'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level.

This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy.

The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works.

Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query).
16 lines
402 B
Plaintext
example1 IN first master
clone IN first master
example1 IN second master
example2 IN second static-stub
clone IN second in-view first
. IN second redirect
clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
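The inheritance described in the commit message above, written out as a named.conf sketch. This is an added example, not the configuration used by the project's tests; the policy name "custom", the view names, the zone names, the file paths and the address ranges are all assumptions made for illustration.

```conf
# Constructed example: every name, path and address below is hypothetical.

# A user-defined policy. Its name may not be "default" or "none".
dnssec-policy "custom" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

options {
    directory "/var/named";
    dnssec-policy "default";     # options level: the fallback for all views and zones
};

view "internal" {
    match-clients { 10.0.0.0/8; };
    # No dnssec-policy in this view, so it inherits "default" from options.

    zone "inherit.example" {
        type master;
        file "internal/inherit.example.db";
        # No dnssec-policy here: options -> view -> zone gives "default".
    };

    zone "unsigned.example" {
        type master;
        file "internal/unsigned.example.db";
        dnssec-policy "none";    # breaks the inheritance, the zone stays unsigned
    };
};

view "external" {
    match-clients { any; };
    dnssec-policy "custom";      # view level overrides the options level

    zone "inherit.example" {
        type master;
        file "external/inherit.example.db";
        # No dnssec-policy here: inherits "custom" from the view.
    };

    zone "other.example" {
        type master;
        file "external/other.example.db";
        dnssec-policy "default"; # breaks the inheritance by naming a different policy
    };
};
```

Running `named-checkconf` on the file validates the policy references, and `named-checkconf -l` lists each configured zone as name, class, view and type.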