Merge branch '3677-dnssec-policy-inline-signing' into 'main'

Add inline-signing to dnssec-policy

Closes #3677

See merge request isc-projects/bind9!7204

CHANGES

@@ -1,3 +1,5 @@
+6218.	[func]		Add inline-signing to dnssec-policy. [GL #3677]
+
 6217.	[func]		The dns_badcache unit was refactored to use cds_lfht
 			instead of hand-crafted locked hashtable. [GL #4223]
 

bin/named/config.c

@@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\
 	cdnskey yes;\n\
 	cds-digest-types { 2; };\n\
 	dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
+	inline-signing yes;\n\
 	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
 	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
@@ -308,6 +309,7 @@ dnssec-policy \"default\" {\n\
 \n\
 dnssec-policy \"insecure\" {\n\
 	keys { };\n\
+	inline-signing yes;\n\
 };\n\
 \n\
 "

bin/named/include/named/zoneconf.h

@@ -44,7 +44,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
  */
 
 bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
+		    const cfg_obj_t *vconfig, const cfg_obj_t *config,
+		    dns_kasplist_t *kasplist);
 /*%<
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return true.  If the configuration data is so
@@ -53,10 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
  */
 
 bool
-named_zone_inlinesigning(const cfg_obj_t *zconfig);
+named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+			 const cfg_obj_t *config, dns_kasplist_t *kasplist);
 /*%<
  * Determine if zone uses inline-signing. This is true if inline-signing
- * is set to yes.
+ * is set to yes, in the zone clause or in the zone's dnssec-policy clause.
+ * By default, dnssec-policy uses inline-signing.
  */
 
 isc_result_t

bin/named/server.c

@@ -6715,7 +6715,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		goto cleanup;
 	}
 
-	if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
+	if (zone != NULL &&
+	    !named_zone_reusable(zone, zconfig, vconfig, config, kasplist))
+	{
 		dns_zone_detach(&zone);
 		fullsign = true;
 	}
@@ -6788,7 +6790,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 			      strcasecmp(ztypestr, "slave") == 0));
 
 	if (zone_maybe_inline) {
-		inline_signing = named_zone_inlinesigning(zconfig);
+		inline_signing = named_zone_inlinesigning(zconfig, vconfig,
+							  config, kasplist);
 	}
 	if (inline_signing) {
 		dns_zone_getraw(zone, &raw);

bin/named/zoneconf.c

@@ -1917,7 +1917,9 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
 }
 
 bool
-named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
+		    const cfg_obj_t *vconfig, const cfg_obj_t *config,
+		    dns_kasplist_t *kasplist) {
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
@@ -1951,7 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 		has_raw = false;
 	}
 
-	inline_signing = named_zone_inlinesigning(zconfig);
+	inline_signing = named_zone_inlinesigning(zconfig, vconfig, config,
+						  kasplist);
 	if (!inline_signing && has_raw) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "not reusable: old zone was inline-signing");
@@ -1988,15 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 }
 
 bool
-named_zone_inlinesigning(const cfg_obj_t *zconfig) {
+named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-	const cfg_obj_t *zoptions = NULL;
+			 const cfg_obj_t *config, dns_kasplist_t *kasplist) {
+	const cfg_obj_t *maps[4];
 	const cfg_obj_t *signing = NULL;
+	const cfg_obj_t *policy = NULL;
+	dns_kasp_t *kasp = NULL;
+	isc_result_t res;
 	bool inline_signing = false;
+	int i = 0;
 
-	zoptions = cfg_tuple_get(zconfig, "options");
+	maps[i++] = cfg_tuple_get(zconfig, "options");
-	inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
+	if (vconfig != NULL) {
-				  ISC_R_SUCCESS &&
+		maps[i++] = cfg_tuple_get(vconfig, "options");
-			  cfg_obj_asboolean(signing));
+	}
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	maps[i] = NULL;
+
+	/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
+	res = cfg_map_get(maps[0], "inline-signing", &signing);
+	if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+		return (cfg_obj_asboolean(signing));
+	}
+
+	/* If inline-signing is not set, check the value in dnssec-policy. */
+	policy = NULL;
+	res = named_config_get(maps, "dnssec-policy", &policy);
+	/* If no dnssec-policy found, then zone is not using inline-signing. */
+	if (res != ISC_R_SUCCESS ||
+	    strcmp(cfg_obj_asstring(policy), "none") == 0)
+	{
+		return (false);
+	}
+
+	/* Lookup the policy. */
+	res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp);
+	if (res != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	inline_signing = dns_kasp_inlinesigning(kasp);
+	dns_kasp_detach(&kasp);
 
 	return (inline_signing);
 }

bin/tests/system/autosign/ns2/named.conf.in

@@ -81,6 +81,7 @@ zone "example" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 	sig-signing-type 65280;
 };
@@ -99,6 +100,7 @@ zone "private.secure.example" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy private;
 };
 
@@ -108,6 +110,7 @@ zone "insecure.secure.example" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -117,6 +120,7 @@ zone "child.nsec3.example" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -126,6 +130,7 @@ zone "child.optout.example" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 
@@ -135,6 +140,7 @@ zone "optout-with-ent" {
 	allow-query { any; };
 	allow-transfer { any; };
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 

bin/tests/system/autosign/ns3/named.conf.in

@@ -141,6 +141,7 @@ zone "secure.example" {
 	type primary;
 	file "secure.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -154,6 +155,7 @@ zone "nsec3.example" {
 	type primary;
 	file "nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -161,6 +163,7 @@ zone "autonsec3.example" {
 	type primary;
 	file "autonsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -168,6 +171,7 @@ zone "optout.nsec3.example" {
 	type primary;
 	file "optout.nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 
@@ -175,6 +179,7 @@ zone "nsec3.nsec3.example" {
 	type primary;
 	file "nsec3.nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -182,6 +187,7 @@ zone "jitter.nsec3.example" {
 	type primary;
 	file "jitter.nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy jitter-nsec3;
 	sig-signing-nodes 1000;
 	sig-signing-signatures 100;
@@ -191,6 +197,7 @@ zone "secure.nsec3.example" {
 	type primary;
 	file "secure.nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -205,6 +212,7 @@ zone "secure.optout.example" {
 	type primary;
 	file "secure.optout.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 
@@ -212,6 +220,7 @@ zone "nsec3.optout.example" {
 	type primary;
 	file "nsec3.optout.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 
@@ -219,6 +228,7 @@ zone "optout.optout.example" {
 	type primary;
 	file "optout.optout.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy optout;
 };
 
@@ -226,6 +236,7 @@ zone "rsasha256.example" {
 	type primary;
 	file "rsasha256.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy rsasha256;
 };
 
@@ -233,6 +244,7 @@ zone "rsasha512.example" {
 	type primary;
 	file "rsasha512.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy rsasha512;
 };
 
