Skip to content

Add built-in dnssec-policy "insecure"

Matthijs Mekking requested to merge 2645-dnssec-polic-insecure-v9_16 into v9_16

Add a new built-in policy "insecure", to be used to gracefully unsign a zone. Previously you could just remove the 'dnssec-policy' configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means no DNSSEC maintenance for the corresponding zone. So if you immediately reconfigure your zone from whatever policy to "none", your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and 'dns_zone_secure_to_insecure()' again. We also no longer have to check for the existence of key state files to figure out if a zone is transitioning to insecure.

(cherry picked from commit 2710d9a1)

Closes #2645 (closed)

Edited by Matthijs Mekking

Merge request reports