Skip to content
  • Matthijs Mekking's avatar
    dnssec-policy inheritance from options/view · 5f464d15
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
    5f464d15
To learn more about this project, read the wiki.