From 09522c8d73650b477960cc63ec420c72006a5829 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 27 Sep 2022 11:46:23 +0200 Subject: [PATCH] Add inline-signing requirement to DNSSEC Guide This change was made in !6403, but the appropriate documentation changes were not applied to the DNSSEC Guide. --- doc/dnssec-guide/signing.rst | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 7fb8e147de..d1175cdb0a 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -66,6 +66,7 @@ To sign a zone, add the following statement to its zone "example.com" in { ... dnssec-policy default; + inline-signing yes; ... }; @@ -77,6 +78,17 @@ for most situations. We cover the creation of a custom policy in :ref:`signing_custom_policy`, but for the moment we are accepting the default values. +Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` +to be enabled. + +.. note:: + + Previously, if a zone with a :any:`dnssec-policy` did not have dynamic + DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used + inline-signing implicitly. But this caused a lot of problems when operators + switched on or off dynamic DNS for their zones. Therefor, you now have to + configure it explicitly. + When the configuration file is updated, tell :iscman:`named` to reload the configuration file by running :option:`rndc reconfig`: 
@@ -1358,9 +1370,8 @@ repeated here. A few points are worth noting, though: - The :any:`dnssec-policy` statement in the :iscman:`named` configuration file describes all aspects of the DNSSEC policy, including the signing. -- When using :any:`dnssec-policy`, there is no need to set the - :any:`auto-dnssec` and :any:`inline-signing` options for a zone. The zone's - ``policy`` statement implicitly does this. +- The :any:`dnssec-policy` statement requires to zone to use dynamic DNS, + or that :any:`inline-signing` is enabled. .. _advanced_discussions_manual_key_management_and_signing:
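Review bot: In the first hunk (the zone example at line 66), the unchanged lead-in sentence "To sign a zone, add the following statement to its" still speaks of a single statement, but the snippet now adds two (`dnssec-policy default;` and `inline-signing yes;`); suggest changing it to "add the following statements to its" so the introduction matches the example.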
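Review bot: The added note in the second hunk has two spelling errors that will ship in the published guide: "explicity" should be "explicitly" and "Therefor" should be "Therefore". The sentence "switched on or off dynamic DNS for their zones" also reads awkwardly; suggest "switched dynamic DNS on or off for their zones". Since this note documents a behaviour change between releases, it would also help readers to name the version in which implicit inline-signing was dropped, if that is known.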
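Review bot: The replacement bullet in the third hunk contains a typo, "requires to zone to use dynamic DNS", which should read "requires the zone to use dynamic DNS". The two alternatives are also phrased asymmetrically ("the zone to use ..." versus "that inline-signing is enabled"); suggest "The :any:`dnssec-policy` statement requires the zone either to use dynamic DNS or to have :any:`inline-signing` enabled." so the bullet matches the wording added to the main text in the second hunk.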