From: Matthijs Mekking Date: Tue, 27 Sep 2022 10:04:37 +0000 (+0200) Subject: Add inline-signing to config examples X-Git-Tag: v9.16.34~10^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=df11527a9a9bb6ebbd0ff617f25c430cfd8770bd;p=thirdparty%2Fbind9.git Add inline-signing to config examples Add 'inline-signing yes;' to configuration examples to have working copy paste configurations. (cherry picked from commit b13a0c8836d2d8bc5b4de1cdfcdb2057c0bb9d93) --- diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 107e592aefe..f2b66aa3198 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -99,9 +99,13 @@ up-to-date DNSSEC practices: type primary; file "dnssec.example.db"; dnssec-policy default; + inline-signing yes; }; -This single line is sufficient to create the necessary signing keys, and generate +The ``dnssec-policy`` statement requires dynamic DNS to be set up, or +``inline-signing`` to be enabled. In the example above we use the latter. + +This is sufficient to create the necessary signing keys, and generate ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes care of any DNSSEC maintenance for this zone, including replacing signatures that are about to expire and managing :ref:`key_rollovers`. @@ -171,6 +175,7 @@ by configuring parental agents: type primary; file "dnssec.example.db"; dnssec-policy default; + inline-signing yes; parental-agents { 192.0.2.1; }; }; diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index 54b94ecab7a..a4bdffaa0aa 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -63,6 +63,7 @@ what the ``named.conf`` zone statement looks like on the primary server, 192.168 file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; + inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; + inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed: type primary; file "db/example.com.db"; dnssec-policy "default"; + inline-signing yes; }; To indicate the reversion to unsigned, change the ``dnssec-policy`` line: @@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the ``dnssec-policy`` line: type primary; file "db/example.com.db"; dnssec-policy "insecure"; + inline-signing yes; }; Then use :option:`rndc reload` to reload the zone. diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index baf67551539..9bd537199fe 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -835,6 +835,7 @@ this example, we'll add it to the ``zone`` statement: zone "example.net" in { ... dnssec-policy standard; + inline-signing yes; ... }; @@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt: zone "example.net" in { ... dnssec-policy standard; + inline-signing yes; parental-agents { "net"; }; ... };