dnssec-policy default - where/how to determine what all its settings are?
Petr Špaček
pspacek at isc.org
Fri Jun 7 08:08:23 UTC 2024
Hello,
and thank you for reaching out. I agree this was poorly documented.
In recent versions you can use the command `named -C`, which prints out
the default configuration, including the default DNSSEC policy.
I'm going to update the documentation to reflect that:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9092/diffs
Petr Špaček
Internet Systems Consortium
On 06. 06. 24 21:01, Michael Paoli via bind-users wrote:
> Ah, thanks!
>
> Yeah, that's what I was looking to find:
> https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
> Alas, not in the ISC distribution tarballs,
> and the documentation refers to
> doc/misc/dnssec-policy.default.conf
> without indicating where to find that.
>
> On Thu, Jun 6, 2024 at 8:31 AM Andrew Latham <lathama at gmail.com> wrote:
>>
>> I took a quick look
>>
>> * https://github.com/isc-projects/bind9/blob/main/doc/misc/dnssec-policy.default.conf
>> * https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/misc/dnssec-policy.default.conf
>>
>> On Thu, Jun 6, 2024 at 8:19 AM Michael Paoli via bind-users <bind-users at lists.isc.org> wrote:
>>>
>>> dnssec-policy default - where/how to determine what all its settings are?
>>> Documentation
>>> doc/bind9-doc/arm/reference.html#dnssec-policy-default
>>> https://bind9.readthedocs.io/en/v9.18.27/reference.html#dnssec-policy-default
>>> says:
>>> A verbose copy of this policy may be found in the source tree, in the
>>> file doc/misc/dnssec-policy.default.conf
>>> But I'm not finding that in source nor elsewhere.
>>> There doesn't even seem to be an rndc command that can list
>>> defined dnssec-policy sets that are in place, nor that
>>> can list how they're configured. This information should be much more
>>> visible/findable, so ... where is it? I'm sure it must be present
>>> somewhere in the source, but haven't easily located it by searching.
>>> Shouldn't be necessary to run debugging to track down where this is
>>> and where in the source it comes from. So ... where does one find it?
>>>
>>> I've been looking at Debian BIND9 packages:
>>> bind9 1:9.18.24-1
>>> bind9-doc 1:9.18.24-1
>>> and also ISC BIND 9.18.24 source and 9.18.27 source and documentation.