@@ -240,6 +252,7 @@ zone "nsec-only.example" {
 	type primary;
 	file "nsec-only.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -247,6 +260,7 @@ zone "nsec3-to-nsec.example" {
 	type primary;
 	file "nsec3-to-nsec.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -254,6 +268,7 @@ zone "oldsigs.example" {
 	type primary;
 	file "oldsigs.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy jitter;
 	sig-signing-nodes 1000;
 	sig-signing-signatures 100;
@@ -263,6 +278,7 @@ zone "prepub.example" {
 	type primary;
 	file "prepub.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -270,6 +286,7 @@ zone "ttl1.example" {
 	type primary;
 	file "ttl1.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -277,6 +294,7 @@ zone "ttl2.example" {
 	type primary;
 	file "ttl2.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -284,6 +302,7 @@ zone "ttl3.example" {
 	type primary;
 	file "ttl3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -291,6 +310,7 @@ zone "ttl4.example" {
 	type primary;
 	file "ttl4.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -303,6 +323,7 @@ zone "nozsk.example" {
 	type primary;
 	file "nozsk.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -310,6 +331,7 @@ zone "inaczsk.example" {
 	type primary;
 	file "inaczsk.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -317,6 +339,7 @@ zone "noksk.example" {
 	type primary;
 	file "noksk.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -324,6 +347,7 @@ zone "sync.example" {
 	type primary;
 	file "sync.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy sync;
 };
 
@@ -338,6 +362,7 @@ zone "inaczsk2.example" {
 	type primary;
 	file "inaczsk2.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy autosign;
 };
 
@@ -345,6 +370,7 @@ zone "delzsk.example." {
 	type primary;
 	file "delzsk.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 
@@ -352,6 +378,7 @@ zone "dname-at-apex-nsec3.example" {
 	type primary;
 	file "dname-at-apex-nsec3.example.db";
 	allow-update { any; };
+	inline-signing no;
 	dnssec-policy nsec3;
 };
 

bin/tests/system/checkconf/bad-kasp-inline-signing.conf

@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing is a boolean value.
+ */
+dnssec-policy "inline" {
+	inline-signing never-ever;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	dnssec-policy "inline";
+};

bin/tests/system/checkconf/bad-noddns.conf

@@ -11,9 +11,13 @@
  * information regarding copyright ownership.
  */
 
+dnssec-policy "test" {
+	inline-signing no;
+};
+
 zone example {
 	type primary;
 	file "example.db";
-	dnssec-policy default;
+	dnssec-policy test;
 	allow-update { none; };
 };

bin/tests/system/checkconf/good-kasp.conf

@@ -22,6 +22,7 @@ dnssec-policy "test" {
 		"sha-256";
 	};
 	dnskey-ttl 3600;
+	inline-signing yes;
 	keys {
 		ksk key-directory lifetime P1Y algorithm ecdsa256;
 		zsk lifetime P30D algorithm 13;
@@ -44,7 +45,6 @@ options {
 zone "example1" {
 	type primary;
 	file "example1.db";
-	inline-signing yes;
 };
 zone "example2" {
 	type primary;
@@ -57,7 +57,6 @@ zone "example2" {
 zone "example3" {
 	type primary;
 	file "example3.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 zone "dnssec-policy-none-shared-zonefile1" {

bin/tests/system/checkconf/good-key-directory.conf

@@ -46,7 +46,6 @@ view "localhost" {
         type primary;
         file "localhost/example.com.zone";
         dnssec-policy "localhost";
-        inline-signing yes;
     };
 };
 
@@ -57,7 +56,6 @@ view "external" {
         type primary;
         file "external/example.com.zone";
         dnssec-policy "internet";
-        inline-signing yes;
     };
 };
 
@@ -68,6 +66,5 @@ view "internal" {
         type primary;
         file "internal/example.com.zone";
         dnssec-policy "intranet";
-        inline-signing yes;
     };
 };

bin/tests/system/checkconf/good.conf.in

@@ -104,7 +104,6 @@ view "first" {
 	zone "clone" {
 		type primary;
 		file "yyy";
-		inline-signing yes;
 		max-ixfr-ratio unlimited;
 	};
 	dnssec-validation auto;
@@ -168,12 +167,10 @@ view "third" {
 	zone "p" {
 		type primary;
 		file "pfile";
-		inline-signing yes;
 	};
 	zone "s" {
 		type secondary;
 		file "sfile";
-		inline-signing yes;
 		primaries {
 			1.2.3.4;
 		};
@@ -185,7 +182,6 @@ view "fourth" {
 		type primary;
 		checkds explicit;
 		file "dnssec-test.db";
-		inline-signing yes;
 		parental-agents {
 			1.2.3.4;
 			1.2.3.5;
@@ -196,7 +192,6 @@ view "fourth" {
 	zone "dnssec-default" {
 		type primary;
 		file "dnssec-default.db";
-		inline-signing yes;
 		parental-agents {
 			"parents";
 		};
@@ -206,7 +201,6 @@ view "fourth" {
 		type primary;
 		checkds no;
 		file "dnssec-inherit.db";
-		inline-signing yes;
 	};
 	zone "dnssec-none" {
 		type primary;
@@ -217,13 +211,11 @@ view "fourth" {
 		type primary;
 		checkds yes;
 		file "dnssec-view41.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 	zone "dnssec-view2" {
 		type primary;
 		file "dnssec-view42.db";
-		inline-signing yes;
 	};
 	zone "dnssec-view3" {
 		type primary;
@@ -243,20 +235,17 @@ view "fifth" {
 	zone "dnssec-view1" {
 		type primary;
 		file "dnssec-view51.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 	zone "dnssec-view2" {
 		type primary;
 		file "dnssec-view52.db";
-		inline-signing yes;
 		dnssec-policy "test";
 		key-directory "keys";
 	};
 	zone "dnssec-view3" {
 		type primary;
 		file "dnssec-view53.db";
-		inline-signing yes;
 		dnssec-policy "default";
 		key-directory "keys";
 	};
@@ -271,7 +260,6 @@ view "chaos" chaos {
 	zone "hostname.bind" chaos {
 		type primary;
 		database "_builtin hostname";
-		inline-signing yes;
 	};
 };
 dyndb "name" "library.so" {

bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf

@@ -57,5 +57,4 @@ zone "example.net" {
 	type primary;
 	file "example.db";
 	dnssec-policy "default";
-	inline-signing yes;
 };

bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf

@@ -34,13 +34,11 @@ dnssec-policy "bad-sigrefresh-dnskey" {
 zone "sigrefresh.example.net" {
 	type primary;
 	file "sigrefresh.example.db";
-	inline-signing yes;
 	dnssec-policy "bad-sigrefresh";
 };
 
 zone "dnskey.example.net" {
 	type primary;
 	file "dnskey.example.db";
-	inline-signing yes;
 	dnssec-policy "bad-sigrefresh-dnskey";
 };

bin/tests/system/checkconf/kasp-ignore-keylen.conf

@@ -22,6 +22,5 @@ zone "example.net" {
 	type primary;
 	file "example.db";
 	dnssec-policy "warn-length";
-	inline-signing yes;
 };
 

bin/tests/system/checkconf/kasp-warning.conf

@@ -42,21 +42,18 @@ dnssec-policy "warn3" {
 zone "warn1.example.net" {
 	type primary;
 	file "warn1.example.db";
-	inline-signing yes;
 	dnssec-policy "warn1";
 };
 
 zone "warn2.example.net" {
 	type primary;
 	file "warn2.example.db";
-	inline-signing yes;
 	dnssec-policy "warn2";
 };
 
 zone "warn3.example.net" {
 	type primary;
 	file "warn3.example.db";
-	inline-signing yes;
 	dnssec-policy "warn3";
 };
 

