AW: Deprecating auto-dnssec and inline-signing in 9.18+

Klaus Darilion klaus.darilion at
Tue Aug 10 11:38:02 UTC 2021

Hi Matthijs!

> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:

Some comments to this KB article and dnssec-policy:

- The article should mention how to retrieve the DS record from Bind.
- How does Bind handle duplicate keyids when generating new keys? Will Bind ensure that there will not be any duplicate key ideas or will it just use the duplicate keys? In the latter case the " rndc dnssec -checkds -key 12345 ..." commands will be ambiguous. (From an user perspective duplicate keyids should be avoided)


More information about the bind-users mailing list