From 2abb2b638a8c2c7bf43af15d11a257e9caf3ad82 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 27 Sep 2022 12:04:37 +0200
Subject: [PATCH] Add inline-signing to config examples

Add 'inline-signing yes;' to configuration examples to have working copy paste configurations.

(cherry picked from commit 18d230a5844038ad3fdd438f25f83a6580f4782e)
---
 doc/arm/dnssec.inc.rst | 7 ++++++-
 doc/dnssec-guide/recipes.rst | 4 ++++
 doc/dnssec-guide/signing.rst | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
index f4810aeeff..762e6aa585 100644
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@@ -99,9 +99,13 @@ up-to-date DNSSEC practices:
 type primary;
 file "dnssec.example.db";
 dnssec-policy default;
+ inline-signing yes;
 };
 
-This single line is sufficient to create the necessary signing keys, and generate
+The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
+:any:`inline-signing` to be enabled. In the example above we use the latter.
+
+This is sufficient to create the necessary signing keys, and generate
 ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes care of any DNSSEC maintenance for this zone, including replacing signatures that are about to expire and managing :ref:`key_rollovers`.
@@ -171,6 +175,7 @@ by configuring parental agents:
 type primary;
 file "dnssec.example.db";
 dnssec-policy default;
+ inline-signing yes;
 parental-agents { 192.0.2.1; };
 };
 
diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst
index cb2c3116e2..56eb1a514b 100644
--- a/doc/dnssec-guide/recipes.rst
+++ b/doc/dnssec-guide/recipes.rst
@@ -63,6 +63,7 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
 file "db/example.com.db";
 key-directory "keys/example.com";
 dnssec-policy default;
+ inline-signing yes;
 allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
 };
 
@@ -142,6 +143,7 @@ signed data via zone transfer to the other three DNS secondaries. Its
 file "db/example.com.db";
 key-directory "keys/example.com";
 dnssec-policy default;
+ inline-signing yes;
 allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
 };
 
@@ -995,6 +997,7 @@ Here is what :iscman:`named.conf` looks like when it is signed:
 type primary;
 file "db/example.com.db";
 dnssec-policy "default";
+ inline-signing yes;
 };
 
 To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@@ -1006,6 +1009,7 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
 type primary;
 file "db/example.com.db";
 dnssec-policy "insecure";
+ inline-signing yes;
 };
 
 Then use :option:`rndc reload` to reload the zone.
diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst
index d1175cdb0a..7ed5b824af 100644
--- a/doc/dnssec-guide/signing.rst
+++ b/doc/dnssec-guide/signing.rst
@@ -835,6 +835,7 @@ this example, we'll add it to the :any:`zone` statement:
 zone "example.net" in {
 ...
 dnssec-policy standard;
+ inline-signing yes;
 ...
 };
 
@@ -916,6 +917,7 @@ presence. Let's look at the following configuration excerpt:
 zone "example.net" in {
 ...
 dnssec-policy standard;
+ inline-signing yes;
 parental-agents { "net"; };
 ...
 };