echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
-grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
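Review bot: The updated grep on the `+` line pins only the primary-zone wording, so the non-primary form produced by the `: ""` branch of the checker ("... zones using dnssec-policy. See ...") is not asserted in this hunk. If `kasp-and-other-dnssec-options.conf` contains, or can be given, a non-primary zone with dnssec-policy and no inline-signing, a second check such as `grep "zones using dnssec-policy\. See " < checkconf.out$n > /dev/null || ret=1` would cover that branch. The pattern is also read as a regular expression, so `grep -F` would keep the match literal if the expected text ever gains a `.` or `*`.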
if (has_dnssecpolicy) {
if (!ddns && !signing) {
cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
- "'dnssec-policy;' requires%s "
- "inline-signing to be configured "
- "for the zone",
+ "'inline-signing yes;' must also "
+ "be configured explicitly for "
+ "zones using dnssec-policy%s. See "
+ "https://kb.isc.org/docs/"
+ "dnssec-policy-requires-dynamic-"
+ "dns-or-inline-signing",
(ztype == CFG_ZONE_PRIMARY)
- ? " dynamic DNS or"
+ ? " without a configured "
+ "'allow-update' or "
+ "'update-policy'"
: "");
result = ISC_R_FAILURE;
}
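Review bot: The knowledge-base URL in the new format string is split across three adjacent literals (`"https://kb.isc.org/docs/"`, `"dnssec-policy-requires-dynamic-"`, `"dns-or-inline-signing"`), so searching the tree for the link or its slug will not find this call site. Keeping it in one literal, even past the line-length limit, is easier to maintain: `"https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing"`. A short comment above the `cfg_obj_log` call would also help, for example `/* dnssec-policy needs DDNS (primary zones) or inline-signing; reject the zone otherwise */`. The enclosing `if (has_dnssecpolicy)` block continues outside the hunk and the derivation of `ddns` and `signing` is not visible, so confirm that `signing` is true only when inline-signing was set explicitly, as the new wording promises.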