Add builtin kasp policy "insecure"
Currently when you want to unsign your zone you just reconfigure dnssec-policy from whatever you are using to none. This will gracefully unsign your zone. To allow for a graceful transition, DNSSEC maintenance is still required for the zone.
This means that with dnssec-policy none; the keymgr still needs to run for the zone if there are key state files present. The presence of such files is an indication that the graceful transition is not yet done.
This introduces some corner cases that are becoming somewhat a maintenance burden. So we will introduce an operational change when going to insecure:
- Instead of reconfigure
dnssec-policytonone, you should now reconfigure toinsecure. - Once the transition is completed, you can remove the key state files (and the public and private key files too).
- Then reconfigure once more to
dnssec-policy none;to disable DNSSEC maintenance.
- Update the code
- Update the tests
- Update the documentation
- Update the DNSSEC guide