bin/tests/system/checkds/ns9/named.conf.in

@@ -54,7 +54,6 @@ zone "." {
 zone "good.explicit.dspublish.ns2" {
 	type primary;
 	file "good.explicit.dspublish.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents { 10.53.0.8 port @PORT@; };
 };
@@ -63,7 +62,6 @@ zone "good.explicit.dspublish.ns2" {
 zone "reference.explicit.dspublish.ns2" {
 	type primary;
 	file "reference.explicit.dspublish.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents { "ns8"; };
 };
@@ -72,7 +70,6 @@ zone "reference.explicit.dspublish.ns2" {
 zone "resolver.explicit.dspublish.ns2" {
 	type primary;
 	file "resolver.explicit.dspublish.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.3 port @PORT@;
@@ -83,7 +80,6 @@ zone "resolver.explicit.dspublish.ns2" {
 zone "good.yes.dspublish.ns2" {
 	type primary;
 	file "good.yes.dspublish.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -91,7 +87,6 @@ zone "good.yes.dspublish.ns2" {
 zone "good.no.dspublish.ns2" {
 	type primary;
 	file "good.no.dspublish.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	checkds no;
 };
@@ -100,7 +95,6 @@ zone "good.no.dspublish.ns2" {
 zone "no-ent.ns2" {
 	type primary;
 	file "no-ent.ns2.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -112,7 +106,6 @@ zone "no-ent.ns2" {
 zone "not-yet.explicit.dspublish.ns5" {
 	type primary;
 	file "not-yet.explicit.dspublish.ns5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.5 port @PORT@; // missing
@@ -122,7 +115,6 @@ zone "not-yet.explicit.dspublish.ns5" {
 zone "not-yet.yes.dspublish.ns5" {
 	type primary;
 	file "not-yet.yes.dspublish.ns5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -134,7 +126,6 @@ zone "not-yet.yes.dspublish.ns5" {
 zone "bad.explicit.dspublish.ns6" {
 	type primary;
 	file "bad.explicit.dspublish.ns6.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.6 port @PORT@; // bad
@@ -144,7 +135,6 @@ zone "bad.explicit.dspublish.ns6" {
 zone "bad.yes.dspublish.ns6" {
 	type primary;
 	file "bad.yes.dspublish.ns6.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -163,7 +153,6 @@ zone "bad.yes.dspublish.ns6" {
 zone "good.explicit.dspublish.ns2-4" {
 	type primary;
 	file "good.explicit.dspublish.ns2-4.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.8 port @PORT@;
@@ -174,14 +163,12 @@ zone "good.explicit.dspublish.ns2-4" {
 zone "good.yes.dspublish.ns2-4" {
 	type primary;
 	file "good.yes.dspublish.ns2-4.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
 zone "good.no.dspublish.ns2-4" {
 	type primary;
 	file "good.no.dspublish.ns2-4.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	checkds no;
 };
@@ -194,7 +181,6 @@ zone "good.no.dspublish.ns2-4" {
 zone "incomplete.explicit.dspublish.ns2-4-5" {
 	type primary;
 	file "incomplete.explicit.dspublish.ns2-4-5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.8 port @PORT@;
@@ -206,7 +192,6 @@ zone "incomplete.explicit.dspublish.ns2-4-5" {
 zone "incomplete.yes.dspublish.ns2-4-5" {
 	type primary;
 	file "incomplete.yes.dspublish.ns2-4-5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -218,7 +203,6 @@ zone "incomplete.yes.dspublish.ns2-4-5" {
 zone "bad.explicit.dspublish.ns2-4-6" {
 	type primary;
 	file "bad.explicit.dspublish.ns2-4-6.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.8 port @PORT@;
@@ -230,7 +214,6 @@ zone "bad.explicit.dspublish.ns2-4-6" {
 zone "bad.yes.dspublish.ns2-4-6" {
 	type primary;
 	file "bad.yes.dspublish.ns2-4-6.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -253,7 +236,6 @@ zone "bad.yes.dspublish.ns2-4-6" {
 zone "good.explicit.dsremoved.ns5" {
 	type primary;
 	file "good.explicit.dsremoved.ns5.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents { 10.53.0.10 port @PORT@; };
 };
@@ -261,7 +243,6 @@ zone "good.explicit.dsremoved.ns5" {
 zone "resolver.explicit.dsremoved.ns5" {
 	type primary;
 	file "resolver.explicit.dsremoved.ns5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
 		10.53.0.3 port @PORT@;
@@ -271,14 +252,12 @@ zone "resolver.explicit.dsremoved.ns5" {
 zone "good.yes.dsremoved.ns5" {
 	type primary;
 	file "good.yes.dsremoved.ns5.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
 zone "good.no.dsremoved.ns5" {
 	type primary;
 	file "good.no.dsremoved.ns5.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	checkds no;
 };
@@ -286,7 +265,6 @@ zone "good.no.dsremoved.ns5" {
 zone "no-ent.ns5" {
 	type primary;
 	file "no-ent.ns5.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -298,7 +276,6 @@ zone "no-ent.ns5" {
 zone "still-there.explicit.dsremoved.ns2" {
 	type primary;
 	file "still-there.explicit.dsremoved.ns2.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents {
 		10.53.0.2 port @PORT@; // still published
@@ -308,7 +285,6 @@ zone "still-there.explicit.dsremoved.ns2" {
 zone "still-there.yes.dsremoved.ns2" {
 	type primary;
 	file "still-there.yes.dsremoved.ns2.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
@@ -320,7 +296,6 @@ zone "still-there.yes.dsremoved.ns2" {
 zone "bad.explicit.dsremoved.ns6" {
 	type primary;
 	file "bad.explicit.dsremoved.ns6.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents {
 		10.53.0.6 port @PORT@; // bad
@@ -330,7 +305,6 @@ zone "bad.explicit.dsremoved.ns6" {
 zone "bad.yes.dsremoved.ns6" {
 	type primary;
 	file "bad.yes.dsremoved.ns6.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
@@ -349,7 +323,6 @@ zone "bad.yes.dsremoved.ns6" {
 zone "good.explicit.dsremoved.ns5-7" {
 	type primary;
 	file "good.explicit.dsremoved.ns5-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents {
 		10.53.0.10 port @PORT@;
@@ -360,14 +333,12 @@ zone "good.explicit.dsremoved.ns5-7" {
 zone "good.yes.dsremoved.ns5-7" {
 	type primary;
 	file "good.yes.dsremoved.ns5-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
 zone "good.no.dsremoved.ns5-7" {
 	type primary;
 	file "good.no.dsremoved.ns5-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	checkds no;
 };
@@ -380,7 +351,6 @@ zone "good.no.dsremoved.ns5-7" {
 zone "incomplete.explicit.dsremoved.ns2-5-7" {
 	type primary;
 	file "incomplete.explicit.dsremoved.ns2-5-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents {
 		10.53.0.2 port @PORT@; // still published
@@ -392,7 +362,6 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" {
 zone "incomplete.yes.dsremoved.ns2-5-7" {
 	type primary;
 	file "incomplete.yes.dsremoved.ns2-5-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
@@ -404,7 +373,6 @@ zone "incomplete.yes.dsremoved.ns2-5-7" {
 zone "bad.explicit.dsremoved.ns5-6-7" {
 	type primary;
 	file "bad.explicit.dsremoved.ns5-6-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents {
 		10.53.0.10 port @PORT@;
@@ -416,7 +384,6 @@ zone "bad.explicit.dsremoved.ns5-6-7" {
 zone "bad.yes.dsremoved.ns5-6-7" {
 	type primary;
 	file "bad.yes.dsremoved.ns5-6-7.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 

bin/tests/system/kasp/ns2/named.conf.in

@@ -49,7 +49,6 @@ zone "signed.tld" {
 	type primary;
 	file "signed.tld.db";
 	dnssec-policy "default";
-	inline-signing yes;
 };
 
