Non-disruptive migration to dnssec-policy possible?

Shumon Huque shuque at
Thu Mar 26 23:34:55 UTC 2020

On Thu, Mar 26, 2020 at 7:27 PM Håkan Lindqvist via bind-users <
bind-users at> wrote:

> On 2020-03-26 23:00, Mark Andrews wrote:
> > dnssec-policy should be independent of inline-signing.  If it isn’t then
> it is a bug.
> >
> > It just people like editing master files rather than using nsupdate to
> make changes.
> Ok, thank you for clarifying what should be expected.
> I guess that leaves the question of whether I am reading too much into
> the new behavior.
> In addition to my DNSKEY issues, I do get two new files when switching a
> zone to dnssec-policy: .signed + .signed.jnl.
> To me this seems like the result of inline signing having been enabled,
> but maybe this could happen for some other reason?

I suspect dnssec-policy is re-using a lot of the code that did inline
signing, only applying it to local unsigned zone file rather than one that
was fetched from a remote master via zone transfer (hence my last note
about a new interpretation of the term).

In fact, "rndc zonestatus" reports the same for a very simple dnssec-policy
test on a local zone I did:

$ rndc zonestatus foo.test
name: foo.test
type: master
files: zones/foo.test/zonefile
serial: 1000000251
signed serial: 1000000257
nodes: 5
last loaded: Wed, 25 Mar 2020 17:52:09 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 28 Mar 2020 20:45:44 GMT
next resign node: foo.test/NS
next resign time: Sat, 28 Mar 2020 08:40:06 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no

Shumon Huque
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list