644f0d958a
When dnssec-policy was introduced, it implicitly set inline-signing. But DNSSEC maintenance required either inline-signing to be enabled, or a dynamic zone. In other words, not in all cases you want to DNSSEC maintain your zone with inline-signing. Change the behavior and determine whether inline-signing is required: if the zone is dynamic, don't use inline-signing, otherwise implicitly set it. You can also explicitly set inline-signing to yes with dnssec-policy, the restriction that both inline-signing and dnssec-policy cannot be set at the same time is now lifted. However, 'inline-signing no;' on a non-dynamic zone with a dnssec-policy is not possible.
28 lines
706 B
Plaintext
28 lines
706 B
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
include "good-kasp.conf";
|
|
|
|
zone "nsec3.net" {
|
|
type master;
|
|
file "nsec3.db";
|
|
dnssec-policy "test";
|
|
auto-dnssec maintain;
|
|
dnskey-sig-validity 3600;
|
|
dnssec-dnskey-kskonly yes;
|
|
dnssec-secure-to-insecure yes;
|
|
dnssec-update-mode maintain;
|
|
inline-signing no;
|
|
sig-validity-interval 3600;
|
|
update-check-ksk yes;
|
|
};
|
|
|