Is inline-signing with a dynamic zone (update-policy) a valid and supported configuration in BIND >= 9.16?
Apologies for actually only asking a question, but depending on the answer this might turn into a bug report. :-)
Is the following configuration supported?
zone "example.org." IN {
type primary;
file "example.org";
dnssec-dnskey-kskonly yes;
inline-signing yes;
update-policy {
grant local-ddns zonesub ANY;
};
};
The reason for having been using this is to have a "plain" zone file which can be easily viewed (and if necessary frozen/thawed), and the signed zone.
According to the table of combinations in this issue the answer is 'yes'.