Non-disruptive migration to dnssec-policy possible?
shuque at gmail.com
Thu Mar 26 23:34:55 UTC 2020
On Thu, Mar 26, 2020 at 7:27 PM Håkan Lindqvist via bind-users <bind-users at lists.isc.org> wrote:
> On 2020-03-26 23:00, Mark Andrews wrote:
> > dnssec-policy should be independent of inline-signing. If it isn’t then
> > it is a bug.
> > It's just people like editing master files rather than using nsupdate to
> > make changes.
> Ok, thank you for clarifying what should be expected.
> I guess that leaves the question of whether I am reading too much into
> the new behavior.
> In addition to my DNSKEY issues, I do get two new files when switching a
> zone to dnssec-policy: .signed + .signed.jnl.
> To me this seems like the result of inline signing having been enabled,
> but maybe this could happen for some other reason?
I suspect dnssec-policy is re-using a lot of the code that did inline
signing, only applying it to a local unsigned zone file rather than one that
was fetched from a remote master via zone transfer (hence my last note
about a new interpretation of the term).
In fact, "rndc zonestatus" reports the same for a very simple dnssec-policy
test on a local zone I did:
$ rndc zonestatus foo.test
signed serial: 1000000257
last loaded: Wed, 25 Mar 2020 17:52:09 GMT
inline signing: yes
key maintenance: automatic
next key event: Sat, 28 Mar 2020 20:45:44 GMT
next resign node: foo.test/NS
next resign time: Sat, 28 Mar 2020 08:40:06 GMT
reconfigurable via modzone: no
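As an added example that is not part of the original message or of BIND itself: a small POSIX shell script that parses the text `rndc zonestatus` prints (the fields quoted above) and reports whether a zone is inline-signed with automatic key maintenance, which is the combination the post shows for a zone switched to dnssec-policy. The first sample is copied from the output above; the second sample (`bar.test`, its serial and its `key maintenance: none` value) is a constructed, hypothetical contrast, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from BIND: helpers that
# parse the text printed by `rndc zonestatus <zone>` and tell you whether a
# zone is being signed in place with automatic key maintenance.
# Only field names that appear in the thread are used.

# Constructed sample, copied from the zonestatus output quoted in the thread.
POLICY_ZONE_STATUS='signed serial: 1000000257
last loaded: Wed, 25 Mar 2020 17:52:09 GMT
inline signing: yes
key maintenance: automatic
next key event: Sat, 28 Mar 2020 20:45:44 GMT
next resign node: foo.test/NS
next resign time: Sat, 28 Mar 2020 08:40:06 GMT
reconfigurable via modzone: no'

# Constructed, hypothetical contrast: a zone that is not inline-signed.
PLAIN_ZONE_STATUS='serial: 2020032601
last loaded: Thu, 26 Mar 2020 09:00:00 GMT
inline signing: no
key maintenance: none
reconfigurable via modzone: no'

# zonestatus_field FIELD TEXT: print the value of "FIELD: value", or nothing
# when the field is absent from TEXT.
zonestatus_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# zonestatus_is_auto_signed TEXT: succeed (exit 0) only when the zone is
# inline-signed and named maintains its keys automatically.
zonestatus_is_auto_signed() {
    [ "$(zonestatus_field 'inline signing' "$1")" = yes ] &&
    [ "$(zonestatus_field 'key maintenance' "$1")" = automatic ]
}

# zonestatus_report ZONE TEXT: one-line summary suitable for a periodic check.
zonestatus_report() {
    zone=$1; text=$2
    if zonestatus_is_auto_signed "$text"; then
        state=auto-signed
    else
        state=NOT-auto-signed
    fi
    printf '%s %s signed-serial=%s next-key-event=%s\n' \
        "$zone" "$state" \
        "$(zonestatus_field 'signed serial' "$text")" \
        "$(zonestatus_field 'next key event' "$text")"
}

# check_live_zone ZONE: the same report against a running named (needs rndc).
check_live_zone() {
    zonestatus_report "$1" "$(rndc zonestatus "$1")"
}

# Example run on the constructed samples:
zonestatus_report foo.test "$POLICY_ZONE_STATUS"
zonestatus_report bar.test "$PLAIN_ZONE_STATUS"
```

`check_live_zone` is the only function that talks to a server; everything else works on captured text, so the same helpers can be run over `rndc zonestatus` output saved before and after a zone is switched to dnssec-policy to confirm what changed.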