ISC Open Source Projects / BIND / Issues / #2645
Closed
Open
Issue created Apr 21, 2021 by Matthijs Mekking (@matthijs, Developer). 4 of 4 checklist items completed.

Add builtin kasp policy "insecure"

Currently when you want to unsign your zone you just reconfigure dnssec-policy from whatever you are using to none. This will gracefully unsign your zone. To allow for a graceful transition, DNSSEC maintenance is still required for the zone.

This means that with dnssec-policy none; the keymgr still needs to run for the zone if there are key state files present. The presence of such files is an indication that the graceful transition is not yet done.

This introduces some corner cases that are becoming somewhat of a maintenance burden. So we will introduce an operational change when going to insecure:

  1. Instead of reconfiguring dnssec-policy to none, you should now reconfigure to insecure.
  2. Once the transition is completed, you can remove the key state files (and the public and private key files too).
  3. Then reconfigure once more to dnssec-policy none; to disable DNSSEC maintenance.

  • [x] Update the code
  • [x] Update the tests
  • [x] Update the documentation
  • [x] Update the DNSSEC guide
Edited Apr 21, 2021 by Matthijs Mekking
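
One way to check the precondition of step 2 before deleting any key files, as an added example that is not part of the issue or of BIND's own code. It assumes key state files are named K<zone>.+<alg>+<keyid>.state and carry lines such as "DSState: hidden", with "hidden" meaning the record is no longer in the zone; the function name kasp_unsign_status is hypothetical.

```shell
#!/bin/sh
# Added example: report whether a zone's key state files still show an
# unfinished transition to insecure.
# Assumption: files are named K<zone>.+<alg>+<keyid>.state and contain
# "<Name>State: <value>" lines (DNSKEYState, ZRRSIGState, KRRSIGState,
# DSState, GoalState), where "hidden" means fully withdrawn.

# kasp_unsign_status KEYDIR ZONE
# Prints one of: no-state-files | pending | done
# Returns 0 for "done" and "no-state-files", 1 for "pending".
kasp_unsign_status() {
    keydir=$1
    zone=${2%.}          # accept "example.com." or "example.com"
    found=0
    pending=0
    for f in "$keydir"/K"$zone".+*+*.state; do
        [ -f "$f" ] || continue      # glob matched nothing
        found=1
        # Any *State line with a value other than "hidden" means the key
        # manager still has work to do for this key.
        if grep -E '^[A-Za-z]+State:' "$f" | grep -qv ': *hidden *$'; then
            pending=1
            echo "still in transition: $f" >&2
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no-state-files"        # nothing left for keymgr to maintain
        return 0
    fi
    if [ "$pending" -eq 1 ]; then
        echo "pending"               # keep dnssec-policy insecure for now
        return 1
    fi
    echo "done"                      # key files may be removed (step 2)
}

# Command-line use: sh script.sh /path/to/key-directory example.com
if [ "$#" -eq 2 ]; then
    kasp_unsign_status "$1" "$2"
fi
```

A "pending" result means the zone should stay on dnssec-policy insecure; only after "done" (and removal of the key files) or "no-state-files" does step 3 apply.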