On 2/27/24 19:35, Michael Richardson wrote:
Matthijs Mekking <[email protected]> wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way to validate the policy against what's in a specific
zone/directory?
Effectively, "do your key management stuff --just-kidding --verbose"?
There is nothing like that today.
> - Most issues that were shared on this list have to do with migrating
> to dnssec-policy.
Agreed: and it bit me, and I am still a bit shell shocked.
> - If you feel like the DS is stuck in 'rumoured' state you might need
> to run 'rndc dnssec -checkds seen' on the key.
okay, good to know this.
. o O ( Umbrella Academy )
> - It is not recommended to switch to dnssec-policy if you are currently
> in a rollover.
> I acknowledge that migration takes some care and I wish the process was
> easier. We have some ideas to make it less error prone, but I haven't
> found the time to work on that.
Are there open issues?
So far this were only ideas and not turned into gitlab issues, but
things that I have been considering is a check to see if migration is
complete (that would prevent any other policy changes), a
named-checkconf option to see if the dnssec-policy configuration matches
the existing key-directory.
Carsten created an issue for dry-running a migration:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4606
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