 /* Primary service for ns3 */

bin/tests/system/kasp/ns3/ed25519.conf

@@ -24,6 +24,5 @@ dnssec-policy "ed25519" {
 zone "ed25519.kasp" {
         type primary;
         file "ed25519.kasp.db";
-	inline-signing yes;
         dnssec-policy "ed25519";
 };

bin/tests/system/kasp/ns3/ed448.conf

@@ -24,6 +24,5 @@ dnssec-policy "ed448" {
 zone "ed448.kasp" {
         type primary;
         file "ed448.kasp.db";
-	inline-signing yes;
         dnssec-policy "ed448";
 };

bin/tests/system/kasp/ns3/named-fips.conf.in

@@ -45,7 +45,6 @@ controls {
 zone "default.kasp" {
 	type primary;
 	file "default.kasp.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -53,7 +52,6 @@ zone "default.kasp" {
 zone "checkds-ksk.kasp" {
 	type primary;
 	file "checkds-ksk.kasp.db";
-	inline-signing yes;
 	dnssec-policy "checkds-ksk";
 };
 
@@ -61,7 +59,6 @@ zone "checkds-ksk.kasp" {
 zone "checkds-doubleksk.kasp" {
 	type primary;
 	file "checkds-doubleksk.kasp.db";
-	inline-signing yes;
 	dnssec-policy "checkds-doubleksk";
 };
 
@@ -69,7 +66,6 @@ zone "checkds-doubleksk.kasp" {
 zone "checkds-csk.kasp" {
 	type primary;
 	file "checkds-csk.kasp.db";
-	inline-signing yes;
 	dnssec-policy "checkds-csk";
 };
 
@@ -77,7 +73,6 @@ zone "checkds-csk.kasp" {
 zone "unlimited.kasp" {
 	type primary;
 	file "unlimited.kasp.db";
-	inline-signing yes;
 	dnssec-policy "unlimited";
 };
 
@@ -85,14 +80,12 @@ zone "unlimited.kasp" {
 zone "manual-rollover.kasp" {
 	type primary;
 	file "manual-rollover.kasp.db";
-	inline-signing yes;
 	dnssec-policy "manual-rollover";
 };
 
 /* A zone that inherits dnssec-policy. */
 zone "inherit.kasp" {
 	type primary;
-	inline-signing yes;
 	file "inherit.kasp.db";
 };
 
@@ -100,7 +93,6 @@ zone "inherit.kasp" {
 zone "unsigned.kasp" {
 	type primary;
 	file "unsigned.kasp.db";
-	inline-signing yes;
 	dnssec-policy "none";
 };
 
@@ -108,7 +100,6 @@ zone "unsigned.kasp" {
 zone "insecure.kasp" {
 	type primary;
 	file "insecure.kasp.db";
-	inline-signing yes;
 	dnssec-policy "insecure";
 };
 
@@ -116,7 +107,6 @@ zone "insecure.kasp" {
 zone "dnssec-keygen.kasp" {
 	type primary;
 	file "dnssec-keygen.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
@@ -125,7 +115,6 @@ zone "secondary.kasp" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	file "secondary.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
@@ -133,7 +122,7 @@ zone "secondary.kasp" {
 zone "dynamic.kasp" {
 	type primary;
 	file "dynamic.kasp.db";
-	dnssec-policy "default";
+	dnssec-policy "default-dynamic";
 	allow-update { any; };
 };
 
@@ -143,7 +132,6 @@ zone "dynamic-inline-signing.kasp" {
 	file "dynamic-inline-signing.kasp.db";
 	dnssec-policy "default";
 	allow-update { any; };
-	inline-signing yes;
 };
 
 /* An inline-signed zone with dnssec-policy. */
@@ -151,7 +139,6 @@ zone "inline-signing.kasp" {
 	type primary;
 	file "inline-signing.kasp.db";
 	dnssec-policy "default";
-	inline-signing yes;
 };
 
 /*
@@ -160,7 +147,6 @@ zone "inline-signing.kasp" {
 zone "some-keys.kasp" {
 	type primary;
 	file "some-keys.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
@@ -170,7 +156,6 @@ zone "some-keys.kasp" {
 zone "legacy-keys.kasp" {
 	type primary;
 	file "legacy-keys.kasp.db";
-	inline-signing yes;
 	dnssec-policy "migrate-to-dnssec-policy";
 };
 
@@ -180,7 +165,6 @@ zone "legacy-keys.kasp" {
 zone "pregenerated.kasp" {
 	type primary;
 	file "pregenerated.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
@@ -191,7 +175,6 @@ zone "pregenerated.kasp" {
 zone "rumoured.kasp" {
 	type primary;
 	file "rumoured.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
@@ -209,25 +192,21 @@ zone "multisigner-model2.kasp" {
 zone "rsasha256.kasp" {
 	type primary;
 	file "rsasha256.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 zone "rsasha512.kasp" {
 	type primary;
 	file "rsasha512.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha512";
 };
 zone "ecdsa256.kasp" {
 	type primary;
 	file "ecdsa256.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 zone "ecdsa384.kasp" {
 	type primary;
 	file "ecdsa384.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa384";
 };
 
@@ -237,7 +216,6 @@ zone "ecdsa384.kasp" {
 zone "max-zone-ttl.kasp" {
 	type primary;
 	file "max-zone-ttl.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ttl";
 };
 
@@ -262,7 +240,6 @@ zone "three-is-a-crowd.kasp" {
 zone "expired-sigs.autosign" {
 	type primary;
 	file "expired-sigs.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -272,7 +249,6 @@ zone "expired-sigs.autosign" {
 zone "fresh-sigs.autosign" {
 	type primary;
 	file "fresh-sigs.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -282,7 +258,6 @@ zone "fresh-sigs.autosign" {
 zone "unfresh-sigs.autosign" {
 	type primary;
 	file "unfresh-sigs.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -292,7 +267,6 @@ zone "unfresh-sigs.autosign" {
 zone "ksk-missing.autosign" {
 	type primary;
 	file "ksk-missing.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -302,7 +276,6 @@ zone "ksk-missing.autosign" {
 zone "zsk-missing.autosign" {
 	type primary;
 	file "zsk-missing.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -312,7 +285,6 @@ zone "zsk-missing.autosign" {
 zone "zsk-retired.autosign" {
 	type primary;
 	file "zsk-retired.autosign.db";
-	inline-signing yes;
 	dnssec-policy "autosign";
 };
 
