Full automatic DNSSEC for hosted zones/domains

Philippe Maechler pmaechler-ml at glattnet.ch
Tue Apr 7 13:46:20 UTC 2020

Hello bind users

> The answer is almost, as long as the zone has a DNSSEC policy configured:
> zone "newdomain.de" {
>   type master;
>   file "../master/newdomain.de";
>   dnssec-policy default;
> };
> The only thing not yet fully automated is submitting the DS to the
> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
> the zone.

So you're saying that, with a DNSSEC policy configured, BIND creates CDS records for me? If so, and my registrar supports those records (switch.ch), is this zone then fully automated with regard to DNSSEC?
Is the creation of CDS records a config option or on by default?

What about going from secure to insecure? Is this possible with dnssec policy or do I then have to put the relevant CDS records in the zone by hand?

Best regards
