Non-disruptive migration to dnssec-policy possible?
Shumon Huque
shuque at gmail.com
Thu Mar 26 23:34:55 UTC 2020
On Thu, Mar 26, 2020 at 7:27 PM Håkan Lindqvist via bind-users <
bind-users at lists.isc.org> wrote:
> On 2020-03-26 23:00, Mark Andrews wrote:
> > dnssec-policy should be independent of inline-signing. If it isn’t then
> it is a bug.
> >
> > It just people like editing master files rather than using nsupdate to
> make changes.
>
> Ok, thank you for clarifying what should be expected.
>
> I guess that leaves the question of whether I am reading too much into
> the new behavior.
>
> In addition to my DNSKEY issues, I do get two new files when switching a
> zone to dnssec-policy: .signed + .signed.jnl.
> To me this seems like the result of inline signing having been enabled,
> but maybe this could happen for some other reason?
>
I suspect dnssec-policy is re-using a lot of the code that did inline
signing, only applying it to local unsigned zone file rather than one that
was fetched from a remote master via zone transfer (hence my last note
about a new interpretation of the term).
In fact, "rndc zonestatus" reports the same for a very simple dnssec-policy
test on a local zone I did:
$ rndc zonestatus foo.test
name: foo.test
type: master
files: zones/foo.test/zonefile
serial: 1000000251
signed serial: 1000000257
nodes: 5
last loaded: Wed, 25 Mar 2020 17:52:09 GMT
secure: yes
inline signing: yes
^^^^^^^^^^^^^^^^^
key maintenance: automatic
next key event: Sat, 28 Mar 2020 20:45:44 GMT
next resign node: foo.test/NS
next resign time: Sat, 28 Mar 2020 08:40:06 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
Shumon Huque
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200326/94ca35db/attachment-0001.htm>
More information about the bind-users
mailing list