked.
> - If you feel like the DS is stuck in 'rumoured' state you might need
> to run 'rndc dnssec -checkds seen' on the key.
okay, good to know this.
. o O ( Umbrella Academy )
> - It is not recommended to switch to dnssec-policy if you are currently
> in a rollover.
> I acknowledge that migration takes some care and I wish the process was
> easier. We have some ideas to make it less error prone, but I haven't
> found the time to work on that.
Are there open issues?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 511 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240227/c21748d4/attachment.sig>
More information about the bind-users
mailing list