@@ -322,25 +294,21 @@ zone "zsk-retired.autosign" {
 zone "step1.enable-dnssec.autosign" {
 	type primary;
 	file "step1.enable-dnssec.autosign.db";
-	inline-signing yes;
 	dnssec-policy "enable-dnssec";
 };
 zone "step2.enable-dnssec.autosign" {
 	type primary;
 	file "step2.enable-dnssec.autosign.db";
-	inline-signing yes;
 	dnssec-policy "enable-dnssec";
 };
 zone "step3.enable-dnssec.autosign" {
 	type primary;
 	file "step3.enable-dnssec.autosign.db";
-	inline-signing yes;
 	dnssec-policy "enable-dnssec";
 };
 zone "step4.enable-dnssec.autosign" {
 	type primary;
 	file "step4.enable-dnssec.autosign.db";
-	inline-signing yes;
 	dnssec-policy "enable-dnssec";
 };
 
@@ -350,37 +318,31 @@ zone "step4.enable-dnssec.autosign" {
 zone "step1.zsk-prepub.autosign" {
 	type primary;
 	file "step1.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 zone "step2.zsk-prepub.autosign" {
 	type primary;
 	file "step2.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 zone "step3.zsk-prepub.autosign" {
 	type primary;
 	file "step3.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 zone "step4.zsk-prepub.autosign" {
 	type primary;
 	file "step4.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 zone "step5.zsk-prepub.autosign" {
 	type primary;
 	file "step5.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 zone "step6.zsk-prepub.autosign" {
 	type primary;
 	file "step6.zsk-prepub.autosign.db";
-	inline-signing yes;
 	dnssec-policy "zsk-prepub";
 };
 
@@ -390,37 +352,31 @@ zone "step6.zsk-prepub.autosign" {
 zone "step1.ksk-doubleksk.autosign" {
 	type primary;
 	file "step1.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 zone "step2.ksk-doubleksk.autosign" {
 	type primary;
 	file "step2.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 zone "step3.ksk-doubleksk.autosign" {
 	type primary;
 	file "step3.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 zone "step4.ksk-doubleksk.autosign" {
 	type primary;
 	file "step4.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 zone "step5.ksk-doubleksk.autosign" {
 	type primary;
 	file "step5.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 zone "step6.ksk-doubleksk.autosign" {
 	type primary;
 	file "step6.ksk-doubleksk.autosign.db";
-	inline-signing yes;
 	dnssec-policy "ksk-doubleksk";
 };
 
@@ -430,91 +386,76 @@ zone "step6.ksk-doubleksk.autosign" {
 zone "step1.csk-roll.autosign" {
 	type primary;
 	file "step1.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step2.csk-roll.autosign" {
 	type primary;
 	file "step2.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step3.csk-roll.autosign" {
 	type primary;
 	file "step3.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step4.csk-roll.autosign" {
 	type primary;
 	file "step4.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step5.csk-roll.autosign" {
 	type primary;
 	file "step5.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step6.csk-roll.autosign" {
 	type primary;
 	file "step6.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step7.csk-roll.autosign" {
 	type primary;
 	file "step7.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 zone "step8.csk-roll.autosign" {
 	type primary;
 	file "step8.csk-roll.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll";
 };
 
 zone "step1.csk-roll2.autosign" {
 	type primary;
 	file "step1.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step2.csk-roll2.autosign" {
 	type primary;
 	file "step2.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step3.csk-roll2.autosign" {
 	type primary;
 	file "step3.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step4.csk-roll2.autosign" {
 	type primary;
 	file "step4.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step5.csk-roll2.autosign" {
 	type primary;
 	file "step5.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step6.csk-roll2.autosign" {
 	type primary;
 	file "step6.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };
 zone "step7.csk-roll2.autosign" {
 	type primary;
 	file "step7.csk-roll2.autosign.db";
-	inline-signing yes;
 	dnssec-policy "csk-roll2";
 };

bin/tests/system/kasp/ns3/named.conf.in

@@ -18,13 +18,11 @@ include "named-fips.conf";
 zone "rsasha1.kasp" {
 	type primary;
 	file "rsasha1.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha1";
 };
 
 zone "rsasha1-nsec3.kasp" {
 	type primary;
 	file "rsasha1-nsec3.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha1-nsec3";
 };

bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in

@@ -19,6 +19,10 @@ dnssec-policy "unlimited" {
 	};
 };
 
+dnssec-policy "default-dynamic" {
+	inline-signing no;
+};
+
 dnssec-policy "manual-rollover" {
 	dnskey-ttl 3600;
 
@@ -30,6 +34,7 @@ dnssec-policy "manual-rollover" {
 
 dnssec-policy "multisigner-model2" {
 	dnskey-ttl 3600;
+	inline-signing no;
 
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;

bin/tests/system/kasp/ns4/named.conf.in

@@ -76,14 +76,12 @@ view "inherit" {
 	zone "inherit.inherit.signed" {
 		type primary;
 		file "inherit.inherit.signed.db";
-		inline-signing yes;
 	};
 
 	/* Override dnssec-policy */
 	zone "override.inherit.signed" {
 		type primary;
 		file "override.inherit.signed.db";
-		inline-signing yes;
 		dnssec-policy "default";
 	};
 
@@ -103,14 +101,12 @@ view "override" {
 	zone "inherit.override.signed" {
 		type primary;
 		file "inherit.override.signed.db";
-		inline-signing yes;
 	};
 
 	/* Override dnssec-policy */
 	zone "override.override.signed" {
 		type primary;
 		file "override.override.signed.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 
@@ -136,7 +132,6 @@ view "none" {
 	zone "override.none.signed" {
 		type primary;
 		file "override.none.signed.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 
@@ -155,6 +150,7 @@ view "example1" {
 
 	zone "example.net" {
 		type primary;
+		inline-signing no;
 		file "example1.db";
 	};
 };
@@ -165,7 +161,6 @@ view "example2" {
 	zone "example.net" {
 		type primary;
 		file "example2.db";
-		inline-signing yes;
 	};
 };
 

bin/tests/system/kasp/ns5/named.conf.in

@@ -67,7 +67,6 @@ view "inherit" {
 	zone "override.inherit.unsigned" {
 		type primary;
 		file "override.inherit.unsigned.db";
-		inline-signing yes;
 		dnssec-policy "default";
 	};
 
@@ -87,14 +86,12 @@ view "override" {
 	zone "inherit.override.unsigned" {
 		type primary;
 		file "inherit.override.unsigned.db";
-		inline-signing yes;
 	};
 
 	/* Override dnssec-policy */
 	zone "override.override.unsigned" {
 		type primary;
 		file "override.override.unsigned.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 
@@ -120,7 +117,6 @@ view "none" {
 	zone "override.none.unsigned" {
 		type primary;
 		file "override.none.unsigned.db";
-		inline-signing yes;
 		dnssec-policy "test";
 	};
 

bin/tests/system/kasp/ns6/named.conf.in

@@ -51,7 +51,6 @@ zone "dynamic2inline.kasp" {
 zone "step1.going-insecure.kasp" {
 	type primary;
 	file "step1.going-insecure.kasp.db";
-	inline-signing yes;
 	dnssec-policy "unsigning";
 };
 
