Matthijs Mekking <matth...@isc.org> wrote:

> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.

Cool.

> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.

Is there a way to validate the policy against what's in a specific zone/directory? Effectively, "do your key management stuff --just-kidding --verbose"?

> - Most issues that were shared on this list have to do with migrating
> to dnssec-policy.

Agreed: and it bit me, and I am still a bit shell shocked.

> - If you feel like the DS is stuck in 'rumoured' state you might need
> to run 'rndc dnssec -checkds seen' on the key.

okay, good to know this.

. o O ( Umbrella Academy )

> - It is not recommended to switch to dnssec-policy if you are currently
> in a rollover.

> I acknowledge that migration takes some care and I wish the process was
> easier. We have some ideas to make it less error prone, but I haven't
> found the time to work on that.

Are there open issues?