Add builtin kasp policy "insecure"
Currently, when you want to unsign your zone, you reconfigure `dnssec-policy` from whatever you are using to `none`. This will gracefully unsign your zone. To allow for a graceful transition, DNSSEC maintenance is still required for the zone. This means that with `dnssec-policy none;` the keymgr still needs to run for the zone if there are key state files present. The presence of such files is an indication that the graceful transition is not yet done.
This introduces some corner cases that are becoming somewhat of a maintenance burden, so we will introduce an operational change when going insecure:
- Instead of reconfiguring `dnssec-policy` to `none`, you should now reconfigure to `insecure`.
- Once the transition is completed, you can remove the key state files (and the public and private key files too).
- Then reconfigure once more to `dnssec-policy none;` to disable DNSSEC maintenance.
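The three reconfiguration steps above as a `named.conf` walk-through. This is an added example, not text from the issue or code from BIND's own sources; the zone name, zone file and `key-directory` path are constructed, and each stanza shows the same zone at one phase of the procedure (they are not meant to coexist in a single configuration). The `rndc dnssec -status` check mentioned in the comments is an assumption of this example, not something the issue describes.

```conf
// Phase 1 (starting state): the zone is signed and maintained under some
// policy, here the builtin "default" policy. Zone name and paths are made up.
zone "example.com" {
    type primary;
    file "example.com.db";
    key-directory "/var/named/keys/example.com";
    dnssec-policy default;
};

// Phase 2: switch to the builtin "insecure" policy and run `rndc reconfig`.
// The keymgr keeps running for this zone and unsigns it gracefully while
// the key state files in key-directory still exist. Assumed check, not from
// the issue: `rndc dnssec -status example.com` shows the key states, so you
// can see when the keys have reached their final (retired/removed) state.
zone "example.com" {
    type primary;
    file "example.com.db";
    key-directory "/var/named/keys/example.com";
    dnssec-policy insecure;
};

// Phase 3: once the transition is complete, delete the key files for the
// zone from key-directory (the K<zone>+<alg>+<id>.key, .private and .state
// files) and only then switch to "none" and run `rndc reconfig` again.
// With no state files present, no DNSSEC maintenance runs for the zone.
zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy none;
};
```

The order matters: removing the key files before the keymgr has finished the transition would leave the zone without the information it needs to unsign cleanly, and switching to `none` while state files still exist keeps the keymgr running, which is exactly the corner case this change is meant to remove.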
- Update the code
- Update the tests
- Update the documentation
- Update the DNSSEC guide
Edited by Matthijs Mekking