Skip to content
  • Matthijs Mekking's avatar
    Introduce dnssec-policy configuration · a50d707f
    Matthijs Mekking authored
    This commit introduces the initial `dnssec-policy` configuration
    statement. It has an initial set of options to deal with signature
    and key maintenance.
    
    Add some checks to ensure that dnssec-policy is configured at the
    right locations, and that policies referenced to in zone statements
    actually exist.
    
    Add some checks that when a user adds the new `dnssec-policy`
    configuration, it will no longer contain existing DNSSEC
    configuration options.  Specifically: `inline-signing`,
    `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
    `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
    and `sig-validity-interval`.
    
    Test a good kasp configuration, and some bad configurations.
    a50d707f