Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at
Tue Aug 10 10:34:56 UTC 2021

Hi Emannuel,

Thanks for your response.

On 10-08-2021 11:28, FUSTE Emmanuel via bind-users wrote:
> Le 10/08/2021 à 10:02, Matthijs Mekking a écrit :
>> Hi users,
>> We are planning to deprecate the options 'auto-dnssec' and
>> 'inline-signing' in BIND 9.18. The reason for this is because
>> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.

> Hello,
> As today state, it looks to me very premature.
> inline-signing and auto-dnssec maintain are about transparent signature
> maintenance. > dnssec-policy today is about transparent key maintenance/rotation on top
> of the engine used by "inline-signing and auto-dnssec maintain"
> These are two distinct things for me.

Could you explain what you mean with distinct? You already mention that 
it is "on top of" and to me it is exactly that: the one is the extension 
of the other: 'dnssec-policy' achieves the same things as 'auto-dnssec' 
and 'inline-signing', but is capable of more (key maintenance and 
rollover). So I don't see them as so distinct.

> Please add an example showing a dnssec-policy configuration giving the
> same result as zone configured with inline-signing and auto-dnssec
> maintain : auto signing without automatic key maintenance/rotation. It
> should be another default build-in policy ("default-no-auto-rotate" or
> something like that).

dnssec-policy "no-auto-rotate" {
	keys {
		csk lifetime unlimited algorithm 13;

> HSM support for automatic key management, pkcs11 object name mapping,
> creation, deletion and more is completely missing from dnssec-policy.

This is a good point. Key creation/deletion inside the HSM for 
dnssec-policy is on the roadmap and must be implemented.

> There is even no LTS linux distribution with the open-sc libp11 openssl
> engine packaged to be able to use non-deprecated (non native pkcs11)
> HSM support.
> For now I'm stuck with 9.11 for "on the shelf" pkcs11 support with ISC
> bind packages.
> With 9.16 packages I'm loosing the pkcs11 support because of lack of
> proper version of open-sc libp11 openssl engine in most/all distribs.
> Based on the ISC package, I should rebuild it with deprecated native
> pkcs11 enabled or try do do a proper packaging of open-sc libp11 openssl
> engine. One or the other is on my todo stack for ages but will become
> more and more urgent as 9.11 is approaching definitive EOL.
> With 9.18, I should  have switched to libp11 engine and use deprecated
> 'auto-dnssec' and 'inline-signing'.
> As today plans, with 9.20 I should abandon HSM usage.

This is planned for Q1 2024. So there is time.

Best regards,

More information about the bind-users mailing list