We didn't need this some versions of BIND ago (I had to add it recently on a zone that I've been testing with - untouched from a year or so ago).

We don't generally edit the signed zone - just the unsigned zone (at least that is how this zone is modified!)

On 2022/10/26 10:19, Matthijs Mekking wrote:
Thanks for this. It probably should be removed from the docs at this point.

When introducing dnssec-policy, my goal was to reduce the dozens of DNSSEC related configuration options that are scattered throughout named.conf and contain them in one stanza. But some options are more difficult to be replaced than others.

On 24-10-2022 18:16, PGNet Dev wrote:
> i've read this comment
>
>     'inline-signing' might go away and be replaced by dnssec-policy
>
> now a few times, in posts and in docs
>
> currently, WITH 'dnssec-policy' signing enabled & in-use, i've
>
>     zone "example.com" IN {
>         type master;
>         file "namedb/primary/example.com.zone";
>         dnssec-policy "test";
>         inline-signing yes;
>         ...
>
> the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing. e.g., with the config above
>
>     cd namedb/primary/
>     ls -1 *example*
>         example.com.zone              <==== THIS is the original, unsigned zone data
>         example.com.zone.jbk
>         example.com.zone.jnl
>         example.com.zone.signed       <==== THIS is the signing-generated zone data, which gets propagated
>         example.com.zone.signed.jnl
>
> without it, the original "example.com.zone" is overwritten with signed data.
>
> is there already config in, or planned for, 'dnssec-policy' that preserves that separate-file functionality, preserving the original?

There are two ways of DNSSEC maintenance in BIND. One is the inline-signing approach, that preserves the original zone file. The other is to apply the changes directly to the zone (and zone file) and requires the zone to allow dynamic updates.

Since the latest release dnssec-policy requires either inline-signing to be set to yes, or allow dynamic updates.

I am thinking of adding inline-signing to dnssec-policy, do you think that would be useful?

Best regards,
Matthijs

--
Mark James ELKINS - Posix Systems - (South) Africa
[email protected]
Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
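
The requirement stated in the thread (a zone with dnssec-policy needs either inline-signing set to yes or dynamic updates), as an added example that is not part of the original messages or of BIND: a small named.conf check that lists zones meeting neither condition. It assumes both settings are made inside the zone statement (values inherited from options or view blocks are not considered) and that dynamic updates are enabled with allow-update or update-policy; the sample configuration is constructed.

```python
import re

# Constructed named.conf fragment (zone names and the ddns-key are sample values).
SAMPLE_CONF = '''
zone "example.com" IN { type master; file "namedb/primary/example.com.zone";
    dnssec-policy "test"; inline-signing yes; };
zone "example.net" IN { type master; file "namedb/primary/example.net.zone";
    dnssec-policy "test"; };
zone "example.org" IN { type master; file "namedb/primary/example.org.zone";
    dnssec-policy "test"; update-policy { grant ddns-key zonesub any; }; };
zone "example.edu" IN { type master; file "namedb/primary/example.edu.zone"; };
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{;]*\{')

def zone_blocks(conf):
    """Yield (zone name, statement body) pairs, following nested braces."""
    # Simplification: strips comments without honouring quoted strings.
    conf = re.sub(r'(#|//)[^\n]*|/\*.*?\*/', '', conf, flags=re.S)
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def zones_missing_signing_mode(conf):
    """Zones with a dnssec-policy but neither inline-signing nor dynamic updates."""
    flagged = []
    for name, body in zone_blocks(conf):
        policy = re.search(r'\bdnssec-policy\s+"?([\w.-]+)"?\s*;', body)
        if not policy or policy.group(1) == 'none':
            continue  # unsigned zone, nothing to check
        inline = re.search(r'\binline-signing\s+(yes|true|1)\s*;', body)
        # Assumption: dynamic updates are enabled per zone via these options.
        dynamic = re.search(r'\b(allow-update|update-policy)[\s{]', body)
        if not (inline or dynamic):
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    for zone in zones_missing_signing_mode(SAMPLE_CONF):
        print(f'{zone}: dnssec-policy set without inline-signing or dynamic updates')
```
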

