Change default of dnssec-dnskey-kskonly to yes

The extra RRSIGs on the DNSKEY, CDS and CDNSKEY RRsets add to the payload
without adding value.
This commit is contained in:
Matthijs Mekking
2021-10-06 16:05:12 +02:00
parent bfabf5489e
commit 2abad4d969
9 changed files with 13 additions and 2 deletions


@@ -222,7 +222,7 @@ options {\n\
check-srv-cname warn;\n\
check-wildcard yes;\n\
dialup no;\n\
dnssec-dnskey-kskonly no;\n\
dnssec-dnskey-kskonly yes;\n\
dnssec-loadkeys-interval 60;\n\
dnssec-secure-to-insecure no;\n\
dnssec-update-mode maintain;\n\
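Review bot: The flipped built-in default changes the signing output of every automatically signed zone that has distinct KSK/ZSK pairs and never set this option, yet nothing in the diffstat records it for operators: the nine files are this defaults string, seven test configurations and one ARM paragraph, with no release-note or CHANGES entry visible. A default change in the built-in `options` block is exactly what operators learn from release notes, so this commit or a follow-up should record it next to the ARM wording. It is also worth stating near the new value that the option is honoured only when `update-check-ksk` is `yes` (the ARM hunk at the end of this commit says so), so zones whose keys carry no SEP-flag distinction are unaffected. The options string enclosing this line starts and ends outside the hunk.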


@@ -40,6 +40,7 @@ zone "." {
allow-query { any; };
allow-update { any; };
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
};
include "trusted.conf";
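Review bot: Every test zone touched here pins `dnssec-dnskey-kskonly no;` to keep its previous signing behaviour, so the suite keeps exercising the old path while the new default is only covered by zones that already set `yes` explicitly, and a reader of these configs cannot tell the line is a deliberate pin rather than something the test requires. A one-line comment on the first occurrence in each file, e.g. `// keep the pre-change behaviour; the built-in default is now yes`, would make that intent explicit and flag it for removal when the old behaviour is no longer worth testing. The same applies to the later hunks for `sync.example`, the `cds-*` and `cdnskey-*` zones, `publish-inactive.example`, `externalkey`, `inline` and the `internal`/`external` views. The `zone "."` block containing this line begins outside the hunk.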


@@ -253,6 +253,7 @@ zone "sync.example" {
type primary;
file "sync.example.db";
allow-update { any; };
dnssec-dnskey-kskonly no;
auto-dnssec maintain;
};


@@ -117,6 +117,7 @@ zone "cds-x.secure" {
zone "cds-update.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cds-update.secure.db.signed";
allow-update { any; };
};
@@ -130,6 +131,7 @@ zone "cds-kskonly.secure" {
zone "cds-auto.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cds-auto.secure.db.signed";
auto-dnssec maintain;
allow-update { any; };
@@ -147,6 +149,7 @@ zone "cdnskey-x.secure" {
zone "cdnskey-update.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cdnskey-update.secure.db.signed";
allow-update { any; };
};
@@ -160,6 +163,7 @@ zone "cdnskey-kskonly.secure" {
zone "cdnskey-auto.secure" {
type primary;
dnssec-dnskey-kskonly no;
file "cdnskey-auto.secure.db.signed";
auto-dnssec maintain;
allow-update { any; };


@@ -284,6 +284,7 @@ zone "publish-inactive.example" {
type primary;
file "publish-inactive.example.db";
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
update-policy local;
};


@@ -108,6 +108,7 @@ zone "externalkey" {
type primary;
inline-signing yes;
auto-dnssec maintain;
dnssec-dnskey-kskonly no;
allow-update { any; };
file "externalkey.db";
};


@@ -48,4 +48,5 @@ zone "inline" {
key-directory "external";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly no;
};


@@ -62,6 +62,7 @@ view "internal" {
key-directory "internal";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly no;
};
};
@@ -94,5 +95,6 @@ view "external" {
key-directory "external";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly no;
};
};


@@ -2218,7 +2218,7 @@ Boolean Options
the remainder of the zone, but not the DNSKEY RRset. This is similar
to the ``dnssec-signzone -x`` command-line option.
The default is ``no``. If ``update-check-ksk`` is set to ``no``, this
The default is ``yes``. If ``update-check-ksk`` is set to ``no``, this
option is ignored.
``try-tcp-refresh``