Excellent, thanks, looks like that very well covers it (and also the "insecure" policy too). And https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9092/diffs looks good ... including Suzanne Goldlust's additional suggestions too.
Thanks!

On Fri, Jun 7, 2024 at 1:08 AM Petr Špaček <pspa...@isc.org> wrote:
>
> Hello,
>
> and thank you for reaching out. I agree this was poorly documented.
>
> In recent versions you can use command `named -C` which prints out
> default configuration, including the default DNSSEC policy.
>
> I'm going to update documentation to reflect that:
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9092/diffs
>
> Petr Špaček
> Internet Systems Consortium
>
> On 06. 06. 24 21:01, Michael Paoli via bind-users wrote:
> > Ah, thanks!
> >
> > Yeah, that's what I was looking to find:
> > https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
> > https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
> > Alas, not in the ISC distribution tarballs,
> > and the documentation refers to
> > doc/misc/dnssec-policy.default.conf
> > without indicating where to find that.
> >
> > On Thu, Jun 6, 2024 at 8:31 AM Andrew Latham <lath...@gmail.com> wrote:
> >>
> >> I took a quick look
> >>
> >> * https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
> >> * https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
> >>
> >> On Thu, Jun 6, 2024 at 8:19 AM Michael Paoli via bind-users
> >> <bind-users@lists.isc.org> wrote:
> >>>
> >>> dnssec-policy default - where/how to determine what all its settings are?
> >>> Documentation
> >>> doc/bind9-doc/arm/reference.html#dnssec-policy-default
> >>> https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default
> >>> says:
> >>> A verbose copy of this policy may be found in the source tree, in the
> >>> file doc/misc/dnssec-policy.default.conf
> >>> But I'm not finding that in source nor elsewhere.
> >>> There doesn't even seem to be an rndc command that can list
> >>> defined dnssec-policy sets that are in place, nor that
> >>> can list how they're configured. This information should be much more
> >>> visible/findable, so ... where is it? I'm sure it must be present
> >>> somewhere in the source, but haven't easily located it by searching.
> >>> Shouldn't be necessary to run debugging to track down where this is
> >>> and where in the source it comes from. So ... where does one find it?
> >>>
> >>> I've been looking at Debian BIND9 packages:
> >>> bind9 1:9.18.24-1
> >>> bind9-doc 1:9.18.24-1
> >>> and also ISC BIND 9.18.24 source and 9.18.27 source and documentation.
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
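
Added example (not part of the original thread and not ISC's code): shell helpers for the `named -C` approach described in the reply above, listing the built-in `dnssec-policy` names and printing one policy block from the dumped configuration. The function names, the assumed layout (each block opening on its own `dnssec-policy "name" {` line) and the embedded sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated stand-in for `named -C` output. The option values
# are illustrative only, not a statement of BIND's actual defaults.
sample_conf() {
cat <<'EOF'
options {
    answer-cookie true;
};
dnssec-policy "default" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
    dnskey-ttl 3600;
};
dnssec-policy "insecure" {
    keys { };
};
EOF
}

# list_policies: print the name of every dnssec-policy block read from stdin.
list_policies() {
    awk '$1 == "dnssec-policy" && $3 == "{" { gsub(/[";]/, "", $2); print $2 }'
}

# show_policy NAME: print one policy block from stdin. Brace depth is tracked
# so the nested keys { ... }; block does not end the match early.
show_policy() {
    awk -v want="\"$1\"" '
        !inblk && $1 == "dnssec-policy" && $2 == want { inblk = 1; depth = 0 }
        inblk {
            print
            line = $0
            depth += gsub(/[{]/, "&", line)   # count opening braces
            depth -= gsub(/[}]/, "&", line)   # count closing braces
            if (depth == 0) exit
        }
    '
}

# Against a live install (assumption: named is on PATH and supports -C):
#   named -C | show_policy default
sample_conf | list_policies
sample_conf | show_policy default
```

Diffing the `show_policy default` output before and after a BIND upgrade shows whether the built-in signing parameters changed underneath zones that rely on `dnssec-policy default`.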