Deprecating auto-dnssec and inline-signing in 9.18+

FUSTE Emmanuel emmanuel.fuste at
Tue Aug 10 09:28:46 UTC 2021

Le 10/08/2021 à 10:02, Matthijs Mekking a écrit :
> Hi users,
> We are planning to deprecate the options 'auto-dnssec' and 
> 'inline-signing' in BIND 9.18. The reason for this is because 
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
> Deprecating means that you can still use the options in 9.18, but a 
> warning will be logged and it is very likely that the options will be 
> removed in BIND 9.20.
> We would like to encourage you to change your configurations to 
> 'dnssec-policy'. See this KB article for migration help:
> Do you have reasons for keeping 'inline-signing' or 'auto-dnssec' 
> configurations? Is there a use case that is not (yet) covered by 
> 'dnssec-policy'? Any other concerns? Please let us know.
> Best regards,
> Matthijs

As today state, it looks to me very premature.
inline-signing and auto-dnssec maintain are about transparent signature 
dnssec-policy today is about transparent key maintenance/rotation on top 
of the engine used by "inline-signing and auto-dnssec maintain"
These are two distinct things for me.

Please add an example showing a dnssec-policy configuration giving the 
same result as zone configured with inline-signing and auto-dnssec 
maintain : auto signing without automatic key maintenance/rotation. It 
should be another default build-in policy ("default-no-auto-rotate" or 
something like that).

HSM support for automatic key management, pkcs11 object name mapping, 
creation, deletion and more is completely missing from dnssec-policy.
There is even no LTS linux distribution with the open-sc libp11 openssl 
engine packaged to be able to use non-deprecated (non native pkcs11)  
HSM support.
For now I'm stuck with 9.11 for "on the shelf" pkcs11 support with ISC 
bind packages.
With 9.16 packages I'm loosing the pkcs11 support because of lack of 
proper version of open-sc libp11 openssl engine in most/all distribs.
Based on the ISC package, I should rebuild it with deprecated native 
pkcs11 enabled or try do do a proper packaging of open-sc libp11 openssl 
engine. One or the other is on my todo stack for ages but will become 
more and more urgent as 9.11 is approaching definitive EOL.
With 9.18, I should  have switched to libp11 engine and use deprecated 
'auto-dnssec' and 'inline-signing'.
As today plans, with 9.20 I should abandon HSM usage.
Something is missing for me: in real life using HSM always rhymes with 
using deprecated mechanism after Bind 9.11.

Best regards,

More information about the bind-users mailing list