@@ -59,19 +58,20 @@ zone "step1.going-insecure-dynamic.kasp" {
 	type primary;
 	file "step1.going-insecure-dynamic.kasp.db";
 	dnssec-policy "unsigning";
+	inline-signing no;
 	allow-update { any; };
 };
 
 zone "step1.going-straight-to-none.kasp" {
 	type primary;
 	file "step1.going-straight-to-none.kasp.db";
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
 zone "step1.going-straight-to-none-dynamic.kasp" {
 	type primary;
 	file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+	inline-signing no;
 	dnssec-policy "default";
 	allow-update { any; };
 };
@@ -80,14 +80,12 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
 zone "step1.algorithm-roll.kasp" {
 	type primary;
 	file "step1.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha256";
 };
 
 zone "step1.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step1.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
@@ -100,6 +98,5 @@ dnssec-policy "modified" {
 zone example {
 	type primary;
 	file "example.db";
-	inline-signing yes;
 	dnssec-policy modified;
 };

bin/tests/system/kasp/ns6/named2.conf.in

@@ -43,7 +43,6 @@ zone "dynamic2inline.kasp" {
 	type primary;
 	file "dynamic2inline.kasp.db";
 	allow-update { any; };
-	inline-signing yes;
 	dnssec-policy "default";
 };
 
@@ -51,20 +50,19 @@ zone "dynamic2inline.kasp" {
 zone "step1.going-insecure.kasp" {
         type primary;
         file "step1.going-insecure.kasp.db";
-	inline-signing yes;
         dnssec-policy "insecure";
 };
 
 zone "step2.going-insecure.kasp" {
         type primary;
         file "step2.going-insecure.kasp.db";
-	inline-signing yes;
         dnssec-policy "insecure";
 };
 
 zone "step1.going-insecure-dynamic.kasp" {
         type primary;
         file "step1.going-insecure-dynamic.kasp.db";
+	inline-signing no;
         dnssec-policy "insecure";
 	allow-update { any; };
 };
@@ -72,6 +70,7 @@ zone "step1.going-insecure-dynamic.kasp" {
 zone "step2.going-insecure-dynamic.kasp" {
         type primary;
         file "step2.going-insecure-dynamic.kasp.db";
+	inline-signing no;
         dnssec-policy "insecure";
 	allow-update { any; };
 };
@@ -85,6 +84,7 @@ zone "step1.going-straight-to-none.kasp" {
 zone "step1.going-straight-to-none-dynamic.kasp" {
         type primary;
         file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+        inline-signing no;
         dnssec-policy "none";
         allow-update { any; };
 };
@@ -95,42 +95,36 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
 zone "step1.algorithm-roll.kasp" {
 	type primary;
 	file "step1.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
 zone "step2.algorithm-roll.kasp" {
 	type primary;
 	file "step2.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
 zone "step3.algorithm-roll.kasp" {
 	type primary;
 	file "step3.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
 zone "step4.algorithm-roll.kasp" {
 	type primary;
 	file "step4.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
 zone "step5.algorithm-roll.kasp" {
 	type primary;
 	file "step5.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
 zone "step6.algorithm-roll.kasp" {
 	type primary;
 	file "step6.algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "ecdsa256";
 };
 
@@ -140,42 +134,36 @@ zone "step6.algorithm-roll.kasp" {
 zone "step1.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step1.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
 zone "step2.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step2.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
 zone "step3.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step3.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
 zone "step4.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step4.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
 zone "step5.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step5.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
 zone "step6.csk-algorithm-roll.kasp" {
 	type primary;
 	file "step6.csk-algorithm-roll.kasp.db";
-	inline-signing yes;
 	dnssec-policy "csk-algoroll";
 };
 
@@ -188,6 +176,5 @@ dnssec-policy "modified" {
 zone example {
 	type primary;
 	file "example.db";
-	inline-signing yes;
 	dnssec-policy modified;
 };

bin/tests/system/nsec3/ns2/named.conf.in

@@ -42,6 +42,5 @@ controls {
 zone "nsec3-xfr-inline.kasp" {
 	type primary;
 	file "nsec3-xfr-inline.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };

bin/tests/system/nsec3/ns3/named-fips.conf.in

@@ -56,7 +56,6 @@ controls {
 zone "nsec-to-nsec3.kasp" {
 	type primary;
 	file "nsec-to-nsec3.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec";
 };
 
@@ -64,7 +63,6 @@ zone "nsec-to-nsec3.kasp" {
 zone "nsec3.kasp" {
 	type primary;
 	file "nsec3.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
@@ -79,7 +77,6 @@ zone "nsec3-dynamic.kasp" {
 zone "nsec3-other.kasp" {
 	type primary;
 	file "nsec3-other.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3-other";
 };
 
@@ -87,13 +84,13 @@ zone "nsec3-other.kasp" {
 zone "nsec3-change.kasp" {
 	type primary;
 	file "nsec3-change.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
 zone "nsec3-dynamic-change.kasp" {
 	type primary;
 	file "nsec3-dynamic-change.kasp.db";
+	inline-signing no;
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
@@ -102,7 +99,6 @@ zone "nsec3-dynamic-change.kasp" {
 zone "nsec3-to-optout.kasp" {
 	type primary;
 	file "nsec3-to-optout.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
@@ -110,7 +106,6 @@ zone "nsec3-to-optout.kasp" {
 zone "nsec3-from-optout.kasp" {
 	type primary;
 	file "nsec3-from-optout.kasp.db";
-	inline-signing yes;
 	dnssec-policy "optout";
 };
 
@@ -118,7 +113,6 @@ zone "nsec3-from-optout.kasp" {
 zone "nsec3-to-nsec.kasp" {
 	type primary;
 	file "nsec3-to-nsec.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
@@ -132,16 +126,16 @@ zone "nsec3-fails-to-load.kasp" {
 
 /* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
-       type primary;
+	type primary;
-       file "nsec3-dynamic-to-inline.kasp.db";
+	file "nsec3-dynamic-to-inline.kasp.db";
-       dnssec-policy "nsec3";
+	inline-signing no;
-       allow-update { any; };
+	dnssec-policy "nsec3";
+	allow-update { any; };
 };
 
 zone "nsec3-inline-to-dynamic.kasp" {
        type primary;
        file "nsec3-inline-to-dynamic.kasp.db";
-       inline-signing yes;
        dnssec-policy "nsec3";
 };
 
@@ -149,7 +143,6 @@ zone "nsec3-inline-to-dynamic.kasp" {
 zone "nsec3-dynamic-update-inline.kasp" {
        type primary;
        file "nsec3-dynamic-update-inline.kasp.db";
-       inline-signing yes;
        allow-update { any; };
        dnssec-policy "nsec";
 };
@@ -157,7 +150,6 @@ zone "nsec3-dynamic-update-inline.kasp" {
 zone "nsec3-xfr-inline.kasp" {
        type secondary;
        file "nsec3-xfr-inline.kasp.db";
-       inline-signing yes;
        dnssec-policy "nsec";
        primaries { 10.53.0.2; };
 };

bin/tests/system/nsec3/ns3/named.conf.in

@@ -29,7 +29,6 @@ dnssec-policy "rsasha1" {
 zone "rsasha1-to-nsec3.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha1";
 };
 
@@ -41,7 +40,6 @@ zone "rsasha1-to-nsec3.kasp" {
 zone "rsasha1-to-nsec3-wait.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3-wait.kasp.db";
-	inline-signing yes;
 	dnssec-policy "rsasha1";
 };
 
