Skip to content

Add inline-signing to dnssec-policy

On the one hand I don't think "inline-signing" is really a key and signing policy option, so it feels misplaced.

On the other hand it is kind of cumbersome to include "inline-signing yes;" in all of your zones that use/inherit dnssec-policy.

I do believe the latter argument is a stronger one the "it feels wrong" argument though, so I am leaning more towards of adding an "inline-signing" option inside "dnssec-policy".

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information