<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Yes - I think "automated" in-line signing would be useful in "dnssec-policy"
      run zones.<br>
    </p>
    <p>We didn't need this some versions of BIND ago (I had to add it
      recently on a zone that I've been testing with - untouched from a
      year or so ago).<br>
    </p>
    <p>We don't generally edit the signed zone - just the unsigned zone
      (at least that is how this zone is modified!)<br>
    </p>
    <div class="moz-cite-prefix">On 2022/10/26 10:19, Matthijs Mekking
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:21c12a8b-60b2-f5b1-80be-c623524b01a7@isc.org">Thanks for
      this. It probably should be removed from the docs at this point.
      <br>
      <br>
      When introducing dnssec-policy, my goal was to reduce the dozens
      of DNSSEC related configuration options that are scattered
      throughout named.conf and contain them in one stanza. But some
      options are more difficult to be replaced than others.
      <br>
      <br>
      On 24-10-2022 18:16, PGNet Dev wrote:
      <br>
      <blockquote type="cite">i've read this comment
        <br>
        <br>
        <blockquote type="cite">'inline-signing' might go away and be
          replaced by dnssec-policy
          <br>
        </blockquote>
        <br>
        now a few times, in posts and in docs
        <br>
        <br>
        currently, WITH 'dnssec-policy' signing enabled &amp; in-use,
        i've
        <br>
        <br>
             zone "example.com" IN {
        <br>
                 type master; file "namedb/primary/example.com.zone";
        <br>
                 dnssec-policy "test";
        <br>
                 inline-signing yes;
        <br>
                 ...
        <br>
        <br>
        the 'inline-signing yes;' is needed IN ADDITION to
        'dnssec-policy' in order to _not_ overwrite original zone
        files/data on signing.  e.g., with the config above
        <br>
        <br>
             cd namedb/primary/
        <br>
             ls -1 *example*
        <br>
                 example.com.zone          &lt;==== THIS is the
        original, unsigned zone data
        <br>
                 example.com.zone.jbk
        <br>
                 example.com.zone.jnl
        <br>
                 example.com.zone.signed   &lt;==== THIS is the
        signing-generated zone data, which gets propagated
        <br>
                 example.com.zone.signed.jnl
        <br>
        <br>
        without it, the original "example.com.zone" is overwritten with
        signed data.
        <br>
        <br>
        is there already config in, or planned for, 'dnssec-policy' that
        preserves that separate-file functionality, preserving the
        original?
        <br>
      </blockquote>
      <br>
      There are two ways of DNSSEC maintenance in BIND. One is the
      inline-signing approach, that preserves the original zone file.
      The other is to apply the changes directly to the zone (and zone
      file) and requires the zone to allow dynamic updates.
      <br>
      <br>
      Since the latest release dnssec-policy requires either
      inline-signing to be set to yes, or allow dynamic updates.
      <br>
      <br>
      I am thinking of adding inline-signing to dnssec-policy, do you
      think that would be useful?
      <br>
      <br>
      Best regards,
      <br>
      <br>
      Matthijs
      <br>
    </blockquote>
    <div class="moz-signature">-- <br>
      <p>Mark James ELKINS  -  Posix Systems - (South) Africa<br>
        <a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a>       Tel: <a href="tel:+27826010496">+27.826010496</a><br>
        For fast, reliable, low cost Internet in ZA: <a
          href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
      </p>
    </div>
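    <p>Added example, not part of the thread and not BIND's own code: a
      small Python audit of the rule stated in the quoted reply
      (dnssec-policy needs either inline-signing yes or dynamic updates),
      run over a constructed named.conf excerpt. The function names and
      sample zones are hypothetical, and it assumes only zone-level
      options matter (no inheritance from options or view blocks).</p>

```python
import re

# Constructed named.conf excerpt; only the first zone mirrors the thread.
SAMPLE_CONF = '''
zone "example.com" IN {
    type master; file "namedb/primary/example.com.zone";
    dnssec-policy "test";
    inline-signing yes;
};
zone "dynamic.example" {
    type master; file "dynamic.example.zone";
    dnssec-policy "test"; update-policy local;
};
zone "neither.example" {
    type master; file "neither.example.zone";
    dnssec-policy "test";   # no inline-signing, no dynamic updates
    allow-update { none; };
};
zone "plain.example" { type master; file "plain.example.zone"; };
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(#|//)[^\n]*', '', text)

def zone_blocks(text):
    """Yield (name, body) per zone; brace counting keeps nested blocks whole."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while depth and i != len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(conf):
    """Map zone name to 'inline', 'dynamic', 'neither' or 'unsigned'."""
    result = {}
    for name, body in zone_blocks(strip_comments(conf)):
        policy = re.search(r'\bdnssec-policy\s+"?([^";\s]+)"?\s*;', body)
        dynamic = re.search(r'\b(allow-update\s*\{(?!\s*none\s*;\s*\})|update-policy\b)', body)
        if not policy or policy.group(1) == 'none':
            result[name] = 'unsigned'
        elif re.search(r'\binline-signing\s+(yes|true|1)\s*;', body):
            result[name] = 'inline'     # unsigned file kept, .signed written beside it
        else:                           # 'dynamic': signing applied to the zone file itself
            result[name] = 'dynamic' if dynamic else 'neither'
    return result

print(audit(SAMPLE_CONF))
```

    <p>Zones reported as 'neither' are the ones to review before an
      upgrade; zones reported as 'dynamic' have no separate unsigned
      file.</p>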
  </body>
</html>