AW: Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at isc.org
Tue Aug 10 15:07:05 UTC 2021



On 10-08-2021 15:51, Tim Daneliuk via bind-users wrote:
> On 8/10/21 7:51 AM, Matthijs Mekking wrote:
>> Hi Klaus,
>>
>> On 10-08-2021 13:38, Klaus Darilion wrote:
>>> Hi Matthijs!
>>>
>>>> We would like to encourage you to change your configurations to 'dnssec-policy'. See this KB article for migration help:
>>>>
>>>> https://kb.isc.org/docs/dnssec-key-and-signing-policy
>>>
>>> Some comments to this KB article and dnssec-policy:
>>>
>>> - The article should mention how to retrieve the DS record from
>>> Bind.
> 
> 
> So just to be sure I'm doing the right thing, I've added this to my
> options stanza:
> 
>      dnssec-policy "default";
> 
> Then restarted named and now all the signing magic is taken care of for
> me for all zones?  (I was not previously using signing.)

Correct.

But you still need to manually submit the DS record to your 
registrar/parent and if you see the DS published run:

rndc dnssec -checkds published <zone>.


> 
> TIA,
> 

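The check implied by the reply above, as an added example that is not part of the original message and not ISC code: compute the SHA-256 DS for a zone's DNSKEY and only produce the `rndc dnssec -checkds published` command when the parent's DS answer contains exactly that record. The function names, the sample key and the parent answer text (in the form `dig +short DS <zone>` prints) are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample key material (not a real zone key): 64 bytes, the size of
# an ECDSAP256SHA256 (algorithm 13) public key.
SAMPLE_ZONE = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest hex) for the key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def parse_ds(line):
    """Parse DS RDATA text 'tag alg digest-type HEX [HEX ...]' into a tuple."""
    tag, alg, dtype, *hex_parts = line.split()
    return int(tag), int(alg), int(dtype), "".join(hex_parts).upper()

def next_step(zone, local_ds, parent_answer):
    """Return the rndc command only if the parent serves exactly our DS."""
    served = [parse_ds(l) for l in parent_answer.splitlines() if l.strip()]
    if local_ds in served:
        return "rndc dnssec -checkds published " + zone
    return None

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_ZONE, 257, 3, 13, SAMPLE_KEY_B64)
    # Constructed parent answer: our DS, digest split by a space as dig may print it.
    answer = "%d %d %d %s %s" % (ds[0], ds[1], ds[2], ds[3][:56], ds[3][56:])
    print(next_step(SAMPLE_ZONE, ds, answer))
```

A `None` result means the parent does not yet serve a DS matching the local key, so the `-checkds published` step should wait.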