@@ -53,7 +51,6 @@ zone "rsasha1-to-nsec3-wait.kasp" {
 zone "nsec3-to-rsasha1.kasp" {
 	type primary;
 	file "nsec3-to-rsasha1.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
@@ -66,6 +63,5 @@ zone "nsec3-to-rsasha1.kasp" {
 zone "nsec3-to-rsasha1-ds.kasp" {
 	type primary;
 	file "nsec3-to-rsasha1-ds.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };

bin/tests/system/nsec3/ns3/named2-fips.conf.in

@@ -56,7 +56,6 @@ controls {
 zone "nsec-to-nsec3.kasp" {
 	type primary;
 	file "nsec-to-nsec3.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec";
 	dnssec-policy "nsec3";
 };
@@ -65,7 +64,6 @@ zone "nsec-to-nsec3.kasp" {
 zone "nsec3.kasp" {
 	type primary;
 	file "nsec3.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 };
 
@@ -80,7 +78,6 @@ zone "nsec3-dynamic.kasp" {
 zone "nsec3-other.kasp" {
 	type primary;
 	file "nsec3-other.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3-other";
 };
 
@@ -88,7 +85,6 @@ zone "nsec3-other.kasp" {
 zone "nsec3-change.kasp" {
 	type primary;
 	file "nsec3-change.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "nsec3-other";
 };
@@ -97,6 +93,7 @@ zone "nsec3-dynamic-change.kasp" {
 	type primary;
 	file "nsec3-dynamic-change.kasp.db";
 	//dnssec-policy "nsec3";
+	inline-signing no;
 	dnssec-policy "nsec3-other";
 	allow-update { any; };
 };
@@ -105,7 +102,6 @@ zone "nsec3-dynamic-change.kasp" {
 zone "nsec3-to-optout.kasp" {
 	type primary;
 	file "nsec3-to-optout.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "optout";
 };
@@ -114,7 +110,6 @@ zone "nsec3-to-optout.kasp" {
 zone "nsec3-from-optout.kasp" {
 	type primary;
 	file "nsec3-from-optout.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "optout";
 	dnssec-policy "nsec3";
 };
@@ -123,7 +118,6 @@ zone "nsec3-from-optout.kasp" {
 zone "nsec3-to-nsec.kasp" {
 	type primary;
 	file "nsec3-to-nsec.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "nsec";
 };
@@ -140,7 +134,6 @@ zone "nsec3-fails-to-load.kasp" {
 zone "nsec3-dynamic-to-inline.kasp" {
        type primary;
        file "nsec3-dynamic-to-inline.kasp.db";
-       inline-signing yes;
        dnssec-policy "nsec3";
        allow-update { any; };
 };

bin/tests/system/nsec3/ns3/named2.conf.in

@@ -29,7 +29,6 @@ dnssec-policy "rsasha1" {
 zone "rsasha1-to-nsec3.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "rsasha1";
 	dnssec-policy "nsec3";
 };
@@ -42,7 +41,6 @@ zone "rsasha1-to-nsec3.kasp" {
 zone "rsasha1-to-nsec3-wait.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3-wait.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "rsasha1";
 	dnssec-policy "nsec3";
 };
@@ -55,7 +53,6 @@ zone "rsasha1-to-nsec3-wait.kasp" {
 zone "nsec3-to-rsasha1.kasp" {
 	type primary;
 	file "nsec3-to-rsasha1.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "rsasha1";
 };
@@ -69,7 +66,6 @@ zone "nsec3-to-rsasha1.kasp" {
 zone "nsec3-to-rsasha1-ds.kasp" {
 	type primary;
 	file "nsec3-to-rsasha1-ds.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "rsasha1";
 };

bin/tests/system/nsupdate/ns3/named.conf.in

@@ -35,6 +35,10 @@ controls {
 	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+dnssec-policy "default-dynamic" {
+	inline-signing no;
+};
+
 zone "example" {
 	type primary;
 	allow-update { any; };
@@ -84,6 +88,6 @@ zone "too-big.test" {
 zone "multisigner.test" {
 	type primary;
 	allow-update { any; };
-	dnssec-policy "default";
+	dnssec-policy "default-dynamic";
 	file "multisigner.test.db";
 };

bin/tests/system/statschannel/ns2/named.conf.in

@@ -38,6 +38,7 @@ controls {
 };
 
 dnssec-policy "dnssec" {
+	inline-signing no;
 	keys {
 		ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 		zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
@@ -45,6 +46,7 @@ dnssec-policy "dnssec" {
 };
 
 dnssec-policy "manykeys" {
+	inline-signing no;
 	keys {
 		ksk lifetime unlimited algorithm 8;
 		zsk lifetime unlimited algorithm 8;

bin/tests/system/statschannel/ns2/named2.conf.in

@@ -45,6 +45,7 @@ dnssec-policy "dnssec" {
 };
 
 dnssec-policy "manykeys" {
+	inline-signing no;
 	keys {
 		ksk lifetime unlimited algorithm 8;
 		zsk lifetime unlimited algorithm 8;

bin/tests/system/zonechecks/ns1/named.conf.in

@@ -36,6 +36,7 @@ controls {
 };
 
 dnssec-policy "zonechecks" {
+	inline-signing no;
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;

doc/arm/dnssec.inc.rst

@@ -98,11 +98,11 @@ up-to-date DNSSEC practices:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
-        inline-signing yes;
     };
 
 The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
-:any:`inline-signing` to be enabled. In the example above we use the latter.
+:any:`inline-signing` to be enabled. In the example above we use the latter,
+because the ``default`` policy uses :any:`inline-signing`.
 
 This is sufficient to create the necessary signing keys, and generate
 ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
@@ -174,7 +174,6 @@ by configuring parental agents:
         type primary;
         file "dnssec.example.db";
         dnssec-policy default;
-        inline-signing yes;
         parental-agents { 192.0.2.1; };
         checkds explicit;
     };

doc/arm/reference.rst

@@ -6086,7 +6086,7 @@ zone is maintained separately and is written out to a different file on disk
 
 If the zone is dynamic because it is configured with an :any:`update-policy` or
 :any:`allow-update`, the DNSSEC records are written to the filename set in the
-original zone's :any:`file`, unless :any:`inline-signing` is explicitly set.
+original zone's :any:`file`, unless :any:`inline-signing` is enabled.
 
 Key rollover timing is computed for each key according to the key
 lifetime defined in the KASP.  The lifetime may be modified by zone TTLs

doc/dnssec-guide/recipes.rst

@@ -63,7 +63,6 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
-       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -143,7 +142,6 @@ signed data via zone transfer to the other three DNS secondaries. Its
        file "db/example.com.db";
        key-directory "keys/example.com";
        dnssec-policy default;
-       inline-signing yes;
        allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
    };
 
@@ -997,7 +995,6 @@ Here is what :iscman:`named.conf` looks like when it is signed:
        type primary;
        file "db/example.com.db";
        dnssec-policy "default";
-       inline-signing yes;
    };
 
 To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@@ -1009,7 +1006,6 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
        type primary;
        file "db/example.com.db";
        dnssec-policy "insecure";
-       inline-signing yes;
    };
 
 Then use :option:`rndc reload` to reload the zone.

doc/dnssec-guide/signing.rst

@@ -66,7 +66,6 @@ To sign a zone, add the following statement to its
    zone "example.com" in {
        ...
        dnssec-policy default;
-       inline-signing yes;
        ...
    };
 
@@ -81,14 +80,6 @@ default values.
 Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing`
 to be enabled.
 
