mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00

Add inline-signing to config examples

Add 'inline-signing yes;' to configuration examples to have working
copy-paste configurations.

(cherry picked from commit 18d230a584)
This commit is contained in:
Matthijs Mekking
2022-09-27 12:04:37 +02:00
parent d1a01d88f9
commit 2abb2b638a
3 changed files with 12 additions and 1 deletions


@@ -99,9 +99,13 @@ up-to-date DNSSEC practices:
type primary; type primary;
file "dnssec.example.db"; file "dnssec.example.db";
dnssec-policy default; dnssec-policy default;
inline-signing yes;
}; };
This single line is sufficient to create the necessary signing keys, and generate The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
:any:`inline-signing` to be enabled. In the example above we use the latter.
This is sufficient to create the necessary signing keys, and generate
``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
care of any DNSSEC maintenance for this zone, including replacing signatures care of any DNSSEC maintenance for this zone, including replacing signatures
that are about to expire and managing :ref:`key_rollovers`. that are about to expire and managing :ref:`key_rollovers`.
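Review bot: The new sentence "The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or :any:`inline-signing` to be enabled" links the inline-signing alternative but leaves "dynamic DNS" as plain text; consider cross-referencing the dynamic-update configuration the same way so a reader who prefers that route can find it. The rewording from "This single line is sufficient" to "This is sufficient" is the right fix now that the example adds two statements rather than one.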
@@ -171,6 +175,7 @@ by configuring parental agents:
type primary; type primary;
file "dnssec.example.db"; file "dnssec.example.db";
dnssec-policy default; dnssec-policy default;
inline-signing yes;
parental-agents { 192.0.2.1; }; parental-agents { 192.0.2.1; };
}; };


@@ -63,6 +63,7 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
file "db/example.com.db"; file "db/example.com.db";
key-directory "keys/example.com"; key-directory "keys/example.com";
dnssec-policy default; dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
}; };
@@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its
file "db/example.com.db"; file "db/example.com.db";
key-directory "keys/example.com"; key-directory "keys/example.com";
dnssec-policy default; dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
}; };
@@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed:
type primary; type primary;
file "db/example.com.db"; file "db/example.com.db";
dnssec-policy "default"; dnssec-policy "default";
inline-signing yes;
}; };
To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
type primary; type primary;
file "db/example.com.db"; file "db/example.com.db";
dnssec-policy "insecure"; dnssec-policy "insecure";
inline-signing yes;
}; };
Then use :option:`rndc reload` to reload the zone. Then use :option:`rndc reload` to reload the zone.
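Review bot: In the "reversion to unsigned" example, `inline-signing yes;` is kept alongside `dnssec-policy "insecure";`, while the surrounding text only tells the reader to change the :any:`dnssec-policy` line. A one-sentence note that inline-signing must stay enabled during the transition would prevent readers from dropping both lines at once, which is the natural temptation when "going unsigned".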


@@ -835,6 +835,7 @@ this example, we'll add it to the :any:`zone` statement:
zone "example.net" in { zone "example.net" in {
... ...
dnssec-policy standard; dnssec-policy standard;
inline-signing yes;
... ...
}; };
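Review bot: The hunk header context reads "we'll add it to the :any:`zone` statement", referring to a single statement, but the excerpt now adds two lines. Please check that the prose introducing this example (outside the hunk) still matches, in the way the first file's text was adjusted from "This single line" to "This"; otherwise the narrative and the copy-paste block disagree.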
@@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt:
zone "example.net" in { zone "example.net" in {
... ...
dnssec-policy standard; dnssec-policy standard;
inline-signing yes;
parental-agents { "net"; }; parental-agents { "net"; };
... ...
}; };