On Thu, Mar 26, 2020 at 7:27 PM Håkan Lindqvist via bind-users <bind-users@lists.isc.org> wrote:

> On 2020-03-26 23:00, Mark Andrews wrote:
> > dnssec-policy should be independent of inline-signing. If it isn’t then
> > it is a bug.
> >
> > It's just people like editing master files rather than using nsupdate to
> > make changes.
>
> Ok, thank you for clarifying what should be expected.
>
> I guess that leaves the question of whether I am reading too much into
> the new behavior.
>
> In addition to my DNSKEY issues, I do get two new files when switching a
> zone to dnssec-policy: .signed + .signed.jnl.
> To me this seems like the result of inline signing having been enabled,
> but maybe this could happen for some other reason?
>

I suspect dnssec-policy is re-using a lot of the code that did inline
signing, only applying it to a local unsigned zone file rather than one that
was fetched from a remote master via zone transfer (hence my last note
about a new interpretation of the term).

In fact, "rndc zonestatus" reports the same for a very simple dnssec-policy
test on a local zone I did:

    $ rndc zonestatus foo.test
    name: foo.test
    type: master
    files: zones/foo.test/zonefile
    serial: 1000000251
    signed serial: 1000000257
    nodes: 5
    last loaded: Wed, 25 Mar 2020 17:52:09 GMT
    secure: yes
    inline signing: yes
    ^^^^^^^^^^^^^^^^^
    key maintenance: automatic
    next key event: Sat, 28 Mar 2020 20:45:44 GMT
    next resign node: foo.test/NS
    next resign time: Sat, 28 Mar 2020 08:40:06 GMT
    dynamic: yes
    frozen: no
    reconfigurable via modzone: no

Shumon Huque