Definable zone-policies in named.conf to allow inheritable zone configuration statements beyond the global options block.
Description
A generic, inheritable, zone-policy statement that allows a large amount of zone configuration to be included simply. (Inspired somewhat by apache24's mod_template.)
Request
In rolling out the new dnssec arguments in bind9.18, several cases have come up where statements are duplicated in each zone because they cannot easily be specified at the options level.
Some examples:
- dnssec-policy assignment (not definition): while you can redefine the default, if you want a non-default policy, you must specify it manually in every zone.
- parental-agents: a globally named parental agent may be configured, but there is no keyword to make it the default one for all zones, unless overridden.
- inline-signing: this cannot be set at the global level, as far as I can tell.
- use of the same data for multiple "parked" (non-dnssec) zones, so this could even include a "file" and "type" statement.
Several other more "classic" options also exist for zones, like allow-query and allow-transfer, that you can set globally and that you may want to apply to many zones without inheriting what is present in the global options block (or you may in fact want the global options block to list a conservative and restrictive default).
This is in no way an exhaustive list of available statements that could be included.
While on its face this feels like an option that would complicate configuration, it stands to make configuration considerably shorter and easier to read as long as the options are well spelled out. It makes configuration audits easier as well, because rather than scanning each zone statement for typos and evaluating it individually, you know for sure that a policy has been applied.
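To make the request concrete, the following is an added illustration, not text from the issue and not BIND syntax. The first half is ordinary BIND 9.18 named.conf showing the per-zone duplication described above, with a restrictive global allow-transfer default; the second half sketches what a hypothetical zone-policy statement could look like. The zone-policy keyword, the policy and zone names, and the addresses are all assumptions.

```conf
// --- Today (BIND 9.18 syntax): every signed zone repeats the same statements ---
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { none; };          // conservative global default
};

// Named server list usable by zones (real 9.18 syntax; address is constructed)
parental-agents "registrar" { 192.0.2.10; };

dnssec-policy "prod" {
    keys {
        csk lifetime unlimited algorithm ecdsa256;
    };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "prod";
    inline-signing yes;
    parental-agents { "registrar"; };
    allow-transfer { 198.51.100.0/24; };   // secondaries (constructed range)
};

zone "example.net" {
    type primary;
    file "example.net.db";
    dnssec-policy "prod";                  // duplicated
    inline-signing yes;                    // duplicated
    parental-agents { "registrar"; };      // duplicated
    allow-transfer { 198.51.100.0/24; };   // duplicated
};

// --- Proposed (hypothetical syntax, not part of BIND): collect the shared ---
// --- statements once and reference them; this would replace the zone blocks above ---
zone-policy "signed-primary" {
    type primary;
    dnssec-policy "prod";
    inline-signing yes;
    parental-agents { "registrar"; };
    allow-transfer { 198.51.100.0/24; };   // opens transfers only for policy members
};

zone "example.com" {
    zone-policy "signed-primary";
    file "example.com.db";
};

zone "example.net" {
    zone-policy "signed-primary";
    file "example.net.db";
    allow-transfer { none; };              // a zone-level statement still overrides the policy
};
```

The audit benefit the request describes follows from the second form: a reviewer checks one policy block and then only needs to look for zones that reference a different policy or override one of its statements, rather than reading every zone block for a missing inline-signing or an overly permissive allow-transfer.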
I recognize that 9.20 or beyond may be where this happens, if at all.