Skip to content
  • Matthijs Mekking's avatar
    dnssec-policy: to sign inline or not · 644f0d95
    Matthijs Mekking authored
    When dnssec-policy was introduced, it implicitly set inline-signing.
    But DNSSEC maintenance required either inline-signing to be enabled,
    or a dynamic zone.  In other words, not in all cases you want to
    DNSSEC maintain your zone with inline-signing.
    
    Change the behavior and determine whether inline-signing is
    required: if the zone is dynamic, don't use inline-signing,
    otherwise implicitly set it.
    
    You can also explicitly set inline-signing to yes with dnssec-policy,
    the restriction that both inline-signing and dnssec-policy cannot
    be set at the same time is now lifted.
    
    However, 'inline-signing no;' on a non-dynamic zone with a
    dnssec-policy is not possible.
    644f0d95