Automatic DNSSEC signing workflow

Tony Finch dot at
Tue Jul 5 14:26:31 UTC 2016

Daniel A. Ramaley <daniel.ramaley at> wrote:
> From the responses i received, it seems i completely misunderstood how
> automatic signing is supposed to work. If i'm now understanding
> correctly, there are 2 mutually exclusive ways to do things:
>   1) Maintain zone files with a text editor, and sign them manually.
>   2) Maintain zones with nsupdate, and let Bind sign them.

Option 2 is best when you have an update-policy clause. There is no need
for inline-signing in this case.

There is a third option:

3) Maintain zone files with a text editor, and use inline-signing mode to
   get named to sign them.

For option 3 you don't want an update-policy clause.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Dogger: Northwesterly 4 or 5, occasionally 6 in east. Slight or moderate.
Showers. Good.

More information about the bind-users mailing list