Create keys when necessary
BIND 9 has a (currently unused) zone flag DNS_ZONEKEY_CREATE that may be set to create DNSSEC keys when needed. This will be set if a dnssec-policy is configured. We could also introduce a new value for auto-dnssec: next to off, allow and maintain, a new option full will do the same as maintain but also create keys if necessary.
This will create keys if at startup the zone has no matching keys, or if a rollover is initiated and there are no successor keys.