git.ipfire.org Git - thirdparty/bind9.git/commit

]> git.ipfire.org Git - thirdparty/bind9.git/commit

projects / thirdparty / bind9.git / commit

author	Matthijs Mekking <matthijs@isc.org>
	Mon, 3 Apr 2023 15:00:36 +0000 (17:00 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Tue, 1 Aug 2023 06:55:48 +0000 (06:55 +0000)
commit	bbfdcc36c855605b6959c9a353c942be7d1cfb7a
tree	16ddf804e4633b0f68853b521ad6cd0763a600ce	tree \| snapshot
parent	4bf94f4c52e8deb51d9e9649b80d3c40f95fcca8	commit \| diff

Add inline-signing to dnssec-policy

Add an option to enable/disable inline-signing inside the
dnssec-policy clause. The existing inline-signing option that is
set in the zone clause takes priority, but if it is omitted, then the
value that is set in dnssec-policy is taken.

The built-in policies use inline-signing.

This means that if you want to use the default policy without
inline-signing you either have to set it explicitly in the zone
clause:

    zone "example" {
        ...
        dnssec-policy default;
        inline-signing no;
    };

Or create a new policy, only overriding the inline-signing option:

    dnssec-policy "default-dynamic" {
        inline-signing no;
    };

    zone "example" {
        ...
        dnssec-policy default-dynamic;
    };

This also means that if you are going insecure with a dynamic zone,
the built-in "insecure" policy needs to be accompanied with
"inline-signing no;".

23 files changed:

bin/named/config.c		diff \| blob \| blame \| history
bin/named/include/named/zoneconf.h		diff \| blob \| blame \| history
bin/named/server.c		diff \| blob \| blame \| history
bin/named/zoneconf.c		diff \| blob \| blame \| history
bin/tests/system/autosign/ns2/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/autosign/ns3/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/checkconf/good-kasp.conf		diff \| blob \| blame \| history
bin/tests/system/kasp/ns3/named-fips.conf.in		diff \| blob \| blame \| history
bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in		diff \| blob \| blame \| history
bin/tests/system/kasp/ns4/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/kasp/ns6/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/kasp/ns6/named2.conf.in		diff \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named-fips.conf.in		diff \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named2-fips.conf.in		diff \| blob \| blame \| history
bin/tests/system/nsupdate/ns3/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/statschannel/ns2/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/statschannel/ns2/named2.conf.in		diff \| blob \| blame \| history
doc/misc/dnssec-policy.default.conf		diff \| blob \| blame \| history
doc/misc/options		diff \| blob \| blame \| history
lib/dns/include/dns/kasp.h		diff \| blob \| blame \| history
lib/dns/kasp.c		diff \| blob \| blame \| history
lib/isccfg/kaspconf.c		diff \| blob \| blame \| history
lib/isccfg/namedconf.c		diff \| blob \| blame \| history

Mirror of https://gitlab.isc.org/isc-projects/bind9.git

RSS Atom