kasp-policy and catalog zones

Matthijs Mekking matthijs at isc.org
Tue Sep 22 14:17:54 UTC 2020

Hi Christian,

There are no plans for this.

While technically a secondary can have a "dnssec-policy" statement
(acting as a bump-in-the-wire signer), signing a zone is mainly a
primary server responsibility and a policy configuration does not need
to be transferred to its secondaries.

For now I would suggest just add the zone with `rndc addzone` to the
primary or update the primary name server configuration and add the
"dnssec-policy" option.

Best regards,


On 9/18/20 7:52 PM, BÖSCH Christian wrote:
> Hi,
> Is there a plan when the option for KASP "dnssec-policy" within
> a catalog member zone will be available?
> Just like with allow-transfer.catalog.example. IN APL ….
> Thanks,
> Christian
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200922/8cf7c454/attachment.bin>

More information about the bind-users mailing list