-.. note::
-
-   Previously, if a zone with a :any:`dnssec-policy` did not have dynamic
-   DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used
-   inline-signing implicitly. But this caused a lot of problems when operators
-   switched on or off dynamic DNS for their zones. Therefor, you now have to
-   configure it explicitly.
-
 When the configuration file is updated, tell :iscman:`named` to
 reload the configuration file by running :option:`rndc reconfig`:
 
@@ -832,7 +823,6 @@ this example, we'll add it to the :any:`zone` statement:
    zone "example.net" in {
        ...
        dnssec-policy standard;
-       inline-signing yes;
        ...
    };
 
@@ -914,7 +904,6 @@ presence. Let's look at the following configuration excerpt:
    zone "example.net" in {
        ...
        dnssec-policy standard;
-       inline-signing yes;
        parental-agents { "net"; };
        checkds explicit;
        ...

doc/misc/dnssec-policy.default.conf

@@ -31,6 +31,7 @@ dnssec-policy "default" {
 	signatures-validity-dnskey 14d;
 
 	// Zone parameters
+	inline-signing yes;
 	max-zone-ttl 86400;
 	zone-propagation-delay 300;
 

doc/misc/options

@@ -14,6 +14,7 @@ dnssec-policy <string> {
 	cdnskey <boolean>;
 	cds-digest-types { <string>; ... };
 	dnskey-ttl <duration>;
+	inline-signing <boolean>;
 	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
 	max-zone-ttl <duration>;
 	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];

doc/notes/notes-current.rst

@@ -40,6 +40,12 @@ Feature Changes
   DNS SERVER COOKIES.  Previously these were silently treated as
   DNS CLIENT COOKIES.  :gl:`#4194`
 
+- The option :any:`inline-signing` can now also be set inside
+  :any:`dnssec-policy`. The built-in policies ``default`` and ``insecure``
+  enable the use of :any:`inline-signing`. If you set :any:`inline-signing`
+  at the ``zone`` level, it overrides the value used set in
+  :any:`dnssec-policy`. :gl:`#3677`.
+
 Bug Fixes
 ~~~~~~~~~
 

lib/dns/include/dns/kasp.h

@@ -103,6 +103,7 @@ struct dns_kasp {
 	/* Zone settings */
 	dns_ttl_t zone_max_ttl;
 	uint32_t  zone_propagation_delay;
+	bool	  inline_signing;
 
 	/* Parent settings */
 	dns_ttl_t parent_ds_ttl;
@@ -389,6 +390,30 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
+bool
+dns_kasp_inlinesigning(dns_kasp_t *kasp);
+/*%<
+ * Should we use inline-signing for this DNSSEC policy?
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   true or false.
+ */
+
+void
+dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
+/*%<
+ * Set inline-signing.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 dns_ttl_t
 dns_kasp_zonemaxttl(dns_kasp_t *kasp);
 /*%<

lib/dns/kasp.c

@@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
 	kasp->retire_safety = value;
 }
 
+bool
+dns_kasp_inlinesigning(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->inline_signing);
+}
+
+void
+dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->inline_signing = value;
+}
+
 dns_ttl_t
 dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));

lib/isccfg/check.c

@@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	bool dlz;
 	bool ddns = false;
 	bool has_dnssecpolicy = false;
+	bool kasp_inlinesigning = false;
 	const void *clauses = NULL;
 	const char *option = NULL;
 	const char *kaspname = NULL;
@@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		kaspname = cfg_obj_asstring(obj);
 		if (strcmp(kaspname, "default") == 0) {
 			has_dnssecpolicy = true;
+			kasp_inlinesigning = true;
 		} else if (strcmp(kaspname, "insecure") == 0) {
 			has_dnssecpolicy = true;
+			kasp_inlinesigning = true;
 		} else if (strcmp(kaspname, "none") == 0) {
 			has_dnssecpolicy = false;
+			kasp_inlinesigning = false;
 		} else {
 			(void)cfg_map_get(config, "dnssec-policy", &kasps);
 			for (element = cfg_list_first(kasps); element != NULL;
@@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
 				    0)
 				{
+					const cfg_obj_t *inlinesigning = NULL;
+					const cfg_obj_t *kopt = cfg_tuple_get(
+						cfg_listelt_value(element),
+						"options");
+					if (cfg_map_get(kopt, "inline-signing",
+							&inlinesigning) ==
+					    ISC_R_SUCCESS)
+					{
+						kasp_inlinesigning =
+							cfg_obj_asboolean(
+								inlinesigning);
+					} else {
+						/* By default true */
+						kasp_inlinesigning = true;
+					}
+
 					has_dnssecpolicy = true;
+					break;
 				}
 			}
 
@@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
 		if (res1 == ISC_R_SUCCESS) {
 			signing = cfg_obj_asboolean(obj);
+		} else if (has_dnssecpolicy) {
+			signing = kasp_inlinesigning;
 		}
 
 		if (has_dnssecpolicy) {

lib/isccfg/kaspconf.c

@@ -360,6 +360,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	const cfg_obj_t *koptions = NULL;
 	const cfg_obj_t *keys = NULL;
 	const cfg_obj_t *nsec3 = NULL;
+	const cfg_obj_t *inlinesigning = NULL;
+	const cfg_obj_t *cds = NULL;
 	const cfg_obj_t *obj = NULL;
 	const cfg_listelt_t *element = NULL;
 	const char *kaspname = NULL;
@@ -446,6 +448,14 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	}
 
 	/* Configuration: Zone settings */
+	(void)confget(maps, "inline-signing", &inlinesigning);
+	if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) {
+		dns_kasp_setinlinesigning(kasp,
+					  cfg_obj_asboolean(inlinesigning));
+	} else {
+		dns_kasp_setinlinesigning(kasp, true);
+	}
+
 	maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
 	dns_kasp_setzonemaxttl(kasp, maxttl);
 
@@ -470,10 +480,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 		dns_kasp_setcdnskey(kasp, true);
 	}
 
-	obj = NULL;
+	(void)confget(maps, "cds-digest-types", &cds);
-	(void)confget(maps, "cds-digest-types", &obj);
+	if (cds != NULL) {
-	if (obj != NULL) {
+		for (element = cfg_list_first(cds); element != NULL;
-		for (element = cfg_list_first(obj); element != NULL;
 		     element = cfg_list_next(element))
 		{
 			result = add_digest(kasp, cfg_listelt_value(element),

lib/isccfg/namedconf.c

@@ -2208,6 +2208,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "cdnskey", &cfg_type_boolean, 0 },
 	{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
 	{ "dnskey-ttl", &cfg_type_duration, 0 },
+	{ "inline-signing", &cfg_type_boolean, 0 },
 	{ "keys", &cfg_type_kaspkeys, 0 },
 	{ "max-zone-ttl", &cfg_type_duration, 0 },
 	{ "nsec3param", &cfg_type_nsec3, 0 },