FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+.
We might deprecate 'inline-signing' too in 9.18, but only if we have
implemented the replacement code to configure it inside 'dnssec-policy'
in time.
After last year's discussion on this mailing list, I initially wanted to
make creating keys inside the HSM work with dnssec-policy. But the
OpenSSL PKCS#11 engine has no capability to do so. Now that we are
transitioning to OpenSSL 3.0 and the engine API is being replaced with
the provider API, this task has become even more challenging.
But since there is functional parity between 'dnssec-policy' and
'auto-dnssec', we decided that it is acceptable to deprecate the legacy
style of DNSSEC maintenance.
You can configure dnssec-policy to do no key rollover (and do key
maintenance/rotation in a different way) as follows:
dnssec-policy "no-auto-rotate" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};
Best regards,
Matthijs
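As an added illustration (not ISC code and not part of the announcement): a small helper that audits a named.conf for zones still using 'auto-dnssec' or 'inline-signing' and rewrites those zone stanzas to reference the "no-auto-rotate" policy quoted above, so that no automatic rollover is started and key rotation stays a manual task. It assumes the simple one-option-per-line zone layout shown in the constructed sample; the zone names are made up.

```python
import re

# Legacy zone options that dnssec-policy replaces (names from the announcement).
LEGACY_OPTIONS = ("auto-dnssec", "inline-signing")

# Policy from the announcement: unlimited lifetimes mean named never starts a
# rollover on its own, so rotation remains a manual (or HSM-side) procedure.
NO_ROTATE_POLICY = '''dnssec-policy "no-auto-rotate" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};
'''

# Constructed sample config: one zone still on legacy options, one plain zone.
SAMPLE_CONF = '''zone "example.test" {
    type primary;
    file "example.test.db";
    auto-dnssec maintain;
    inline-signing yes;
};
zone "static.test" {
    type primary;
    file "static.test.db";
};
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
LEGACY_LINE_RE = re.compile(r'^\s*(%s)\s' % "|".join(LEGACY_OPTIONS), re.M)

def find_legacy_zones(conf: str) -> dict:
    """Map each zone name to the legacy DNSSEC options its stanza still uses."""
    found = {}
    for name, body in ZONE_RE.findall(conf):
        opts = [o for o in LEGACY_OPTIONS if re.search(r'^\s*%s\s' % o, body, re.M)]
        if opts:
            found[name] = opts
    return found

def migrate_conf(conf: str, policy: str = "no-auto-rotate") -> str:
    """Prepend the no-rotation policy and point legacy zones at it; unchanged if none."""
    def rewrite(m):
        if not LEGACY_LINE_RE.search(m.group(2)):
            return m.group(0)  # zone already free of legacy options
        lines = [l for l in m.group(2).splitlines() if not LEGACY_LINE_RE.match(l)]
        lines.append('    dnssec-policy "%s";' % policy)
        header = m.string[m.start():m.start(2)]  # 'zone "name" {' part
        return header + "\n".join(lines) + "\n};"
    if not find_legacy_zones(conf):
        return conf
    return NO_ROTATE_POLICY + ZONE_RE.sub(rewrite, conf)
```

Run the result through named-checkconf before deploying it; the helper only rewrites text and does not validate the rest of the configuration.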
On 10-08-2021 10:02, Matthijs Mekking wrote:
Hi users,
We are planning to deprecate the options 'auto-dnssec' and
'inline-signing' in BIND 9.18. The reason for this is that
'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
Deprecating means that you can still use the options in 9.18, but a
warning will be logged and it is very likely that the options will be
removed in BIND 9.20.
We would like to encourage you to change your configurations to
'dnssec-policy'. See this KB article for migration help:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Do you have reasons for keeping 'inline-signing' or 'auto-dnssec'
configurations? Is there a use case that is not (yet) covered by
'dnssec-policy'? Any other concerns? Please let us know.
Best regards,
Matthijs
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users