Re: Is inline-signing recommended?
Hello Alessandro,

On 18.10.19 19:20, Alessandro Vesely wrote:
> Did a better way arrive between 2014 and 2017?  What does that warning
> mean?

The how-to in this article manually creates keys or does key rollovers.
Most DNS software has automated that part, see for example section
Policy Configuration:

https://ftp.isc.org/isc/bind9/9.14.7/doc/arm/man.dnssec-keymgr.html

Kind regards,
Daniel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Is inline-signing recommended?
Hi all,

reading about the various ways to sign zones, inline-signing seems to be
the simplest one.  However, a 2014 Swiss howto I found has this obscure
warning:

    Update Nov 2017: DNSSEC zone signing as described here is outdated.
    We strongly recommend against the method described in this blog post.
    Newer BIND versions or other DNS software have greatly simplified
    DNSSEC signing.

https://securityblog.switch.ch/2014/11/13/dnssec-signing-your-domain-with-bind-inline-signing/

The (old) text has inline signing exemplified like so:

    zone example.com {
        type master;
        file "/etc/bind/zones/db.example.com";

        # publish and activate dnssec keys
        auto-dnssec maintain;

        # use inline signing
        inline-signing yes;
    };

Did a better way arrive between 2014 and 2017?  What does that warning
mean?

Thank you
Ale