dnssec-policy: to sign inline or not
When dnssec-policy was introduced, it implicitly set inline-signing. But DNSSEC maintenance required either inline-signing to be enabled, or a dynamic zone. In other words, not in all cases you want to DNSSEC maintain your zone with inline-signing. Change the behavior and determine whether inline-signing is required: if the zone is dynamic, don't use inline-signing, otherwise implicitly set it. You can also explicitly set inline-signing to yes with dnssec-policy, the restriction that both inline-signing and dnssec-policy cannot be set at the same time is now lifted. However, 'inline-signing no;' on a non-dynamic zone with a dnssec-policy is not possible.
Showing with 279 additions and 193 deletions