There are two ways of DNSSEC maintenance in BIND. One is the inline-signing
approach, which preserves the original zone file. The other is to apply the
changes directly to the zone (and zone file), which requires the zone to allow
dynamic updates.
Since the latest release, dnssec-policy requires either inline-signing to be set
to yes or dynamic updates to be allowed.
I am thinking of adding inline-signing to dnssec-policy; do you think that
would be useful?
Yes, from my point of view, that would surely be useful. I would very much
welcome a configuration option within the dnssec-policy-statement, to globally
enable inline-signing for all dnssec-signed zones.
If that's an option to preserve the unsigned zone files that will remain &
retain that capability, then agreed -- a 'global' option within dnssec-policy, with
option to override per-zone, would be useful in simplifying config.
Bottom line: I'd prefer to retain my flatfile/text unsigned/original zone
data, and have BIND create/push separate, signed data.
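
The two maintenance approaches discussed in this thread, side by side as a named.conf fragment. This is an added example, not configuration posted by any of the participants; the zone names, file paths, key name and secret are assumptions or placeholders.

```conf
// Constructed example: names, paths and the key are placeholders.

// Approach 1: inline-signing.
// named loads the unsigned zone file and leaves it untouched; the signed
// version is kept in a separate file alongside it (example.com.db.signed).
zone "example.com" {
    type primary;
    file "zones/example.com.db";
    dnssec-policy default;
    inline-signing yes;
};

// Approach 2: dynamic zone.
// named applies the DNSSEC changes directly to the zone and rewrites the
// zone file, so the original flat file is not preserved as written.
// Updates are limited to holders of a TSIG key instead of an address ACL.
key "ddns-example-net" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real secret
};

zone "example.net" {
    type primary;
    file "dynamic/example.net.db";
    dnssec-policy default;
    allow-update { key "ddns-example-net"; };
};
```

With the second form, manual edits to the zone file need `rndc freeze` and `rndc thaw` around them, which is one reason to prefer the first form when the unsigned text file is the source of truth.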