AW: Deprecating auto-dnssec and inline-signing in 9.18+

raf bind at
Wed Aug 11 00:32:15 UTC 2021

On Tue, Aug 10, 2021 at 08:51:04AM -0500, Tim Daneliuk via bind-users <bind-users at> wrote:

> On 8/10/21 7:51 AM, Matthijs Mekking wrote:
> > Hi Klaus,
> > 
> > On 10-08-2021 13:38, Klaus Darilion wrote:
> >> Hi Matthijs!
> >>
> >>> We would like to encourage you to change your configurations to
> >>> 'dnssec-policy'. See this KB article for migration help:
> >>>
> >>>
> >>
> >> Some comments to this KB article and dnssec-policy:
> >>
> >> - The article should mention how to retrieve the DS record from
> >> Bind.
> So just to be sure I'm doing the right thing, I've added this to my
> options stanza:
>     dnssec-policy "default";
> Then restarted named and now all the signing magic is taken care of for
> me for all zones?  (I was not previously using signing.)
> TIA,

I'm very new to this myself (so be warned) but that seems
to be almost it. BUT: You also MUST convey the DS
for the default Combined Signing Key (CSK) to your
registrar. That will be a manual process that your
registrar can tell you about. For some, there's a web
interface. For others, it's via email. For others, you
have to use their DNS servers and let them do it for
you (but that's a dull option).

To get the DS record information to convey to the
registrar, after starting to use the default policy.
look for the CDS record (the child version of the DS
record) with dig:


For the default policy, you'll only have to do this
once (or until your server gets compromised and you
start again). But until you've done this, it's not
done. The trust chain has to go all the way to the
root, so you need the involvement of your registrar
(to get your DS published and signed).

Syntax question:
the double quotes are never used in the zone stanza
where the dnssec-policy is referred to. The double
quotes sometimes (but not always) appear in the
dnssec-policy definition stanza.

Are the double quotes optional in both cases?

> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at
> PGP Key:
> _______________________________________________


More information about the bind-users mailing list