Migration to inline-signing

Matthijs Mekking matthijs at isc.org
Tue May 20 08:44:59 UTC 2025



On 17-05-2025 06:39, Crist Clark wrote:
> Tired of looking at the log messages warning me that inline-signing will 
> be the default in 9.20. I want to convert my 9.18 to using 
> inline-signing. Right now all of the zones use dnssec-policy and are 
> dynamic.
> 
> I tried just simply adding the "inlien-signing yes" line to a zone with 
> dynamic updates that has the DNSSEC records in the file, but it flat out 
> stopped the zone from loading at all when I issued a reconfig.

Can you tell me the error message? I would not expect the zone to stop 
loading, but it's hard to tell without the full configuration.

Note that when switching, signatures and NSEC records from the dynamic 
zone would be removed and moving to inline-signing requires a full 
re-sign of the zone.

- Matthijs

> I assume I could freeze, sync, clean DNSSEC records in the file, and 
> reload with inline-signing. But manually cleaning the zone file isn't 
> trivial. Not hard, but takes some work to get right.
> 
> Is there a right way to just reconfigure named.conf to make this work 
> without messing with the zone file directly? Even if it maybe takes steps?
> 
> If this really takes cleaning the DNSSEC from the zone file, is there a 
> way to coax the existing BIND tools to do this? Took a quick look at 
> named-compilezone, dnssec-signzone, etc. None seem to have the capability.
> 
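Added example, not code from this thread or from BIND: a small Python filter for the zone-file cleaning step Crist describes, dropping RRSIG, NSEC/NSEC3, NSEC3PARAM and BIND's TYPE65534 private-type records while keeping multi-line records such as SOA intact. Which types count as signer state (and whether DNSKEY/CDS/CDNSKEY go too) is an assumption of the example, as is the constructed sample zone; run it on a frozen, synced copy and keep the original file.

```python
import re
# Assumption: RRSIG, NSEC/NSEC3 chains, NSEC3PARAM and BIND's private-type
# bookkeeping RRs (TYPE65534) are signer state; DNSKEY/CDS/CDNSKEY stay unless strip_keys=True.
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "TYPE65534"}
KEY_TYPES = {"DNSKEY", "CDS", "CDNSKEY"}
SKIP_RE = re.compile(r"(\d+[smhdw]?|IN|CH|HS)$", re.I)  # optional TTL / class field

def _uncomment(line):  # drop a ';' comment, but not a ';' inside a quoted string (TXT)
    return re.sub(r'("[^"]*")|;.*', lambda m: m.group(1) or "", line)

def logical_records(text):
    """Group lines so a '(' ... ')' record spanning several lines (SOA, RRSIG) is one unit."""
    buf, depth = [], 0
    for line in text.splitlines():
        buf.append(line)
        body = _uncomment(line)
        depth += body.count("(") - body.count(")")
        if depth <= 0:
            yield buf
            buf, depth = [], 0
    if buf:  # unterminated record at end of file: pass it through
        yield buf

def record_type(raw):
    """RR type of a logical record, or None for blank lines and $ directives."""
    toks = " ".join(_uncomment(l) for l in raw).replace("(", " ").replace(")", " ").split()
    if not toks or toks[0].startswith("$"):
        return None
    if not raw[0][:1].isspace():  # no leading whitespace: an owner name is present
        toks = toks[1:]
    while toks and SKIP_RE.match(toks[0]):  # skip optional TTL and class
        toks = toks[1:]
    return toks[0].upper() if toks else None

def strip_dnssec(text, strip_keys=False):  # zone text minus signer-maintained RRs
    drop = SIGNER_TYPES | (KEY_TYPES if strip_keys else set())
    return "\n".join(l for raw in logical_records(text) if record_type(raw) not in drop for l in raw) + "\n"

# Constructed sample in the shape of a dumped dynamic zone; names and key data are fictitious.
ZONE = """$ORIGIN example.test.
$TTL 3600
@\tIN SOA ns1 hostmaster 2025052001 7200 3600 1209600 3600 ; serial, refresh, ...
\tIN NS ns1
\tIN RRSIG NS 13 2 3600 ( 20250601000000 20250518000000 12345 example.test.
\tEXAMPLESIGNATUREDATA== )
\tIN DNSKEY 257 3 13 EXAMPLEKEYDATA==
\tIN NSEC3PARAM 1 0 0 -
\tIN TYPE65534 \\# 5 0D30390001
ns1\tIN A 192.0.2.1
"""
```

Call `strip_dnssec(open("db.example").read())` on the synced file and write the result to a new file; diff it against the original before pointing named at it.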

