Re: Is inline-signing recommended?

2019-10-18 Thread Daniel Stirnimann
Hello Alessandro,

On 18.10.19 19:20, Alessandro Vesely wrote:
> Did a better way arrive between 2014 and 2017?  What does that warning
> mean?

The how-to in this article manually creates keys or does key rollovers.
Most DNS software has automated that part; see for example the section
Policy Configuration:

https://ftp.isc.org/isc/bind9/9.14.7/doc/arm/man.dnssec-keymgr.html

Kind regards,
Daniel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
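As an added illustration of what "automated that part" looks like (this is not part of either message in the thread, nor configuration from the linked article): a dnssec-keymgr policy file that expresses key algorithm, key sizes and rollover timing declaratively, so that the tool generates keys and schedules ZSK rollovers instead of an operator doing it by hand. The option names follow the dnssec-keymgr manual cited above; the file path, zone name, intervals and key sizes are assumptions chosen for the example.

```conf
# /etc/dnssec-policy.conf  (assumed path; dnssec-keymgr's default location)
# Added example, not taken from the thread or the linked article.

# Site-wide defaults that every zone inherits unless overridden.
policy global {
    algorithm ECDSAP256SHA256;     # smaller keys/signatures than RSA (assumed choice)
    coverage 6mo;                  # how far ahead to ensure valid keys exist
    directory "/var/cache/bind/keys";   # assumed key directory; must match key-directory in named.conf
    keyttl 1h;                     # TTL of the DNSKEY RRset, used to time rollover steps
    key-size ksk 256;
    key-size zsk 256;
    pre-publish zsk 1mo;           # publish the next ZSK this long before it starts signing
    post-publish zsk 1mo;          # keep the retired ZSK published this long after
    roll-period zsk 3mo;           # automatic ZSK rollover every three months
    roll-period ksk 0;             # KSK rollover stays manual (needs a DS change at the parent)
};

# A named policy class for zones that want the defaults as-is.
policy standard {
};

# Per-zone assignment; the zone name is an example value.
zone example.com {
    policy standard;
};

# Run periodically (e.g. from cron) so keys are created and rollover
# timing metadata is written; named with "auto-dnssec maintain" and
# "inline-signing yes" then publishes and signs with them:
#   dnssec-keymgr -c /etc/dnssec-policy.conf -K /var/cache/bind/keys example.com
```

The practical consequence for the zone stanza quoted in the original question is that `auto-dnssec maintain` and `inline-signing yes` stay exactly as they are: they govern how named uses keys it finds in the key directory, while the policy file governs when those keys are created and retired. A check worth keeping is that the `directory` here and `key-directory` in named.conf point to the same place; if they diverge, named never sees the keys the policy tool generates and the zone silently keeps signing with the old key.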


Is inline-signing recommended?

2019-10-18 Thread Alessandro Vesely
Hi all,

reading about the various ways to sign zones, inline-signing seems to be the 
simplest one.  However, a 2014 Swiss howto I found has this obscure warning:

Update Nov 2017: DNSSEC zone signing as described here is outdated.
We strongly recommend against the method described in this blog post.
Newer BIND versions or other DNS software have greatly simplified
DNSSEC signing.

https://securityblog.switch.ch/2014/11/13/dnssec-signing-your-domain-with-bind-inline-signing/

The (old) text has inline signing exemplified like so:

zone example.com {
    type master;
    file "/etc/bind/zones/db.example.com";
    # publish and activate dnssec keys
    auto-dnssec maintain;
    # use inline signing
    inline-signing yes;
};

Did a better way arrive between 2014 and 2017?  What does that warning mean?


Thank you
Ale
-- 