document interaction between auto-dnssec/dnssec-policy/allow-update/update-policy/inline-signing
Various combinations of {auto-dnssec, dnssec-policy} x {allow-update, update-policy} x inline-signing cause different behavior in terms of serial number increments and data storage. I cannot find clear documentation in the ARM, and apparently it is somewhat confusing people (see #3381 (closed)).
I'm not sure what's best way to address this. Maybe create a table describing what goes where?
Or describe it separately for each option?
What I have learnt:
- if a primary zone does not allow updates, named does not want to modify it (is that 100% true?)
- auto-dnssec or dnssec-policy require write access
- in case of a static zone this forces inline-signing and writes updates to a new separate file with signatures and custom serial
- in case of a dynamic zone:
  - without inline-signing: updates + signatures go to the original zone file and use the same "serial number series"
  - with explicit inline-signing: updates go to the original file (without signatures) and bump its serial a bit, but changes also go to the .signed file together with signatures, and this separate file has a separate "serial number series" disconnected from the original file
A table copied from #3381 (comment 291481):
updates allowed | signing method | inline-signing config | signatures | data updates |
---|---|---|---|---|
no | auto-dnssec maintain | no / unspecified | error: inline-signing must be enabled | - |
no | auto-dnssec maintain | yes | db.signed | - |
no | dnssec-policy | no | error: inline-signing must be enabled | - |
no | dnssec-policy | yes / unspecified | db.signed | - |
yes | auto-dnssec maintain | no / unspecified | original file | signed + original file |
yes | auto-dnssec maintain | yes | db.signed | signed + original file |
yes | dnssec-policy | no / unspecified | original file | signed + original file |
yes | dnssec-policy | yes | db.signed | signed + original file |
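An added named.conf fragment (written for this issue, not taken from the ARM or from BIND's test suite) that maps rows of the table above onto concrete zone statements. The zone names, file names and the TSIG key are placeholders; the comments on each zone restate what the table says about where signatures and updates end up, and are not independently verified results.

```conf
// Added example: zone statements matching rows of the table above.
// Zone names, file names and key names are placeholders, not from the issue.

key "update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Row: updates=no, dnssec-policy, inline-signing unspecified.
// Static zone: named must not modify "db.static", so signatures are written
// to "db.static.signed", which carries its own serial number series.
zone "static.example" {
    type primary;
    file "db.static";
    dnssec-policy "default";
    // "inline-signing no;" here would be rejected: inline-signing must be enabled
};

// Row: updates=no, auto-dnssec maintain, inline-signing yes.
// Same storage outcome as above; without "inline-signing yes;" the
// configuration is an error because named has no writable copy of the zone.
zone "static-legacy.example" {
    type primary;
    file "db.static-legacy";
    auto-dnssec maintain;
    inline-signing yes;
};

// Row: updates=yes, dnssec-policy, inline-signing no / unspecified.
// Dynamic zone: updates and signatures both land in "db.dynamic" and share
// one serial number series.
zone "dynamic.example" {
    type primary;
    file "db.dynamic";
    update-policy { grant update-key zonesub ANY; };
    dnssec-policy "default";
    inline-signing no;
};

// Row: updates=yes, dnssec-policy, inline-signing yes.
// Updates go to "db.dynamic-inline" (unsigned, serial bumped), while the
// signed copy with its own, disconnected serial number series goes to
// "db.dynamic-inline.signed".
zone "dynamic-inline.example" {
    type primary;
    file "db.dynamic-inline";
    allow-update { key "update-key"; };
    dnssec-policy "default";
    inline-signing yes;
};
```

The two dynamic zones deliberately use the two different grant mechanisms (update-policy and allow-update) to show that the table's "updates allowed" column covers either; what decides the storage outcome is only whether updates are permitted at all and whether inline-signing is on.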
Edited by Matthijs Mekking