Migration to inline-signing
Crist Clark
cjc+bind-users at pumpky.net
Sat May 17 04:39:24 UTC 2025
Tired of looking at the log messages warning me that inline-signing will be
the default in 9.20. I want to convert my 9.18 to using inline-signing.
Right now all of the zones use dnssec-policy and are dynamic.
I tried just simply adding the "inline-signing yes" line to a zone with
dynamic updates that has the DNSSEC records in the file, but it flat out
stopped the zone from loading at all when I issued a reconfig.
I assume I could freeze, sync, clean DNSSEC records in the file, and reload
with inline-signing. But manually cleaning the zone file isn't trivial. Not
hard, but takes some work to get right.
Is there a right way to just reconfigure named.conf to make this work
without messing with the zone file directly? Even if it maybe takes steps?
If this really takes cleaning the DNSSEC from the zone file, is there a way
to coax the existing BIND tools to do this? Took a quick look at
named-compilezone, dnssec-signzone, etc. None seem to have the capability.
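
The "clean DNSSEC records in the file" step mentioned above, as an added example (not from the post and not a BIND tool): a filter over a zone file in one-record-per-line form, such as `named-compilezone -s full` writes. The set of types to drop (including `TYPE65534`, BIND's default private type for signing state), the function names and the `.test` sample zone are assumptions; the post does not confirm that this alone is enough for the migration.

```python
import sys

# Assumption: record types a signer generates. Key-related types are kept in a
# separate set so they can be preserved with drop_keys=False.
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "TYPE65534"}
KEY_TYPES = {"DNSKEY", "CDS", "CDNSKEY"}
CLASSES = {"IN", "CH", "HS"}

def record_type(line):
    """Return the upper-cased RR type of a record line, or None if not a record."""
    fields = line.split(";", 1)[0].split()
    if not fields or fields[0].startswith("$"):
        return None  # blank line, comment, or $ORIGIN/$TTL directive
    # Layout is: owner TTL class type rdata. A line that starts with
    # whitespace has no owner field, so nothing is skipped there.
    start = 0 if line[:1].isspace() else 1
    for field in fields[start:]:
        upper = field.upper()
        if upper.isdigit() or upper in CLASSES:
            continue
        return upper  # first field that is neither TTL nor class
    return None

def strip_dnssec(lines, drop_keys=True):
    """Return (kept_lines, removed_counts_by_type)."""
    drop = SIGNER_TYPES | (KEY_TYPES if drop_keys else set())
    kept, removed = [], {}
    for line in lines:
        rtype = record_type(line)
        if rtype in drop:
            removed[rtype] = removed.get(rtype, 0) + 1
        else:
            kept.append(line)
    return kept, removed

# Constructed sample zone; key and signature data are placeholders.
SAMPLE = """\
$ORIGIN example.test.
example.test. 3600 IN SOA ns1.example.test. host.example.test. 5 3600 900 604800 300
example.test. 3600 IN RRSIG SOA 13 2 3600 20250601000000 20250501000000 1234 example.test. AAAA
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 13 AAAA
example.test. 300 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
example.test. 0 IN TYPE65534 \\# 5 0D04D20000
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20250601000000 20250501000000 1234 example.test. AAAA
ns1.example.test. 300 IN NSEC example.test. A RRSIG NSEC
""".splitlines(keepends=True)

if __name__ == "__main__":
    source = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE
    kept, removed = strip_dnssec(source)
    sys.stdout.writelines(kept)
    print(f"; removed: {removed}", file=sys.stderr)
```

Run it on a copy of the synced zone file and compare the removed counts against expectations before putting the result in place.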