I too was hit by this. I was tricked by the wording in doc/dnssec-guide/signing.rst:

> - When using `dnssec-policy`, there is no need to set the `auto-dnssec` and `inline-signing` options for a zone. The zone's `policy` statement implicitly does this.

But removing `inline-signing` from a dynamic zone caused all the DNSSEC records to end up in the original zone file, as mentioned, which I didn't want.
Who doesn't want inline signing anyway? I guess if you never edit the zone file manually, you don't need the unsigned file.
The names of journal files can be overridden (with `journal`), but not the names of the signed zone files created when `inline-signing=yes`. They are always named like the original file with `.signed` appended. https://gitlab.isc.org/isc-projects/bind9/-/blob/2872d6a12efe578360a641c1ba90884ea9a7dd01/bin/named/zoneconf.c#L1116
It's not a huge deal, but I'd like to separate manually edited configuration from software-managed data per the FHS, and thus keep non-dynamic master zones in /etc (which is also what the Debian package recommends) but the inline-signed zone data in /var/lib. (It appears that the Debian BIND maintainers didn't consider inline signing, because the included AppArmor profile prevents `named` from writing to /etc/bind.)
Define a new option `signed-file` or similar. Could something like signed-file.patch work?
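For reference, a named.conf zone stanza showing the combination described in this comment: `dnssec-policy` kept together with `inline-signing yes` so the signatures stay out of the hand-edited file. This is an added, constructed example, not from the issue or from BIND's own documentation; the zone name and file paths are assumptions.

```conf
// Constructed example: a dynamically updated zone signed with dnssec-policy.
// Keeping "inline-signing yes" next to "dnssec-policy" makes named write the
// DNSSEC records to a separate signed copy instead of into "file".
zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";             // hand-maintained, unsigned data
    journal "/var/lib/bind/db.example.com.jnl";  // the journal path can be overridden ...
    dnssec-policy "default";
    inline-signing yes;
    update-policy local;                         // accepts updates signed with the local session key
    // ... but the signed copy cannot: it is always "file" plus ".signed", i.e.
    // /etc/bind/db.example.com.signed here, which is exactly the write into
    // /etc/bind that the Debian AppArmor profile mentioned above blocks.
};
```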