Since the latest release, dnssec-policy requires either inline-signing
to be set to yes, or allow dynamic updates.
I am thinking of adding inline-signing to dnssec-policy, do you think
that would be useful?
Matthijs,
Yes, from my point of view, that would surely be useful. I would very
much welcome a configuration option within the
dnssec-policy-statement, to globally enable inline-signing for all
dnssec-signed zones.
Matthijs, regarding your question about "adding inline-signing to
dnssec-policy": Is this something you'll be implementing in the near
future?
tl;dr probably, for some definition of near.
I haven't made up my mind yet.
On the one hand I don't think "inline-signing" is really a *key and
signing* policy option, so it feels misplaced.
On the other hand it is kind of cumbersome to include "inline-signing
yes;" in all of your zones that use/inherit dnssec-policy.
I do believe the latter argument is a stronger one than the "it feels wrong"
argument though, so I am leaning more towards adding an
"inline-signing" option inside "dnssec-policy".
- Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list